Overview

This SCP restricts IAM principals in accounts from making changes to an IAM role created in an AWS account (This could be a common administrative IAM role created in all accounts in your organization).

See Related Configuration Items for a Configuration Package to deploy multiple SCPs to an AWS Account.

Configuration template includes a CloudFormation custom resource to deploy into an AWS account.

Configuration Templates

Missing Parameters
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:AttachRolePolicy",
                "iam:DeleteRole",
                "iam:DeleteRolePermissionsBoundary",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePermissionsBoundary",
                "iam:PutRolePolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:UpdateRole",
                "iam:UpdateRoleDescription"
            ],
            "Resource": [
                "arn:aws:iam::*:role/"
            ],
            "Effect": "Deny"
        }
    ]
}

Actions



Customize Policy
* Required field

Sources and Documentation

Configuration Source: AWS Documentation: Example Service Control Policies

Additional Documentation: