AWS offers its customers multiple ways to enforce guardrails – a mechanism to allow developers or DevOps teams to achieve their goals while keeping pre-defined controls.
Service control policies (SCPs) allow configuring maximum allowed permissions identities have over resources within an AWS organization.
Resource control policies (RCPs) allow configuring the maximum allowed permissions on resources within an AWS organization.
Declarative policies allow customers to centrally enforce a desired configuration state for AWS services using the AWS Organizations console, the AWS CLI, CloudFormation templates, and AWS Control Tower.
Permission boundaries define the maximum permissions granted using identity-based policies attached to an IAM user or IAM role.
Each alternative serves a slightly different purpose when controlling access to resources across an AWS Organization at scale.
AWS does not grant any access by default: if an SCP at any level of the AWS Organizations hierarchy does not allow an AWS service, no identity in the accounts below that level will be able to use it.
Designing SCPs, RCPs, and declarative policies as guardrails comes with limitations, including maximum document sizes: 5120 characters for SCPs and RCPs, and 10000 characters for declarative policies.
Permission boundaries have their own limitations, including a maximum size of 6144 characters.
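To make the evaluation rule above concrete, here is an added Python example (not code from the original text or from AWS) that models a simplified SCP check over a constructed root -> OU -> account chain: an action passes only if every level allows it and no level explicitly denies it, and each document is checked against the 5120-character SCP limit. Conditions, NotAction and NotResource are deliberately left out of the model.

```python
import fnmatch
import json

# Constructed sample SCPs for a root -> OU -> account chain (not taken from the page).
ALLOW_ALL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}  # shaped like FullAWSAccess
WORKLOAD_OU_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "logs:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
HIERARCHY = [[ALLOW_ALL], [WORKLOAD_OU_SCP], [ALLOW_ALL]]  # root, OU, account

SCP_MAX_CHARS = 5120  # maximum size of one SCP document, as stated above

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _covers(stmt, action, resource):
    # Case-insensitive wildcard match on Action, wildcard match on Resource.
    # Conditions, NotAction and NotResource are not modelled (assumption).
    act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                 for a in _as_list(stmt.get("Action", [])))
    res_ok = any(fnmatch.fnmatchcase(resource, r)
                 for r in _as_list(stmt.get("Resource", [])))
    return act_ok and res_ok

def level_allows(policies, action, resource):
    """All SCPs attached at one level: an explicit Deny wins, otherwise at least
    one matching Allow is required, otherwise the level implicitly denies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _covers(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def allowed_by_scps(hierarchy, action, resource="*"):
    """An action passes only if every level from root to account allows it."""
    return all(level_allows(level, action, resource) for level in hierarchy)

def fits_scp_limit(policy):
    """True if the compact JSON form is within the SCP character cap; measure the
    exact document you intend to upload, since AWS counts the text as submitted."""
    return len(json.dumps(policy, separators=(",", ":"))) <= SCP_MAX_CHARS

if __name__ == "__main__":
    for action in ("s3:GetObject", "iam:CreateUser", "s3:DeleteBucket"):
        print(action, allowed_by_scps(HIERARCHY, action))
    print("size ok:", all(fits_scp_limit(p) for p in (ALLOW_ALL, WORKLOAD_OU_SCP)))
```

In the sample, iam:CreateUser is allowed at the root and account levels but not by the OU policy, so it is denied everywhere below that OU, while s3:DeleteBucket is denied by the explicit Deny even though s3:* is allowed.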
It is recommended to read the AWS documentation and watch the lecture 'Security invariants: From enterprise chaos to cloud order' from AWS re:Invent 2024 for a better understanding.