---
title: SCP should restrict root user actions
description: Datadog, the leading service for cloud-scale monitoring.
---

# SCP should restrict root user actions
 
## Description{% #description %}

A Service Control Policy (SCP) should be applied at the organization level to deny all actions performed by the root user. The root user has unrestricted access to all resources and should not be used for day-to-day activities. An SCP with an explicit deny for the root principal (`arn:aws:iam::*:root`) enforces this restriction across all member accounts.

This rule also flags SCPs that use `NotAction` with a root principal condition. Using `NotAction` instead of `Action: "*"` exempts specific actions from the root deny, creating a gap that could be exploited if the corresponding explicit deny is ever removed.

**Note**: SCPs do not apply to the management account. This rule verifies that at least one SCP exists with a deny statement targeting the root user principal, using `Action` (not `NotAction`).

## Remediation{% #remediation %}

Create an SCP that denies all actions (`Action: "*"`) when the principal is the root user and attach it to the organization root. Avoid using `NotAction` for root restriction policies. Refer to the [SCP syntax documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html) and the [AWS Organizations best practices](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html) for guidance.
