Overview

This SCP requires that multi-factor authentication (MFA) is enabled before a principal or root user can stop an Amazon EC2 instance.

Configuration template includes a CloudFormation custom resource to deploy into an AWS account.

Configuration Templates

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": false
                }
            }
        }
    ]
}

Actions



Customize Policy
No policy variables to customize
* Required field

Sources and Documentation

Configuration Source: AWS Documentation: Example Service Control Policies

Additional Documentation: