Example SCP: Deny AWS account root user access


Service Control Policy example: Deny access to AWS resources for the AWS account root user

It’s generally a best practice to not use the root user to do your tasks in your AWS account. Instead, you should create an IAM admin user and use that to do administrative tasks.

Since the root user has full access to all your resources and billing information you should further protect it with the following steps:

As an additional layer of protection, you can set up a guardrail in the form of a Service Control Policy to deny access to AWS resources from the root user.

  "Version": "2012-10-17",
  "Statement": [
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
      "Action": "*",
      "Resource": "*",
      "Effect": "Deny",
      "Sid": "DenyRootUser"

How to create the AWS Service Control Policy

Log in to the AWS console and then go to the Service control policies tab under the AWS Organizations service where you can create the new policy.

Note: make sure to have AWS Organizations enabled.

Learn more about AWS Service Control Policies

If you are in a position where you have responsibility for the AWS Cloud infrastructure, then have a look at the complete guide to AWS Service Control Policies.

Danny Steenman

Is a Principal Cloud Consultant with a background in DevOps Engineering and thorough hands-on experience in architecting and building highly scalable distributed systems on AWS Cloud using Infrastructure as Code.

A prominent leader who is passionate about sharing AWS technical expertise by writing technical articles.