SCP, Tag, Backup, and AI Services Policy Overview

This page covers the four AWS Organizations policy types that the runbooks CLI captures (AWS Organizations also offers others, such as resource control policies, declarative policies for EC2, chatbot policies and Security Hub policies, which are out of scope here). It explains each type, how to discover it with runbooks, and how it relates to the CSDM-first tag taxonomy.

Business Value

Three of the four policy types act as enforcement guardrails that protect cloud spend and compliance posture across the AWS organization; the AI services opt-out policy is a data-handling control rather than a guardrail and is covered separately below.

| Guardrail | Business Impact | Compliance |
|---|---|---|
| Service Control Policies | Prevents unauthorized services and actions from being used | APRA CPS 234 §36 |
| Tag Policies | Enforces cost allocation attributes | Finance audit trail |
| Backup Policies | Mandates data protection schedules | Business continuity |

Risk: No Enforcement Guardrails

Without SCPs and Tag Policies the organization is exposed to uncontrolled service sprawl, cost allocation disputes that take weeks to resolve, and APRA CPS 234 audit findings that require expensive remediation. The risk exposure per audit cycle is estimated as significant.

SCP Policy Coverage [UNVERIFIED-FORECAST]

Mermaid pie chart; the figures are a forecast, not measured compliance data:

pie title SCP Policy Coverage [UNVERIFIED-FORECAST]
    "Compliant Resources" : 85
    "Non-Compliant" : 10
    "Exempt" : 5

The Four Policy Types

| Policy Type | AWS Name | Purpose | Profile |
|---|---|---|---|
| Service Control Policy (SCP) | SERVICE_CONTROL_POLICY | Restrict the API actions available to accounts and OUs | $AWS_MANAGEMENT_PROFILE |
| Tag Policy | TAG_POLICY | Standardize tag key capitalization and allowed values | $AWS_MANAGEMENT_PROFILE |
| Backup Policy | BACKUP_POLICY | Define backup plans across accounts | $AWS_MANAGEMENT_PROFILE |
| AI Services Opt-Out | AISERVICES_OPT_OUT_POLICY | Opt accounts out of AWS AI services using customer content to improve the services | $AWS_MANAGEMENT_PROFILE |

Service Control Policies (SCP)

SCPs define the maximum permissions ceiling for accounts and OUs. They do not grant permissions; they cap what IAM identity and resource policies in member accounts can effectively allow, and an explicit Deny in any SCP inherited from the root down to the account wins. Two limits worth remembering: SCPs never apply to the management account itself, and they do not restrict service-linked roles.

Common SCP patterns in multi-account LZ

Organization Root (FullAWSAccess attached by default)
├── Core OU
│   ├── DenyLeavingOrganization.json
│   └── DenyDisablingCloudTrail.json
├── Workload OU
│   ├── DenyRootAccountUsage.json
│   └── EnforceTaggingOnEC2.json
└── Sandbox OU
    └── LimitRegions.json

Discovering SCPs

Run these from the management account, or from an account registered as a delegated administrator for AWS Organizations; ListPolicies is not callable from an ordinary member account.

export AWS_MANAGEMENT_PROFILE=<your-management-profile>

# List all SCPs
uv run runbooks inventory list-org-policies \
    --profile $AWS_MANAGEMENT_PROFILE \
    --policy-type SERVICE_CONTROL_POLICY \
    --output-dir tenants/b2b-energy/raw/organizations/

# Count unique SCP names
jq '[.Policies[].Name] | unique | length' \
    tenants/b2b-energy/raw/organizations/scp-policies.json

SCP phased rollout (3-phase)

Enforcement of the CSDM-first bc:* tag standard is rolled out in three phases, moving from monitoring only, to Tag Policy enforcement, to SCP deny:

| Phase | Enforcement Mode | Trigger |
|---|---|---|
| Monitor (Phase A, 2026-Q3) | No deny; CloudWatch metrics only | Tag governance v2.0 published |
| Warn (Phase B, 2026-Q4) | Tag Policy enforcement via @@enforce | bc:* rollout into terraform-aws-metering |
| Enforce (Phase C, 2027-Q1) | SCP deny on non-compliant resources | APRA CPS 234 §36 audit cycle |

Phase C only bites at request time: an SCP condition on aws:RequestTag refuses calls that would create a resource without the required bc:* tags. Resources that already exist without them are not touched by the SCP and still need the Phase A reporting (or a separate remediation path) to be found and fixed.
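The SCP documents named in the OU tree above, written out as an added example (not the landing zone's real policy files or the runbooks code), together with a minimal evaluator that answers "which Deny statements would catch this request?" for an OU's effective SCP set. Assumed, not from the page: the allowed region list and global-service exemptions in LimitRegions, that EnforceTaggingOnEC2 keys on bc:project, and the simplification that resource ARNs are not matched.

```python
"""Constructed SCP set for the OU layout plus a minimal deny evaluator.
Added example; not the project's runbooks code or real landing-zone policies."""
import fnmatch
import json
from pathlib import Path

DENY_LEAVING_ORGANIZATION = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyLeaveOrg", "Effect": "Deny",
                   "Action": "organizations:LeaveOrganization", "Resource": "*"}],
}
DENY_DISABLING_CLOUDTRAIL = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ProtectTrail", "Effect": "Deny",
                   "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                              "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
                   "Resource": "*"}],
}
DENY_ROOT_ACCOUNT_USAGE = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
                   "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}],
}
# Phase C shape: RunInstances is refused when the request carries no bc:project tag
# (the tag key is an assumption; Null=true means "the context key is absent").
ENFORCE_TAGGING_ON_EC2 = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "RequireBcProjectOnRunInstances", "Effect": "Deny",
                   "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
                   "Condition": {"Null": {"aws:RequestTag/bc:project": "true"}}}],
}
# Regions and the NotAction list of global services are assumptions for the example.
LIMIT_REGIONS = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyOutsideAllowedRegions", "Effect": "Deny",
                   "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*",
                                 "route53:*", "cloudfront:*", "budgets:*", "health:*"],
                   "Resource": "*",
                   "Condition": {"StringNotEquals": {
                       "aws:RequestedRegion": ["ap-southeast-2", "ap-southeast-4"]}}}],
}

SCP_FILES = {
    "DenyLeavingOrganization.json": DENY_LEAVING_ORGANIZATION,
    "DenyDisablingCloudTrail.json": DENY_DISABLING_CLOUDTRAIL,
    "DenyRootAccountUsage.json": DENY_ROOT_ACCOUNT_USAGE,
    "EnforceTaggingOnEC2.json": ENFORCE_TAGGING_ON_EC2,
    "LimitRegions.json": LIMIT_REGIONS,
}
# Effective SCPs per OU: the root's FullAWSAccess (an Allow) plus the OU's denies.
OU_POLICIES = {
    "Core": ["DenyLeavingOrganization.json", "DenyDisablingCloudTrail.json"],
    "Workload": ["DenyRootAccountUsage.json", "EnforceTaggingOnEC2.json"],
    "Sandbox": ["LimitRegions.json"],
}


def write_scp_files(out_dir):
    """Write each document as <Name>.json, as in the OU tree; returns the paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for name, doc in SCP_FILES.items():
        path = out / name
        path.write_text(json.dumps(doc, indent=2) + "\n")
        paths.append(path)
    return paths


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(value, pattern):
    # IAM action names and ARN patterns match case-insensitively with * wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _action_matches(stmt, action):
    if "Action" in stmt:
        return any(_glob(action, p) for p in _as_list(stmt["Action"]))
    return not any(_glob(action, p) for p in _as_list(stmt["NotAction"]))


def _condition_holds(cond, ctx):
    """Subset of IAM condition operators: StringEquals/NotEquals/Like and Null."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual, vals = ctx.get(key), _as_list(expected)
            if op == "StringEquals" and actual not in vals:
                return False
            if op == "StringNotEquals" and actual in vals:
                return False
            if op == "StringLike" and not any(_glob(actual or "", p) for p in vals):
                return False
            if op == "Null" and (actual is None) != (vals[0] == "true"):
                return False
    return True


def scp_denies(ou, action, context=None):
    """Sids of Deny statements in the OU's effective SCPs that match the request.
    An empty list means the SCP ceiling allows it; IAM policies still apply."""
    context = context or {}
    hits = []
    for fname in OU_POLICIES[ou]:
        for stmt in SCP_FILES[fname]["Statement"]:
            if (stmt["Effect"] == "Deny" and _action_matches(stmt, action)
                    and _condition_holds(stmt.get("Condition", {}), context)):
                hits.append(stmt["Sid"])
    return hits


if __name__ == "__main__":
    print(scp_denies("Sandbox", "ec2:RunInstances", {"aws:RequestedRegion": "us-east-1"}))
    print(scp_denies("Workload", "ec2:RunInstances", {"aws:RequestedRegion": "ap-southeast-2"}))
```

The evaluator deliberately ignores resource ARNs and the IAM policies inside the account; it only shows the SCP ceiling, which is the thing the three-phase rollout changes. Note the EnforceTaggingOnEC2 statement: a RunInstances call with bc:project in its request tags passes, one without is denied, and an instance that already exists untagged is never evaluated.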

Tag Policies

Tag Policies standardize tag key capitalization (matching is case-sensitive) and restrict the allowed values for a key. They do not prevent resource creation: non-compliant tags are reported in the AWS Console compliance view, and with enforced_for the policy additionally rejects tagging operations that would apply a non-compliant key or value to the listed resource types.

Tag Policy and bc:* taxonomy

The CSDM-first tag taxonomy uses bc: prefixed keys (all lowercase). Tag Policy enforcement ensures:

  • bc:project is always written in lowercase (a resource tagged BC:Project or Bc:project is reported as non-compliant)
  • bc:environment only takes the values prod, staging, dev, sandbox
  • bc:technical-lead is required on all ec2:instance and rds:db resources; note that a Tag Policy cannot require a tag to be present, it only governs the key and value when the tag is applied, so presence on those resource types is enforced by SCP deny in Phase C rather than by the Tag Policy

ServiceNow CSDM 5 compatibility target

Tag Policy enforces bc:* key consistency at the AWS layer. The ServiceNow CSDM 5 class mapping is prepared as a compatibility target but is not integrated in the 2026 Stage 1 scope; live CSDM API sync is deferred to CC-S2 Stage 2.

See CSDM-First Taxonomy for the full bc:* tag table.
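A Tag Policy expressing the three rules above, plus a checker that reports each finding together with the control that actually catches it (the Tag Policy for casing and value drift, SCP deny for a missing key). This is an added example, not the runbooks code or the tenant's real policy; the enforced_for resource types are taken from the bullets, and the resource tag sets passed in are constructed.

```python
"""Constructed Tag Policy for the bc:* keys and a compliance checker that
mirrors what the policy can and cannot detect. Added example, not project code."""

TAG_POLICY = {
    "tags": {
        "bc:project": {
            # tag_key fixes the capitalization every compliant resource must use
            "tag_key": {"@@assign": "bc:project"},
            "enforced_for": {"@@assign": ["ec2:instance", "rds:db"]},
        },
        "bc:environment": {
            "tag_key": {"@@assign": "bc:environment"},
            "tag_value": {"@@assign": ["prod", "staging", "dev", "sandbox"]},
            "enforced_for": {"@@assign": ["ec2:instance", "rds:db"]},
        },
        "bc:technical-lead": {
            "tag_key": {"@@assign": "bc:technical-lead"},
            "enforced_for": {"@@assign": ["ec2:instance", "rds:db"]},
        },
    }
}

# Presence requirements live outside the Tag Policy: the Phase C SCP denies
# creation without them. Resource types here are the page's, the rule is assumed.
REQUIRED_BY_SCP = {
    "ec2:instance": ["bc:technical-lead"],
    "rds:db": ["bc:technical-lead"],
}


def _canonical_keys():
    """Map lowercase key -> the capitalization the policy assigns."""
    return {spec["tag_key"]["@@assign"].lower(): spec["tag_key"]["@@assign"]
            for spec in TAG_POLICY["tags"].values()}


def check_tags(resource_type, tags):
    """Return (finding, control) pairs for one resource's tag set.

    control is "tag-policy" for drift the Tag Policy itself reports or blocks,
    and "scp-deny" for a missing key that only the SCP can enforce."""
    findings = []
    canonical = _canonical_keys()
    for key, value in tags.items():
        want = canonical.get(key.lower())
        if want is None:
            continue  # key not governed by the policy
        if key != want:
            findings.append((f"key {key!r} should be {want!r}", "tag-policy"))
        allowed = TAG_POLICY["tags"][want].get("tag_value", {}).get("@@assign")
        if allowed and value not in allowed:
            findings.append((f"{want}={value!r} not in {allowed}", "tag-policy"))
    present = {k.lower() for k in tags}
    for key in REQUIRED_BY_SCP.get(resource_type, []):
        if key not in present:
            findings.append((f"{key} missing", "scp-deny"))
    return findings


if __name__ == "__main__":
    # Constructed resources: one with casing drift, one with a bad value and a missing key.
    for rtype, tags in [
        ("ec2:instance", {"BC:Project": "metering", "bc:environment": "prod", "bc:technical-lead": "ops"}),
        ("rds:db", {"bc:project": "metering", "bc:environment": "production"}),
    ]:
        for finding, control in check_tags(rtype, tags):
            print(f"{rtype}: {finding} [{control}]")
```

enforced_for only changes what happens on a tagging call (TagResource, CreateTags, or tags passed at creation) for the listed types; compliance reporting covers the key on every resource type. Keep that in mind when reading a "compliant" report during Phase A: it says nothing about resources that carry no bc:* tag at all.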

Discovering Tag Policies

export AWS_MANAGEMENT_PROFILE=<your-management-profile>

# List all Tag Policies
uv run runbooks inventory list-org-policies \
    --profile $AWS_MANAGEMENT_PROFILE \
    --policy-type TAG_POLICY \
    --output-dir tenants/b2b-energy/raw/organizations/

# List policy names
jq '[.Policies[].Name]' \
    tenants/b2b-energy/raw/organizations/tag-policies.json

Backup Policies

Backup Policies define AWS Backup plans that are applied to every account in scope. A plan specifies the regions it runs in, the backup schedule and retention (lifecycle), the destination vault, and the resource selection (by tag or by ARN) together with the IAM role AWS Backup assumes in each account. A plan without regions and a selection is never applied to anything, so both belong in every policy.

Common backup policy parameters

{
  "plans": {
    "daily-7day-retention": {
      "regions": {"@@assign": ["<region>"]},
      "rules": {
        "DailyBackup": {
          "schedule_expression": {"@@assign": "cron(0 5 ? * * *)"},
          "target_backup_vault_name": {"@@assign": "Default"},
          "lifecycle": {
            "delete_after_days": {"@@assign": "7"}
          }
        }
      },
      "selections": {
        "tags": {
          "bc-environment-prod": {
            "iam_role_arn": {"@@assign": "arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole"},
            "tag_key": {"@@assign": "bc:environment"},
            "tag_value": {"@@assign": ["prod"]}
          }
        }
      }
    }
  }
}

Discovering Backup Policies

export AWS_MANAGEMENT_PROFILE=<your-management-profile>

# List all Backup Policies
uv run runbooks inventory list-org-policies \
    --profile $AWS_MANAGEMENT_PROFILE \
    --policy-type BACKUP_POLICY \
    --output-dir tenants/b2b-energy/raw/organizations/

AI Services Opt-Out Policies (Chatbot Policies)

AWS AI services (Amazon Rekognition, Transcribe, Comprehend, Lex and others) may use customer content to develop and improve the services unless the account opts out. AI services opt-out policies set that choice centrally for every account in scope, either per service or for all services through a default entry.

Output filename: chatbot-policies.json

The runbooks CLI writes AI Services Opt-Out policies to chatbot-policies.json (matching the HITL team convention). The AWS policy type name is AISERVICES_OPT_OUT_POLICY. Do not confuse the file name with the separate AWS Organizations CHATBOT_POLICY type, which governs Amazon Q Developer in chat applications and is not captured by this command.

Discovering AI Services Opt-Out Policies

export AWS_MANAGEMENT_PROFILE=<your-management-profile>

# List AI Services Opt-Out Policies
uv run runbooks inventory list-org-policies \
    --profile $AWS_MANAGEMENT_PROFILE \
    --policy-type AISERVICES_OPT_OUT_POLICY \
    --output-dir tenants/b2b-energy/raw/organizations/

All Policies in One Command

export AWS_MANAGEMENT_PROFILE=<your-management-profile>

# Capture all 4 policy types at once
uv run runbooks inventory list-org-policies \
    --profile $AWS_MANAGEMENT_PROFILE \
    --policy-type ALL \
    --output-dir tenants/b2b-energy/raw/organizations/

# Verify all 4 files were written
ls tenants/b2b-energy/raw/organizations/*-policies.json

Policy Count Validation

After capture, cross-check policy counts against the AWS Console. Two things skew a naive count: ListPolicies returns every policy of the requested type whether or not it is attached to a target, and the SCP count includes the AWS-managed FullAWSAccess policy. Use list-targets-for-policy to confirm what is actually attached where.

# SCP count from runbooks
jq '.Policies | length' tenants/b2b-energy/raw/organizations/scp-policies.json

# Tag Policy count from runbooks
jq '.Policies | length' tenants/b2b-energy/raw/organizations/tag-policies.json

# Cross-check SCP count via direct aws CLI
aws organizations list-policies \
    --filter SERVICE_CONTROL_POLICY \
    --profile $AWS_MANAGEMENT_PROFILE \
    --query 'Policies | length(@)'
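Counts alone can agree while the policy sets differ, so a reconciliation by policy Id is the stronger check. The following is an added example, not the runbooks code; both inputs are constructed stand-ins, and the file shape is assumed to mirror the AWS ListPolicies response (a "Policies" array of objects with Id, Arn, Name, Description, Type and AwsManaged).

```python
"""Reconcile a runbooks policy capture against a direct ListPolicies capture.
Added example, not project code. Inputs are constructed; the schema is assumed
to match the AWS ListPolicies response shape."""
import json
from pathlib import Path

# Constructed stand-in for tenants/<tenant>/raw/organizations/scp-policies.json.
RUNBOOKS_CAPTURE = {"Policies": [
    {"Id": "p-FullAWSAccess", "Name": "FullAWSAccess",
     "Type": "SERVICE_CONTROL_POLICY", "AwsManaged": True},
    {"Id": "p-aaaa1111", "Name": "DenyLeavingOrganization",
     "Type": "SERVICE_CONTROL_POLICY", "AwsManaged": False},
    {"Id": "p-bbbb2222", "Name": "DenyDisablingCloudTrail",
     "Type": "SERVICE_CONTROL_POLICY", "AwsManaged": False},
]}
# Constructed stand-in for the output of
# `aws organizations list-policies --filter SERVICE_CONTROL_POLICY`.
CLI_CAPTURE = {"Policies": [
    {"Id": "p-FullAWSAccess", "Name": "FullAWSAccess",
     "Type": "SERVICE_CONTROL_POLICY", "AwsManaged": True},
    {"Id": "p-aaaa1111", "Name": "DenyLeavingOrganization",
     "Type": "SERVICE_CONTROL_POLICY", "AwsManaged": False},
    {"Id": "p-bbbb2222", "Name": "DenyDisablingCloudTrail",
     "Type": "SERVICE_CONTROL_POLICY", "AwsManaged": False},
    {"Id": "p-cccc3333", "Name": "LimitRegions",
     "Type": "SERVICE_CONTROL_POLICY", "AwsManaged": False},
]}


def summarize(doc):
    """Split the count the way the Console does: AWS-managed vs customer-managed."""
    policies = doc["Policies"]
    managed = sum(1 for p in policies if p.get("AwsManaged"))
    return {"total": len(policies), "aws_managed": managed,
            "customer_managed": len(policies) - managed}


def reconcile(runbooks_doc, cli_doc):
    """Names of policies present in one capture but absent from the other, by Id."""
    by_id_runbooks = {p["Id"]: p["Name"] for p in runbooks_doc["Policies"]}
    by_id_cli = {p["Id"]: p["Name"] for p in cli_doc["Policies"]}
    return {
        "missing_from_runbooks": sorted(by_id_cli[i] for i in by_id_cli.keys() - by_id_runbooks.keys()),
        "missing_from_cli": sorted(by_id_runbooks[i] for i in by_id_runbooks.keys() - by_id_cli.keys()),
    }


def reconcile_files(runbooks_path, cli_path):
    """Same check against the two JSON files written by runbooks and the aws CLI."""
    return reconcile(json.loads(Path(runbooks_path).read_text()),
                     json.loads(Path(cli_path).read_text()))


if __name__ == "__main__":
    print(summarize(RUNBOOKS_CAPTURE), summarize(CLI_CAPTURE))
    print(reconcile(RUNBOOKS_CAPTURE, CLI_CAPTURE))
```

In practice the second input comes from `aws organizations list-policies --filter SERVICE_CONTROL_POLICY --profile $AWS_MANAGEMENT_PROFILE > cli-scp.json`, after which reconcile_files points at both files. Matching on Id rather than Name also catches the case where a policy was deleted and recreated under the same name between captures.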