Service Control Policies

A repository of AWS Service Control Policy templates and examples that can be deployed using a CloudFormation custom resource, Terraform, or AWS CLI scripts.

Configuration Package

A configuration package to deploy common Service Control Policies (SCPs) from the management (formerly master) account of an AWS Organization. The package includes common SCPs to protect security and logging services (CloudTrail, GuardDuty, Config, CloudWatch, VPC Flow Logs), network connectivity settings, S3 and EC2 security measures, and more. SCPs are created in the management account and attached to organizational units or member accounts; they bound what IAM can grant inside those accounts but never restrict the management account itself.

AWS

This SCP denies any operation outside the specified AWS Regions, except for actions in the listed services. These are global services whose API calls are not Region-scoped, so they cannot be allowed on a per-Region basis and have to be exempted explicitly.
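To make the Region-deny pattern concrete, here is an added example (not one of the repository's templates) that writes such a policy as JSON and evaluates it offline with a small simulator of the Deny-only SCP model. The approved Regions, the list of exempt global services and the FullAWSAccess companion policy are assumptions chosen for the demonstration; the simulator models only the grammar this catalog's policies use (Action/NotAction, Resource, and String*/Bool* operators with the IfExists suffix) and is no substitute for the IAM policy simulator.

```python
"""Offline check of a Region-deny SCP against the Deny-only SCP model.
Added example, not the repository's template. The approved Regions,
the exempt global services and the FullAWSAccess companion policy are
assumptions chosen for the demonstration."""
import fnmatch
import json

# Standard shape of the Region-deny policy: NotAction exempts the global
# services (their calls are not Region-scoped), and aws:RequestedRegion
# is the condition key that carries the Region a request targets.
REGION_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideApprovedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*",
                      "route53:*", "cloudfront:*", "budgets:*", "health:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}},
    }],
}

# The default SCP that Organizations attaches; without some Allow an
# SCP set permits nothing, because SCPs only bound what IAM may grant.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_any(patterns, value):
    """IAM-style wildcard match of value against one or more patterns."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(operator, key, expected, context):
    """Evaluate one String*/Bool* condition. A key absent from the request
    context fails the condition unless the operator carries the IfExists
    suffix (simplified: real IAM has further rules for negated operators)."""
    if key not in context:
        return operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if operator.endswith("IfExists") else operator
    actual = str(context[key])
    values = [str(v) for v in _as_list(expected)]
    if base == "Bool":
        return actual.lower() in [v.lower() for v in values]
    if base == "StringEquals":
        return actual in values
    if base == "StringNotEquals":
        return actual not in values
    if base == "StringLike":
        return _glob_any(values, actual)
    if base == "StringNotLike":
        return not _glob_any(values, actual)
    raise ValueError(f"operator not modelled: {operator}")


def _statement_applies(stmt, action, resource, context):
    action = action.lower()  # action names are matched case-insensitively
    if "Action" in stmt:
        if not _glob_any([p.lower() for p in _as_list(stmt["Action"])], action):
            return False
    elif _glob_any([p.lower() for p in _as_list(stmt["NotAction"])], action):
        return False  # NotAction: the statement covers everything *except* these
    if not _glob_any(stmt["Resource"], resource):
        return False
    return all(_condition_holds(op, key, expected, context)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, expected in pairs.items())


def scp_permits(policies, action, resource="*", context=None):
    """True if the attached SCPs leave `action` available to the account:
    no Deny statement applies and at least one Allow statement does."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(REGION_DENY_SCP, indent=2))
    attached = [FULL_AWS_ACCESS, REGION_DENY_SCP]
    for act, region in [("ec2:RunInstances", "us-east-1"),
                        ("ec2:RunInstances", "eu-west-1"),
                        ("iam:CreateUser", "eu-west-1")]:
        verdict = scp_permits(attached, act, context={"aws:RequestedRegion": region})
        print(f"{act:18} in {region}: {'permitted' if verdict else 'DENIED'}")
```

Attaching the Deny policy on its own permits nothing: an SCP only sets the ceiling, so a member account also needs an Allow such as the default FullAWSAccess, and each principal still needs its own IAM permissions. The management account is never constrained by any of this.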

CloudTrail

This SCP prevents users or roles in any affected account from stopping or disabling CloudTrail logging, whether through the API, CLI or the console.

Config

This SCP prevents users or roles in any affected account from running AWS Config operations that could disable AWS Config or alter its rules or triggers.

CloudWatch

This SCP prevents users or roles in any affected account from running any of the CloudWatch commands that could delete or change your dashboards or alarms.

VPC

This SCP prevents users or roles in any affected account from changing the configuration of your Amazon EC2 virtual private clouds (VPCs) to grant them direct access to the internet. It doesn't block existing direct access or any access that routes through your on-premises network environment.


This SCP restricts IAM principals in an AWS account from creating, updating or deleting Internet Gateways, NAT Gateways, VPC peering connections, VPN Gateways, Client VPN endpoints, Direct Connect resources and Global Accelerator resources.


This SCP restricts IAM principals in an AWS account from creating, updating or deleting Internet Gateways and NAT Gateways.


This SCP prevents users or roles in any affected account from deleting VPC Flow Logs, CloudWatch log groups or log streams.

S3

This SCP prevents users or roles in any affected account from deleting any S3 bucket or object.


This SCP requires that all Amazon S3 buckets in an AWS account use AES256 (SSE-S3) server-side encryption.


This SCP prevents users or roles in any affected account from modifying the account-level S3 Block Public Access settings.

KMS

This SCP prevents users or roles in any affected account from deleting KMS keys (in KMS, scheduling a key for deletion), whether through the API, CLI or the console.

Organizations

This SCP prevents users or roles in any affected account from leaving AWS Organizations, whether through the API, CLI or the console.

GuardDuty

This SCP prevents users or roles in any affected account from disabling or modifying Amazon GuardDuty settings, whether through the API, CLI or the console.

Billing

This SCP prevents users or roles in any affected account from modifying the account and billing settings, whether through the API, CLI or the console.

IAM

This SCP prevents the root user in an AWS account from taking any action, whether through the API, CLI or the console. SCPs do apply to a member account's root user, which makes this one of the few controls that can constrain it.


This SCP restricts IAM principals from creating new IAM users or IAM Access Keys in an AWS account.


This SCP restricts IAM principals from creating new IAM users or IAM access keys in an AWS account, with an exception for a specified administrator IAM role.


This SCP restricts IAM principals in an account from making changes to a specified IAM role (for example, a common administrative role created in every account in your organization).


This SCP restricts IAM principals in an account from making changes to a specified IAM role unless the change is made by that role itself (for example, a common administrative role created in every account in your organization).


This SCP prevents users or roles in any affected account from deleting IAM Access Analyzer analyzers.

EC2

This SCP prevents the launch of any EC2 instance type that is not on the policy's allow list (default: t3.micro).


This SCP requires that multi-factor authentication (MFA) is enabled before a principal or root user can stop an Amazon EC2 instance.
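The instance-type allow list and the MFA requirement above, together with the protected administrator role with a self-exception in the IAM section, share one Deny-with-Condition shape, and a structural mistake in that shape is only reported when the policy is created. This added example, not the repository's own templates, builds the three documents from parameters and lints them against the structural rules Organizations applies to SCPs before they are deployed. The role name, the action lists and the default instance type are placeholders.

```python
"""Build three Deny-style SCPs and lint them before deployment.
Added example, not the repository's templates: role name, action lists
and the default instance type below are placeholders."""
import json

SCP_MAX_CHARS = 5120  # hard limit Organizations enforces on an SCP document
DENY_ONLY_ELEMENTS = ("Condition", "NotAction", "NotResource")  # rejected in Allow statements


def instance_type_allowlist_scp(allowed_types=("t3.micro",)):
    """Deny ec2:RunInstances for any instance type not on the allow list."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnapprovedInstanceTypes",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        # ec2:InstanceType is carried by the instance ARN that RunInstances
        # evaluates, so the Deny is scoped to instance ARNs, as in the AWS
        # reference policies, rather than to "*".
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotEquals": {"ec2:InstanceType": list(allowed_types)}},
    }]}


def mfa_required_scp(actions=("ec2:StopInstances",)):
    """Deny the listed actions unless the caller authenticated with MFA."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyWithoutMFA",
        "Effect": "Deny",
        "Action": list(actions),
        "Resource": "*",
        # BoolIfExists, not Bool: a request signed with long-term access keys
        # carries no aws:MultiFactorAuthPresent key at all, and a plain Bool
        # test on an absent key never matches, so a Bool-based Deny would
        # exempt exactly the callers this policy is meant to catch.
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }]}


def protect_role_scp(role_name, allow_self=True):
    """Deny changes to <role_name> in every account, optionally excepting the
    role itself (for role principals aws:PrincipalARN resolves to the role
    ARN, not the assumed-role session ARN, so the wildcard below matches)."""
    role_arn = f"arn:aws:iam::*:role/{role_name}"
    statement = {
        "Sid": "ProtectAdminRole",
        "Effect": "Deny",
        "Action": ["iam:AttachRolePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy",
                   "iam:DetachRolePolicy", "iam:PutRolePolicy", "iam:UpdateRole",
                   "iam:UpdateAssumeRolePolicy", "iam:UpdateRoleDescription"],
        "Resource": role_arn,
    }
    if allow_self:
        statement["Condition"] = {"StringNotLike": {"aws:PrincipalARN": role_arn}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def lint_scp(doc):
    """Return the SCP grammar violations in `doc` (an empty list means clean).
    Checks size, Version, the Principal ban, and the Allow-statement
    restrictions (Resource must be "*"; no Condition/NotAction/NotResource)."""
    problems = []
    size = len(json.dumps(doc, separators=(",", ":")))
    if size > SCP_MAX_CHARS:
        problems.append(f"document is {size} characters, limit is {SCP_MAX_CHARS}")
    if doc.get("Version") != "2012-10-17":
        problems.append('Version must be "2012-10-17"')
    for i, s in enumerate(doc.get("Statement", [])):
        where = s.get("Sid", f"Statement[{i}]")
        if "Principal" in s or "NotPrincipal" in s:
            problems.append(f"{where}: Principal/NotPrincipal are not supported in SCPs")
        if "Action" not in s and "NotAction" not in s:
            problems.append(f"{where}: needs Action or NotAction")
        if s.get("Effect") == "Allow":
            for element in DENY_ONLY_ELEMENTS:
                if element in s:
                    problems.append(f"{where}: {element} is only supported in Deny statements")
            if s.get("Resource") != "*":
                problems.append(f'{where}: Allow statements must use Resource "*"')
        elif s.get("Effect") != "Deny":
            problems.append(f"{where}: Effect must be Allow or Deny")
    return problems


if __name__ == "__main__":
    for policy in (instance_type_allowlist_scp(), mfa_required_scp(),
                   protect_role_scp("OrgAdminRole")):
        print(policy["Statement"][0]["Sid"], "->", lint_scp(policy) or "ok")
        print(json.dumps(policy, indent=2))
```

Run the linter on every template before `create-policy`; it catches the cases Organizations rejects (a Principal element, a Condition or a scoped Resource on an Allow statement, an oversized document) without a round trip to the API. The `allow_self` exception relies on aws:PrincipalARN carrying the role ARN for role sessions; principals other than the protected role, including administrators using a different role, are denied.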

Security Hub

This SCP prevents users or roles in any affected account from disabling AWS Security Hub, deleting member accounts or disassociating an account from the Security Hub administrator account.

Macie

This SCP prevents users or roles in any affected account from disabling Amazon Macie, deleting member accounts or disassociating an account from the Macie administrator account.

RAM

This SCP prevents users or roles in any affected account from creating resource shares with AWS RAM that are shared with principals outside the organization.
