In the AWS documentation of Policy evaluation logic there is the following image, describing the evaluation of policies logic: [image of policy evaluation logic in AWS]

The part for SCP has the following description (upper square in the second from the left): "is the principal's account a member of an organization with an applicable SCP?"
Further, the description below the image for the organization SCP says: "If there is no SCP, or if the SCP allows the requested action, the code continues." What I infer is that it is possible for an account that is a member of an organization to not have any applicable SCP. Does that mean that an Organization may have no SCPs at all?

If so, why, when trying to detach all policies, do I get the error: "you cannot remove the last policy attached to specific target. you must have at least one attached at all times"?

A quick search in Google gives me this result from the documentation: "Every root, OU, and account must have at least one SCP attached."

There is something I am missing but I can't figure out what: how can I have no SCP to check if I must have at least one SCP?

Note: I can have an organization without any SCP if I completely disable the SCP feature. My question is: is it possible for an account to be a member of an organization with the SCP feature on but not have any applicable SCP to it?

I tried what is described above.
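To make the evaluation flow the question refers to concrete, here is a small Python model of the SCP step, written for this page as an added example (it is not AWS code and the data structures are a constructed simplification). It models the two documented behaviours that matter for the question: SCPs never grant permissions, they only filter what identity-based policies may grant, and an action has to be allowed by the SCPs at every level of the chain (root, OU, account) while an explicit Deny anywhere wins. A chain of `None` stands for an organization with the SCP feature disabled, which is the only "no SCP" case the question describes.

```python
"""Simplified model of the SCP stage of AWS policy evaluation (constructed example)."""
from fnmatch import fnmatchcase

# Policy documents are reduced to a list of statements with Effect and Action
# (single pattern or list of patterns). Resources and conditions are omitted
# on purpose: the question is only about the SCP yes/no step.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}   # default SCP

# Constructed deny-list SCP: blocks destructive S3 calls for the OU it is attached to.
DENY_S3_DELETES = {"Statement": [
    {"Effect": "Deny", "Action": ["s3:DeleteBucket", "s3:DeleteObject*"]},
]}

# Constructed identity-based policy attached to the calling role.
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"]}]}


def _actions(stmt):
    action = stmt["Action"]
    return action if isinstance(action, list) else [action]


def statement_matches(stmt, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in _actions(stmt))


def policies_allow(policies, action):
    """Return True only if some statement allows the action and none denies it.

    Used both for one SCP level (all SCPs attached to a root, OU, or account)
    and for the set of identity-based policies on the principal.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_matches(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit deny always wins
            allowed = True
    return allowed                    # no matching Allow -> implicit deny


def scp_chain_allows(chain, action):
    """chain: list of SCP lists, root first, then each OU, then the account.

    None models an organization with the SCP policy type disabled: there is
    no SCP to check, so evaluation simply continues (the "if there is no SCP"
    branch in the documentation's diagram).
    """
    if chain is None:
        return True
    return all(policies_allow(level, action) for level in chain)


def evaluate(action, scp_chain, identity_policies):
    """Return 'Deny (SCP)', 'Deny (identity)' or 'Allow' for a same-account request."""
    if not scp_chain_allows(scp_chain, action):
        return "Deny (SCP)"
    if not policies_allow(identity_policies, action):
        return "Deny (identity)"
    return "Allow"


if __name__ == "__main__":
    chain = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_S3_DELETES], [FULL_AWS_ACCESS]]
    for act in ("s3:GetObject", "s3:DeleteBucket", "iam:CreateUser"):
        print(act, "->", evaluate(act, chain, [ROLE_POLICY]))
```

The model also shows why "at least one SCP attached" and "no applicable SCP" are not in tension: detaching FullAWSAccess from an OU and leaving only a deny-list SCP does not remove the SCP check, it leaves that level with no matching Allow, so every action is implicitly denied for the accounts below it.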

0 Answers