Service Control Policies

Service Control Policies (SCPs) that can be applied to accounts managed by AWS Organizations. SCPs enable you to restrict, at the account level of granularity, what services and actions the users, groups, and roles in those accounts can do.

This SCP denies access to any operations outside of the specified AWS Region, except for actions in the listed services (These are global services that cannot be whitelisted based on region).

This SCP prevents users or roles in any affected account from disabling a CloudTrail log, either directly as a command or through the console.

This SCP prevents users or roles in any affected account from running AWS Config operations that could disable AWS Config or alter its rules or triggers.

This SCP prevents users or roles in any affected account from running any of the CloudWatch commands that could delete or change your dashboards or alarms.

This SCP prevents users or roles in any affected account from deleting Amazon EC2 flow logs or CloudWatch log groups or log streams.

This SCP prevents users or roles in any affected account from changing the configuration of your Amazon EC2 virtual private clouds (VPCs) to grant them direct access to the internet. It doesn't block existing direct access or any access that routes through your on-premises network environment.

This SCP prevents users or roles in any affected account from modifying network connectivity settings including Internet Gateways, NAT Gateways, or VPC Peering.

This SCP prevents users or roles in any affected account from deleting any S3 bucket or objects.

This SCP requires that all Amazon S3 buckets use AES256 encryption in an AWS Account

This SCP prevents users or roles in any affected account from modifying the S3 Block Public Access Settings in an Account.

This SCP prevents users or roles in any affected account from deleting KMS keys, either directly as a command or through the console.

This SCP prevents users or roles in any affected account from leaving AWS Organizations, either directly as a command or through the console.

This SCP prevents users or roles in any affected account from disabling or modifying Amazon GuardDuty settings, either directly as a command or through the console.

This SCP prevents users or roles in any affected account from modifying the account and billing settings, either directly as a command or through the console.

This SCP restricts IAM principals in accounts from making changes to an IAM role created in an AWS account (This could be a common administrative IAM role created in all accounts in your organization).

This SCP restricts IAM principals in accounts from making changes to an IAM role created in an AWS account except if the change was being done by that specified role(This could be a common administrative IAM role created in all accounts in your organization).

This SCP prevents restricts the root user in an AWS account from taking any action, either directly as a command or through the console.

This SCP prevents the launch of any EC2 instance type that is not whitelisted by the policy (default: t3.micro).

This SCP requires that multi-factor authentication (MFA) is enabled before a principal or root user can stop an Amazon EC2 instance.