We're going to step through creating an SCP and adding it to an OU.

You're going to need the ID of the OU in question; you can fetch it from the organizations web console or use the CLI. It will look something like this: ou-bmdw-omzypry7.

We'll be preparing a policy document as well. In this example, we're going to add an SCP to the Sudden Valley OU to allow access to EC2 and S3. Here's what our SCP looks like:

{ 
    "Version":"2012-10-17", 
    "Statement":[ 
        { 
            "Effect":"Allow", 
            "Action":["EC2:*","S3:*"], 
            "Resource":"*" 
        } 
    ] 
}