Which of the following is a common use case for service control policies (SCPs)?

Service Control Policies (SCPs) are designed to manage permissions across an organization in AWS, especially when using AWS Organizations. They enable you to set guardrails that define the maximum available permissions for accounts in an organization.

Choosing to deny access to all regional APIs in non-approved regions is a practical use case of SCPs because it allows organizations to enforce compliance and security by controlling where resources can be accessed and managed. For instance, if an organization decides that only certain regions meet its compliance requirements or business needs, the SCP can effectively block access to any other regions. This approach helps ensure that sensitive data is not inadvertently exposed to regions that may not adhere to the necessary compliance standards.

Conversely, granting unlimited access to resources, only allowing administrative privileges, or restricting all users to their home directories do not align with the fundamental purpose of SCPs, which is about establishing boundaries and limits rather than elevating permissions or restricting access in ways that don’t involve comprehensive oversight. SCPs are most effective when used to create clearly defined operational parameters for teams within the organization.