AWS - about the OrganizationAccountAccessRole

When you accept an invitation to join an AWS Organization, the management account of that organization does not automatically gain IAM access to your account. Accounts that the organization *creates* get an OrganizationAccountAccessRole at creation time; an *invited* account has no such role, and the management account can only assume into your account if you create the role yourself. The name is an AWS convention, not a requirement: any IAM role that trusts the management account works, as long as the management account knows its name.

If you only accept the invite and don’t create the OrganizationAccountAccessRole, nobody in the management account can sign in to your account or call APIs against your resources. What the management account does get from the membership itself is the organization-level view: your account ID, name and email, your usage and charges under consolidated billing, the ability to attach SCPs to you, and the ability to enable trusted access for AWS services that integrate with Organizations (which creates service-linked roles in member accounts).
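The following is an added example, not AWS code or the author's: it builds the trust policy for the role an invited member account has to add by hand, attaches a permissions policy, includes a small audit helper that lists which accounts a trust policy actually trusts, and shows the check the management account would run afterwards. The account IDs, the `boto3` profile names and the optional MFA condition are assumptions for illustration; `AdministratorAccess` is what AWS attaches to the role it auto-creates in organization-created accounts.

```python
"""Added example (not AWS or the author's code): create, audit and test the
cross-account role an invited member account has to add by hand.

Account IDs below are placeholders. The role name follows the AWS convention
(OrganizationAccountAccessRole) but any name works; the management account
just has to know it.
"""
import json
from typing import Dict, List

ROLE_NAME = "OrganizationAccountAccessRole"
# What AWS attaches to the auto-created role in accounts the organization creates.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_trust_policy(management_account_id: str, require_mfa: bool = False) -> Dict:
    """Trust policy letting IAM principals in the management account assume the role.

    require_mfa (assumption, not part of the AWS default) adds an
    aws:MultiFactorAuthPresent condition. Use it only when people in the
    management account assume the role directly with MFA: a session obtained
    by role chaining does not carry the MFA flag and would be refused.
    """
    if not (management_account_id.isdigit() and len(management_account_id) == 12):
        raise ValueError("an AWS account ID is exactly 12 digits")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def trusted_accounts(trust_policy: Dict) -> List[str]:
    """Audit helper: account IDs whose principals an Allow statement lets assume
    the role. "*" means the policy trusts every AWS account."""
    found = set()
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add("*")
            continue
        for entry in _as_list(principal.get("AWS", [])):
            if entry == "*":
                found.add("*")
            elif entry.startswith("arn:"):
                found.add(entry.split(":")[4])  # arn:partition:iam::ACCOUNT:...
            else:
                found.add(entry)  # a bare 12-digit account ID
    return sorted(found)


def create_role(member_session, management_account_id: str,
                policy_arn: str = ADMIN_POLICY_ARN) -> str:
    """Run with a boto3.Session for the MEMBER account. Returns the role ARN."""
    iam = member_session.client("iam")
    role = iam.create_role(
        RoleName=ROLE_NAME,
        AssumeRolePolicyDocument=json.dumps(build_trust_policy(management_account_id)),
        Description="Cross-account access for the organization management account",
    )
    iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=policy_arn)
    return role["Role"]["Arn"]


def verify_from_management(management_session, member_account_id: str) -> str:
    """Run with a boto3.Session for the MANAGEMENT account. Returns the
    assumed-role ARN, proving the role exists and trusts you."""
    import boto3  # local import keeps the policy helpers usable without boto3
    sts = management_session.client("sts")
    creds = sts.assume_role(
        RoleArn=f"arn:aws:iam::{member_account_id}:role/{ROLE_NAME}",
        RoleSessionName="org-access-check",
    )["Credentials"]
    member = boto3.client(
        "sts",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    return member.get_caller_identity()["Arn"]


if __name__ == "__main__":
    # Placeholder management account ID; the AWS-touching calls are commented
    # out so the script runs offline and prints the policy it would install.
    policy = build_trust_policy("111122223333")
    print(json.dumps(policy, indent=2))
    print("trusts accounts:", trusted_accounts(policy))
    # import boto3
    # create_role(boto3.Session(profile_name="member"), "111122223333")
    # print(verify_from_management(boto3.Session(profile_name="management"), "444455556666"))
```

Before installing such a role, run `trusted_accounts` over the trust policy you are about to apply: the only acceptable answer is the single management account ID, never `"*"` and never an account you do not recognise.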

Service Control Policies (SCPs) do not need the OrganizationAccountAccessRole to work. SCPs are guardrails, not permission grants: they set the maximum permissions available to every IAM user and role in a member account (the account's root user included) across the accounts they are attached to. They never apply to principals in the management account itself, and they require the organization to be running in "all features" mode rather than consolidated billing only. When you join an AWS Organization your account is placed in the organization root, so any SCPs attached to the root (by default the AWS-managed FullAWSAccess policy) apply to your account immediately. This means that accepting the invite can change what services and actions are allowed or denied in your account, even without the OrganizationAccountAccessRole.

However, it’s important to note that SCPs do not grant permissions. They only restrict permissions that are otherwise granted by IAM policies: an explicit Deny in any SCP on the path from the root through each OU to the account wins, an Allow has to be present at every level of that path, and even when the SCP chain allows an action, it can only be performed if an IAM policy attached to the principal grants it as well.
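To make the interaction between SCPs and IAM policies concrete, here is an added example (not AWS code or the author's): a simplified simulator that walks the SCP chain level by level (root, each OU, the account) and then consults the principal's IAM policy. It models only Allow/Deny statements with `Action` and `Resource`; conditions, `NotAction`, resource-based policies, permission boundaries and session policies are left out. The SCPs and IAM policies it evaluates are constructed samples; `FullAWSAccess` mirrors the AWS default SCP and `ADMIN_IAM` stands in for `AdministratorAccess`.

```python
"""Added example (not AWS or the author's code): a simplified simulator of how
an SCP chain and an IAM policy combine for one IAM principal in a member account.

Simplifications: only Allow/Deny statements with Action and Resource (no
Condition, NotAction, NotResource, resource-based policies, permission
boundaries or session policies). The policies below are constructed samples.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

Policy = Dict


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    # Action names are case-insensitive; '*' and '?' are the policy wildcards.
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _decision(policies: List[Policy], action: str, resource: str) -> str:
    """'Deny', 'Allow' or 'Implicit' for one set of policies (explicit Deny wins)."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if "Action" not in stmt or "Resource" not in stmt:
                continue
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Implicit"


def evaluate(scp_levels: List[List[Policy]], iam_policies: List[Policy],
             action: str, resource: str = "*") -> Tuple[str, str]:
    """scp_levels holds the SCPs attached at each level on the path
    root -> OU -> ... -> account. SCPs are inherited, so every level must Allow
    and no level may Deny; only then does the principal's IAM policy decide.
    (SCPs never apply to principals in the management account.)"""
    for depth, level in enumerate(scp_levels):
        verdict = _decision(level, action, resource)
        if verdict == "Deny":
            return "denied", f"explicit Deny in an SCP at level {depth}"
        if verdict == "Implicit":
            return "denied", f"no SCP Allow at level {depth}"
    verdict = _decision(iam_policies, action, resource)
    if verdict == "Deny":
        return "denied", "explicit Deny in IAM policy"
    if verdict == "Implicit":
        return "denied", "no IAM Allow (SCPs never grant permissions)"
    return "allowed", "SCP chain allows and IAM policy allows"


def is_allowed(scp_levels, iam_policies, action, resource="*") -> bool:
    return evaluate(scp_levels, iam_policies, action, resource)[0] == "allowed"


# Constructed sample policies.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}        # mirrors the AWS default SCP
DENY_LEAVE_ORG = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}]}
ALLOW_LIST_OU = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:*", "organizations:*"], "Resource": "*"}]}
ADMIN_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}        # stands in for AdministratorAccess
S3_READ_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}

# Root carries the default SCP plus a Deny; the account itself keeps the default.
ROOT_AND_ACCOUNT = [[FULL_AWS_ACCESS, DENY_LEAVE_ORG], [FULL_AWS_ACCESS]]
# Root -> allow-list OU -> account: the OU level has no Allow for ec2.
WITH_ALLOW_LIST_OU = [[FULL_AWS_ACCESS], [ALLOW_LIST_OU], [FULL_AWS_ACCESS]]

if __name__ == "__main__":
    cases = [
        (ROOT_AND_ACCOUNT, [ADMIN_IAM], "organizations:LeaveOrganization"),
        (ROOT_AND_ACCOUNT, [ADMIN_IAM], "ec2:RunInstances"),
        (ROOT_AND_ACCOUNT, [S3_READ_IAM], "ec2:RunInstances"),
        (WITH_ALLOW_LIST_OU, [ADMIN_IAM], "ec2:RunInstances"),
        (WITH_ALLOW_LIST_OU, [ADMIN_IAM], "s3:PutObject"),
    ]
    for scps, iam, action in cases:
        print(f"{action:35} -> {evaluate(scps, iam, action)}")
```

The third case is the one the paragraph above is about: the SCP chain allows `ec2:RunInstances`, yet a principal holding only the S3 read policy is still denied, because an SCP Allow grants nothing on its own. The fourth case shows the other direction: an administrator in an allow-list OU loses `ec2:RunInstances` even though both root and the account level allow everything.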

Double-check all of the above, just to be sure.