A collection of configuration templates for AWS Organizations resources as well as security controls for monitoring and protecting AWS Organizations configuration such as Config Rules, CloudWatch Alarms, EventBridge Rules, IAM policies, and more.

Organizations
AWS Organizations Resource Delegation Policy (Policy as Json)

This template creates an AWS::Organizations::ResourcePolicy resource that specifies the organization resource policy content as a JSON object. The organization resource policy allows the specified AWS account to perform the organizations:DescribeOrganization action on all resources.

Formats: CloudFormation
AWS Organizations Resource Delegation Policy (Policy as String)

This template creates an AWS::Organizations::ResourcePolicy resource that specifies the organization resource policy content as a JSON string. The organization resource policy allows the specified AWS account to perform the organizations:DescribeOrganization action on all resources.

Formats: CloudFormation
AWS Organizations Organization with FeatureSet ALL

This template creates an AWS Organizations organization with the FeatureSet property set to ALL. All organization features are enabled, which is a prerequisite for attaching the service control policies in this collection.

Formats: CloudFormation
AWS Organizations Organization with FeatureSet CONSOLIDATED_BILLING

This template creates an AWS Organizations organization with the FeatureSet property set to CONSOLIDATED_BILLING. Only consolidated billing is enabled; service control policies and the other organization policy types cannot be attached until the organization is switched to all features.

Formats: CloudFormation
AWS Organizations OU

This template creates an Organizational Unit (OU) named 'TestTemplateOU' directly under the organization root. The template requires the 'OrganizationRootId' parameter to identify that root.

Formats: CloudFormation
AWS Organizations Nested OU Structure

This template creates a nested Organizational Unit (OU) structure.

Formats: CloudFormation
Service Control Policy
Whitelist Access to AWS Based on the Requested Region

This SCP denies any request whose requested AWS Region is outside the specified Region(s), except for actions in the listed global services. Those services are not region-scoped, so they cannot be allowed on a per-Region basis and must be carved out explicitly; without the carve-out the policy blocks them everywhere.

Formats: CloudFormation, Terraform, AWS CLI
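The following is an added example, not code from the template collection: it builds the region-restriction SCP described above and checks which requests it denies with a small deny-only evaluator. The allowed Region (eu-west-1) and the global-service list are assumptions, and the evaluator is a teaching approximation of the IAM policy engine (Action/NotAction wildcards plus StringEquals/StringNotEquals), not the IAM policy simulator.

```python
# Added example, not part of the template collection: build the region-restriction
# SCP and check which requests it denies with a small deny-only evaluator.
# ALLOWED_REGIONS and GLOBAL_SERVICE_ACTIONS are assumptions for the demonstration.
import fnmatch
import json

ALLOWED_REGIONS = ["eu-west-1"]  # assumed for the example

# Global services whose API calls are not region-scoped. IAM's single endpoint, for
# instance, always reports aws:RequestedRegion=us-east-1, so without this NotAction
# carve-out an allow-list of eu-west-1 would block every IAM call in the account.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*",
    "support:*", "budgets:*", "health:*",
]


def region_restriction_scp(allowed_regions, global_actions):
    """Deny everything outside allowed_regions except the listed global actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": global_actions,
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": allowed_regions}
            },
        }],
    }


def _action_matches(statement, action):
    """Action/NotAction matching with IAM's case-insensitive '*' and '?' wildcards."""
    def any_hit(patterns):
        patterns = [patterns] if isinstance(patterns, str) else patterns
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    if "Action" in statement:
        return any_hit(statement["Action"])
    return not any_hit(statement["NotAction"])


def _condition_holds(condition, context):
    """StringEquals / StringNotEquals only, which is all this SCP needs. A key that
    is absent from the request context makes StringNotEquals true, so a request
    carrying no aws:RequestedRegion is also caught by the Deny."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            expected = [expected] if isinstance(expected, str) else expected
            equal = context.get(key) in expected
            if (operator == "StringEquals") != equal:
                return False
    return True


def scp_denies(policy, action, context):
    """True when any Deny statement matches. SCPs never grant permissions; they
    only filter what IAM policies inside the account may grant."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if _action_matches(st, action) and _condition_holds(st.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    scp = region_restriction_scp(ALLOWED_REGIONS, GLOBAL_SERVICE_ACTIONS)
    print(json.dumps(scp, indent=2))
    checks = [
        ("ec2:RunInstances", {"aws:RequestedRegion": "us-east-1"}),
        ("ec2:RunInstances", {"aws:RequestedRegion": "eu-west-1"}),
        ("iam:CreateUser", {"aws:RequestedRegion": "us-east-1"}),
    ]
    for action, ctx in checks:
        verdict = "DENIED" if scp_denies(scp, action, ctx) else "not denied"
        print(f"{action:18} {ctx}: {verdict}")
    # The same IAM call against a policy with no global-service carve-out:
    bare = region_restriction_scp(ALLOWED_REGIONS, [])
    print("iam:CreateUser without NotAction carve-out:",
          "DENIED" if scp_denies(bare, "iam:CreateUser", checks[2][1]) else "not denied")
```

The last check is the one to remember: with an empty NotAction list the IAM call is denied even though nothing about it is "outside" the organization's Regions, because IAM reports us-east-1 for every request.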
Prevent Users from Disabling AWS CloudTrail

This SCP prevents users or roles in any affected account from stopping or deleting a CloudTrail trail, whether through the API and CLI or through the console.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Users from Disabling AWS Config or Changing Its Rules

This SCP prevents users or roles in any affected account from running AWS Config operations that could disable AWS Config or alter its rules or triggers.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Users from Disabling Amazon CloudWatch or Altering Its Configuration

This SCP prevents users or roles in any affected account from calling the CloudWatch APIs that could delete or change dashboards or alarms.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Any VPC That Doesn't Already Have Internet Access from Getting It

This SCP prevents users or roles in any affected account from changing the configuration of your Amazon EC2 virtual private clouds (VPCs) to grant them direct access to the internet. It doesn't block existing direct access or any access that routes through your on-premises network environment.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Users from Deleting S3 Buckets or Objects

This SCP prevents users or roles in any affected account from deleting any S3 bucket or object.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Users from Accessing S3 Resources Outside an AWS Organization

This SCP prevents users or roles in any affected account from accessing any S3 object outside the specified AWS Organization.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Users from Deleting KMS Keys

This SCP prevents users or roles in any affected account from deleting KMS keys, either directly as a command or through the console.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Users from leaving AWS Organizations

This SCP prevents users or roles in any affected account from leaving AWS Organizations, either directly as a command or through the console.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Users from Disabling or Modifying Amazon GuardDuty Settings

This SCP prevents users or roles in any affected account from disabling or modifying Amazon GuardDuty settings, either directly as a command or through the console.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Users from Modifying Account and Billing Settings

This SCP prevents users or roles in any affected account from modifying the account and billing settings, either directly as a command or through the console.

Formats: CloudFormation, Terraform, AWS CLI
Protect VPC Connectivity Settings from Modification

This SCP restricts IAM principals in an AWS account from creating, updating or deleting Internet Gateways, NAT Gateways, VPC peering connections, VPN gateways, Client VPN endpoints, Direct Connect and Global Accelerator resources.

Formats: CloudFormation, Terraform, AWS CLI
Protect VPC Internet and NAT Gateway Settings from any Modifications

This SCP restricts IAM principals in an AWS account from creating, updating or deleting Internet Gateways and NAT Gateways.

Formats: CloudFormation, Terraform, AWS CLI
Restrict the Use of the Root User in an AWS Account

This SCP restricts the root user in an AWS account from taking any action, whether through the API and CLI or through the console. SCPs apply to the root user of member accounts only; the management account's root user is never restricted by an SCP.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Creation of New IAM Users or Access Keys

This SCP restricts IAM principals from creating new IAM users or IAM Access Keys in an AWS account.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Creation of New IAM Users or Access Keys with an Exception for an Administrator Role

This SCP restricts IAM principals from creating new IAM users or IAM Access Keys in an AWS account with an exception for a specified Administrator IAM role.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Modification of IAM Password Policy with an Exception for an Administrator Role

This SCP restricts IAM principals from modifying existing IAM password policies in an AWS account with an exception for a specified Administrator IAM role.

Formats: CloudFormation, Terraform, AWS CLI
Prevent IAM Changes to a Specified IAM Role

This SCP restricts IAM principals in accounts from making changes to an IAM role created in an AWS account (This could be a common administrative IAM role created in all accounts in your organization).

Formats: CloudFormation, Terraform, AWS CLI
Prevent IAM Changes to a Specified IAM Role with the Exception of that Role

This SCP restricts IAM principals in accounts from making changes to an IAM role created in an AWS account, except when the change is made by that role itself (this could be a common administrative IAM role created in all accounts in your organization).

Formats: CloudFormation, Terraform, AWS CLI
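The following is an added example, not code from the template collection: it builds the "deny changes to a role, except when the caller is that role" SCP pattern used by the entry above, with an ArnLike-style matcher to check exactly who the aws:PrincipalARN exemption covers. The role name OrgAdminRole, the action list and the account ID are assumptions.

```python
# Added example, not part of the template collection: protect a named role from
# every principal except the role itself, and check who the exemption covers.
# PROTECTED_ROLE, ROLE_MUTATING_ACTIONS and the account ID are assumptions.
import fnmatch

PROTECTED_ROLE = "OrgAdminRole"  # assumed name of the cross-account admin role

ROLE_MUTATING_ACTIONS = [
    "iam:AttachRolePolicy", "iam:DeleteRole", "iam:DeleteRolePermissionsBoundary",
    "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePermissionsBoundary",
    "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy", "iam:UpdateRole",
    "iam:UpdateRoleDescription",
]


def protect_role_scp(role_name):
    """Deny mutating IAM actions on the role in every account unless the caller is
    that role. aws:PrincipalARN carries the role ARN for an assumed-role session
    (not the sts assumed-role session ARN), so one pattern serves both the
    Resource and the exemption."""
    role_pattern = f"arn:aws:iam::*:role/{role_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyChangesToProtectedRoleExceptBySelf",
            "Effect": "Deny",
            "Action": ROLE_MUTATING_ACTIONS,
            "Resource": role_pattern,
            "Condition": {"ArnNotLike": {"aws:PrincipalARN": role_pattern}},
        }],
    }


def arn_like(pattern, arn):
    """ArnLike semantics: the six colon-delimited components are compared one by
    one, case-sensitively, with '*' and '?' wildcards confined to their component."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def role_change_denied(policy, action, resource_arn, principal_arn):
    """Deny-only check: does a Deny statement match this action, resource and caller?"""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = [st["Action"]] if isinstance(st["Action"], str) else st["Action"]
        if not any(a.lower() == action.lower() for a in actions):
            continue
        if not arn_like(st["Resource"], resource_arn):
            continue
        patterns = st["Condition"]["ArnNotLike"]["aws:PrincipalARN"]
        patterns = [patterns] if isinstance(patterns, str) else patterns
        if any(arn_like(p, principal_arn) for p in patterns):
            continue  # caller matches the exemption, so ArnNotLike is false
        return True
    return False


if __name__ == "__main__":
    scp = protect_role_scp(PROTECTED_ROLE)
    account = "111122223333"  # assumed account ID
    target = f"arn:aws:iam::{account}:role/{PROTECTED_ROLE}"
    callers = {
        "the protected role itself": target,
        "a look-alike role": f"arn:aws:iam::{account}:role/{PROTECTED_ROLE}2",
        "the account root user": f"arn:aws:iam::{account}:root",
    }
    for who, arn in callers.items():
        verdict = role_change_denied(scp, "iam:UpdateAssumeRolePolicy", target, arn)
        print(f"{who:28} -> {'DENIED' if verdict else 'not denied'}")
```

Two things worth noticing from the output: the member account's root user is denied like anyone else, because SCPs apply to root in member accounts; and the exemption is only as tight as the ARN pattern, so a wildcard such as `role/OrgAdmin*` would also exempt the look-alike role. Whoever can assume the protected role can of course still change it.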
Require Encryption on All Amazon S3 Buckets in an AWS Account

This SCP requires that all Amazon S3 buckets in an AWS account use AES256 (SSE-S3) server-side encryption. Note that Amazon S3 has encrypted new objects with SSE-S3 by default since January 2023, so a policy of this kind now mainly matters for requests that explicitly ask for a different encryption setting.

Formats: CloudFormation, Terraform, AWS CLI
Require Amazon EC2 Instances to Use a Specific Type

This SCP prevents the launch of any EC2 instance type that is not on the policy's allow list (default: t3.micro).

Formats: CloudFormation, Terraform, AWS CLI
Require MFA to Stop an Amazon EC2 Instance

This SCP requires that multi-factor authentication (MFA) is enabled before a principal or root user can stop an Amazon EC2 instance.

Formats: CloudFormation, Terraform, AWS CLI
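The following is an added example, not code from the template collection: it writes the "deny ec2:StopInstances unless MFA is present" condition in two ways and evaluates both against constructed request contexts that mirror what IAM populates for each credential type. It shows why the naive Bool form leaves long-term access keys unrestricted and why the recommended form is BoolIfExists.

```python
# Added example, not part of the template collection: Bool versus BoolIfExists in a
# Deny-unless-MFA SCP. The request contexts in CONTEXTS are constructed samples.


def deny_stop_without_mfa_scp(operator="BoolIfExists"):
    """operator is 'Bool' (the naive form) or 'BoolIfExists' (the safe form)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyStopInstancesWithoutMFA",
            "Effect": "Deny",
            "Action": "ec2:StopInstances",
            "Resource": "*",
            "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


def bool_condition_holds(condition, context):
    """IAM semantics for Bool / BoolIfExists on a key:
    - Bool with the key absent from the context -> false (statement does not apply);
    - BoolIfExists with the key absent -> true (statement applies);
    - key present -> compare the boolean string values."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "Bool":
                    return False
                continue
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def stop_is_denied(policy, context):
    """Deny-only check for ec2:StopInstances against the given request context."""
    for st in policy["Statement"]:
        if st["Effect"] == "Deny" and st["Action"] == "ec2:StopInstances":
            if bool_condition_holds(st["Condition"], context):
                return True
    return False


# Constructed request contexts. IAM populates aws:MultiFactorAuthPresent only for
# temporary credentials; a request signed with long-term access keys carries no key.
CONTEXTS = {
    "role session, MFA used": {"aws:MultiFactorAuthPresent": "true"},
    "role session, no MFA": {"aws:MultiFactorAuthPresent": "false"},
    "long-term access keys": {},
}

if __name__ == "__main__":
    for operator in ("Bool", "BoolIfExists"):
        scp = deny_stop_without_mfa_scp(operator)
        print(f"--- {operator} ---")
        for label, ctx in CONTEXTS.items():
            print(f"{label:24} -> {'DENIED' if stop_is_denied(scp, ctx) else 'not denied'}")
```

The Bool variant denies only the no-MFA role session; a caller using IAM user access keys, where MFA is most likely to be missing, sails through because the key is absent. BoolIfExists treats the absent key as a match and closes that hole.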
Prevent Users from Modifying S3 Block Public Access Settings

This SCP prevents users or roles in any affected account from modifying the S3 Block Public Access Settings in an Account.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Users from Deleting Amazon VPC Flow Logs

This SCP prevents users or roles in any affected account from deleting Amazon VPC flow logs, or the CloudWatch Logs log groups and log streams that receive them.

Formats: CloudFormation, Terraform, AWS CLI
Restrict VPC CIDR to Specific IP Pools from Amazon VPC IPAM (IP Address Manager)

This SCP restricts users in an account of your AWS Organization to creating VPCs with CIDRs from a specific IPv4 pool in Amazon VPC IPAM, and to associating CIDRs from that pool with existing VPCs. Users in the account cannot create VPCs with, or associate with VPCs, CIDRs from any pool other than the one you choose.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Users from Disabling AWS Security Hub in an account

This SCP prevents users or roles in any affected account from disabling AWS Security Hub, deleting member accounts or disassociating an account from its Security Hub administrator account.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Users from Disabling AWS Access Analyzer in an account

This SCP prevents users or roles in any affected account from deleting an IAM Access Analyzer analyzer in an AWS account.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Users from Disabling Amazon Macie in an account

This SCP prevents users or roles in any affected account from disabling Amazon Macie, deleting member accounts or disassociating an account from its Macie administrator account.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Users from Deleting Glacier Vaults or Archives

This SCP prevents users or roles in any affected account from deleting Amazon S3 Glacier vaults or the archives stored in them.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Sharing Resources to External Principals outside the Organization

This SCP prevents users or roles in any affected account from creating AWS Resource Access Manager (RAM) resource shares with external principals outside the organization.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Users from Creating Open Lambda URLs

This SCP prevents users from creating Lambda function URLs that do not require authentication and enforces AWS_IAM authentication on all function URLs.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Users from Deleting and Changing AWS Backup Policies and Vaults

This SCP prevents users or roles in any affected account from deleting or changing AWS Backup policies and vaults.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Modifications to Specific CloudFormation Stacks

This SCP restricts IAM principals in accounts from making changes to specific CloudFormation stacks, with the exception of a specific IAM role (this could be a common administrative IAM role created in all accounts in your organization).

Formats: CloudFormation, Terraform, AWS CLI
Prevent Users from Disabling EBS Default Encryption

This SCP prevents users or roles in any affected account from disabling EBS default encryption.

Formats: CloudFormation, Terraform, AWS CLI
Prevent Modifications to Specific Lambda Functions

This SCP restricts IAM principals in accounts from making changes to specific Lambda functions, with the exception of a specific IAM role (this could be a common administrative IAM role created in all accounts in your organization).

Formats: CloudFormation, Terraform, AWS CLI
Restrict AWS Marketplace Product Subscription Changes to a Privileged Role

This SCP restricts IAM principals in accounts from subscribing to or unsubscribing from AWS Marketplace products, except when the change is made by a specified privileged IAM role (this could be a common administrative IAM role created in all accounts in your organization).

Formats: CloudFormation, Terraform, AWS CLI
Restrict Region Enable/Disable Actions to a Privileged Role

This SCP restricts IAM principals in accounts from enabling or disabling AWS Regions, except when the change is made by a specified privileged IAM role (this could be a common administrative IAM role created in all accounts in your organization).

Formats: CloudFormation, Terraform, AWS CLI
Deny ACL Disablement for All New S3 Buckets

This SCP restricts IAM principals in accounts from creating new S3 buckets unless ACLs are disabled (Object Ownership set to bucket owner enforced).

Formats: CloudFormation, Terraform, AWS CLI
Prevent Modifications to Specific SNS Topics

This SCP restricts IAM principals in accounts from making changes to specific SNS topics, with the exception of a specific IAM role (this could be a common administrative IAM role created in all accounts in your organization).

Formats: CloudFormation, Terraform, AWS CLI
Prevent Users from Creating Default VPC and Subnet

This SCP prevents users or roles in any affected account from creating a default VPC or default subnets.

Formats: CloudFormation, Terraform, AWS CLI
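The following is an added example, not code from the template collection: a pre-flight lint for any of the SCP documents listed above. It applies the syntax rules AWS Organizations enforces when a policy is created or updated (Version, no Principal element, the restrictions on Allow statements, and the 5,120-byte size quota) so that a bad document is caught locally rather than by the API. The two sample policies are constructed for the demonstration.

```python
# Added example, not part of the template collection: lint an SCP document against
# the rules Organizations enforces at CreatePolicy/UpdatePolicy time.
# GOOD_SCP and BAD_SCP are constructed samples, not templates from the collection.
import json

SCP_MAX_BYTES = 5120  # Organizations quota for one SCP document


def minified(policy):
    """The compact form to submit; whitespace in the submitted document counts
    toward the size quota, so measure and ship this form."""
    return json.dumps(policy, separators=(",", ":"))


def lint_scp(policy):
    """Return a list of findings; an empty list means the document passes."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be exactly 2012-10-17")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    if not statements:
        findings.append("Statement must contain at least one statement")
    for i, st in enumerate(statements):
        sid = st.get("Sid", f"statement[{i}]")
        for element in ("Principal", "NotPrincipal"):
            if element in st:
                findings.append(f"{sid}: {element} is not supported in an SCP")
        effect = st.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny")
        if ("Action" in st) == ("NotAction" in st):
            findings.append(f"{sid}: exactly one of Action / NotAction is required")
        if ("Resource" in st) == ("NotResource" in st):
            findings.append(f"{sid}: exactly one of Resource / NotResource is required")
        if effect == "Allow":
            # Allow statements in SCPs are coarse: no conditions, no negation,
            # and Resource must be the wildcard.
            for element in ("Condition", "NotAction", "NotResource"):
                if element in st:
                    findings.append(f"{sid}: Allow statements cannot use {element}")
            if st.get("Resource") not in ("*", ["*"]):
                findings.append(f'{sid}: Allow statements must use Resource "*"')
    size = len(minified(policy).encode("utf-8"))
    if size > SCP_MAX_BYTES:
        findings.append(f"document is {size} bytes, over the {SCP_MAX_BYTES}-byte quota")
    return findings


# Constructed sample: a well-formed Deny SCP in the style of the entries above.
GOOD_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDisablingCloudTrail",
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
        "Resource": "*",
    }],
}

# Constructed sample with mistakes carried over from IAM and resource policies.
BAD_SCP = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "ResourcePolicyHabit", "Effect": "Deny",
         "Principal": {"AWS": "*"}, "Action": "s3:DeleteBucket", "Resource": "*"},
        {"Sid": "ConditionalAllow", "Effect": "Allow", "Action": "ec2:*",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}},
    ],
}

if __name__ == "__main__":
    for name, doc in (("GOOD_SCP", GOOD_SCP), ("BAD_SCP", BAD_SCP)):
        print(name, "->", lint_scp(doc) or "OK")
    print("submit:", minified(GOOD_SCP))
```

The Allow-statement rules are the ones most often tripped over: anything conditional or resource-scoped has to be expressed as a Deny, which is why every SCP in the list above is written as one.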