Core concept
SCP is JSON policy at OU/account level. Restricts what IAM users/roles can do. Complements IAM (both must allow).
Advertisement
How it works
Deny unused regions. Prevent creating root user access keys. Block turning off CloudTrail. Common SCPs.
Advertisement
Trade-offs + gotchas
Every multi-account org (which is most enterprises). Foundation of AWS governance.