Service Control Policies

Service Control Policies (SCPs) can be applied to accounts managed by AWS Organizations. SCPs enable you to restrict, at the account level of granularity, which services and actions the users, groups, and roles in those accounts can use.

CloudTrail
Prevent Users from Disabling AWS CloudTrail
Service Control Policy
This SCP prevents users or roles in any affected account from disabling a CloudTrail log, either directly as a command or through the console.
Config
Prevent Users from Disabling AWS Config or Changing Its Rules
Service Control Policy
This SCP prevents users or roles in any affected account from running AWS Config operations that could disable AWS Config or alter its rules or triggers.
CloudWatch
Prevent Users from Disabling Amazon CloudWatch or Altering Its Configuration
Service Control Policy
This SCP prevents users or roles in any affected account from running any of the CloudWatch commands that could delete or change your dashboards or alarms.
VPC
Prevent Users from Deleting Amazon VPC Flow Logs
Service Control Policy
This SCP prevents users or roles in any affected account from deleting Amazon EC2 flow logs or CloudWatch log groups or log streams.
Flow Logs
Prevent Any VPC That Doesn't Already Have Internet Access from Getting It
Service Control Policy
This SCP prevents users or roles in any affected account from changing the configuration of your Amazon EC2 virtual private clouds (VPCs) to grant them direct access to the internet. It doesn't block existing direct access or any access that routes through your on-premises network environment.
Prevent Users from Modifying Network Connectivity Settings: Internet Gateway, NAT Gateway or VPC Peering Settings
Service Control Policy
This SCP prevents users or roles in any affected account from modifying network connectivity settings including Internet Gateways, NAT Gateways, or VPC Peering.
S3
Prevent Users from Deleting S3 Buckets or Objects
Service Control Policy
This SCP prevents users or roles in any affected account from deleting any S3 bucket or objects.
KMS
Prevent Users from Deleting KMS Keys
Service Control Policy
This SCP prevents users or roles in any affected account from deleting KMS keys, either directly as a command or through the console.
Organizations
Prevent Users from Leaving AWS Organizations
Service Control Policy
This SCP prevents users or roles in any affected account from leaving AWS Organizations, either directly as a command or through the console.
GuardDuty
Prevent Users from Disabling or Modifying Amazon GuardDuty Settings
Service Control Policy
This SCP prevents users or roles in any affected account from disabling or modifying Amazon GuardDuty settings, either directly as a command or through the console.
Billing
Prevent Users from Modifying Account and Billing Settings
Service Control Policy
This SCP prevents users or roles in any affected account from modifying the account and billing settings, either directly as a command or through the console.