This SCP restricts IAM principals in accounts from making changes to an IAM role created in an AWS account (This could be a common administrative IAM role created in all accounts in your organization).

See Related Configuration Items for a Configuration Package to deploy multiple SCPs to an AWS Account.

Configuration template includes a CloudFormation custom resource to deploy into an AWS account.

Configuration Templates

Missing Parameters
    "Version": "2012-10-17",
    "Statement": [
            "Action": [
            "Resource": [
            "Effect": "Deny"


Customize Template

Policy Parameters

* Required field

Sources and Documentation

Configuration Source: AWS Documentation: Example Service Control Policies

Additional Documentation:

© 2020 asecurecloud Inc. All Rights Reserved.