I would like to allow users in all accounts in my AWS Organization (under a number of different OUs) to access only a few AWS services: RDS, EC2, S3, etc. In other words, I need to prevent access to anything else. I was thinking about using SCP but denying access to so many services seems to be a bad idea (the FullAWSAccess service control policy is attached by default). I would like to ask if you have ever done something like that and if you have, how?
SCP is the way to go.
You can deny everything with a whitelist condition.
Please bear in mind that you need to reduce the scope of your SCP, otherwise you end up disabling AWS service roles to perform standard operations, e.g. if you use CloudFormation stacks.
Therefore, you should apply this SCP only to the roles used by your users and services.
Tip: use one role for implementing the SCP and one role to test it. Start small and progress in small steps. Otherwise you might exclude yourself from any service in the AWS console.