A service control policy (SCP) specifies the services and actions that users and roles can use in the accounts that the SCP affects. SCPs are similar to IAM permission policies, except that they don’t grant any permissions. Instead, SCPs specify the maximum permissions for an organization, organizational unit (OU), or account. When you attach an SCP to your organization root or OU, the SCP limits permissions for entities in member accounts. Even if a user is granted full administrator permissions with an IAM permission policy, any access that is not explicitly allowed or that is explicitly denied by the SCPs affecting that account is blocked.
For example, if you assign an SCP that allows only database service access to your “database” account, then any user, group, or role in that account is denied access to any other service’s operations. SCPs are available only when you enable all features in your organization.
You can attach an SCP to the following:
A root, which affects all accounts in the organization
An OU, which affects all accounts in that OU and all accounts in any OUs in that OU subtree
An individual account
The master account of the organization is not affected by any SCPs that are attached either to it or to any root or OU the master account might be in.
Source: AWS Organization