AWS SCPs now support full IAM syntax

Evgeny Anikiev October 28, 2025 AWS
AWS just gave SCPs a serious power boost.

Service control policies in AWS Organizations now support the full IAM policy language. That sounds technical, but here's what it means for you: your policies get simpler. A lot simpler.

What changed:

You can now use conditions in Allow statements. NotResource in Deny statements. NotAction with wildcards. Wildcards anywhere in Action strings, not just at the end. Individual resource ARNs instead of broad wildcards.

Why this matters:

Before this, writing tight, readable SCPs meant layering multiple statements on top of each other. Conditions only worked in Deny. You had to use workarounds, such as tagging principals or managing exceptions through convoluted logic. It was messy.

Now? You can write a single Deny statement with NotResource to block everything except specific resources. You can allow services only in certain regions using conditions. Your policy intent becomes obvious instead of buried in conditional logic.

Real example:

Bedrock model access. Old way: Allow bedrock:*, then explicitly Deny three specific model ARNs, and pray AWS doesn't add new models you don't want. New way: Allow bedrock:*, then Deny everything except amazon.* models. Cleaner. Safer. Future-proof.
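As an added illustration (not code from the original post or from AWS), here are the two Bedrock policies described above embedded in a small Python evaluator that models the SCP decision rules: an explicit Deny wins, otherwise a matching Allow, otherwise implicit Deny. The foundation-model ARN shape, the vendor model names and the evaluator itself are assumptions for illustration; the point is that a model which did not exist when the policy was written stays allowed under the old approach and is blocked under the new one.

```python
import fnmatch
import json

# Constructed policies for the post's old and new approaches; model ARN shape assumed.
OLD_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "bedrock:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "bedrock:*",
     "Resource": ["arn:aws:bedrock:*::foundation-model/vendorA.model-1",
                  "arn:aws:bedrock:*::foundation-model/vendorA.model-2",
                  "arn:aws:bedrock:*::foundation-model/vendorB.model-1"]}
  ]
}""")
NEW_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "bedrock:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "bedrock:*",
     "NotResource": "arn:aws:bedrock:*::foundation-model/amazon.*"}
  ]
}""")

def _any_match(patterns, value):
    # IAM-style glob: '*' matches any run, '?' one character; ARNs compare case-sensitively.
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _applies(stmt, action, resource):
    # Action / NotAction select the operation; Resource / NotResource select the ARN.
    if "Action" in stmt and not _any_match(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _any_match(stmt["NotAction"], action):
        return False
    if "Resource" in stmt:
        return _any_match(stmt["Resource"], resource)
    return not _any_match(stmt["NotResource"], resource)

def evaluate(policy, action, resource):
    """SCP decision: any matching Deny wins, else a matching Allow, else implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if _applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

if __name__ == "__main__":
    for m in ("amazon.titan-text-express-v1", "vendorA.model-1", "vendorC.brand-new-model"):
        arn = "arn:aws:bedrock:us-east-1::foundation-model/" + m
        print(m, "old:", evaluate(OLD_SCP, "bedrock:InvokeModel", arn), "new:", evaluate(NEW_SCP, "bedrock:InvokeModel", arn))
```

One caveat the evaluator reproduces: a Deny on bedrock:* with NotResource also matches requests whose resource is `*` (Bedrock calls that take no resource ARN), so scope that statement's Action to the model-invocation actions you mean to restrict if those calls should keep working.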

Important:

AWS recommends explicit Deny statements as your primary control. Wildcards are powerful but can grant unintended permissions as services add new actions and resources. Use IAM Access Analyzer to validate policies before deployment, especially with custom policy checks in your CI/CD pipeline.

Available now across commercial and GovCloud regions.
