Service Control Policies

Service Control Policies (SCPs) can be applied to accounts managed by AWS Organizations. SCPs enable you to restrict, at the account level of granularity, which services and actions the users, groups, and roles in those accounts can use.

Configuration Package
Multiple SCPs Package
Configuration Package
A configuration package to deploy common Service Control Policies (SCPs) in the master account of an AWS Organization. The package includes common SCPs to protect security and logging services (CloudTrail, GuardDuty, Config, CloudWatch, VPC Flow Logs), network connectivity settings, S3 and EC2 security measures, and more.
AWS
Whitelist Access to AWS Based on the Requested Region
Service Control Policy
This SCP denies access to any operations outside of the specified AWS Region, except for actions in the listed services (these are global services that cannot be whitelisted based on region).
CloudTrail
Prevent Users from Disabling AWS CloudTrail
Service Control Policy
This SCP prevents users or roles in any affected account from disabling a CloudTrail log, either directly as a command or through the console.
Config
Prevent Users from Disabling AWS Config or Changing Its Rules
Service Control Policy
This SCP prevents users or roles in any affected account from running AWS Config operations that could disable AWS Config or alter its rules or triggers.
CloudWatch
Prevent Users from Disabling Amazon CloudWatch or Altering Its Configuration
Service Control Policy
This SCP prevents users or roles in any affected account from running any of the CloudWatch commands that could delete or change your dashboards or alarms.
VPC
Prevent Any VPC That Doesn't Already Have Internet Access from Getting It
Service Control Policy
This SCP prevents users or roles in any affected account from changing the configuration of your Amazon EC2 virtual private clouds (VPCs) to grant them direct access to the internet. It doesn't block existing direct access or any access that routes through your on-premises network environment.
Protect VPC Connectivity Settings from Modification
Service Control Policy
This SCP restricts IAM principals in an AWS account from creating, updating, or deleting settings for Internet Gateways, NAT Gateways, VPC Peering, VPN Gateways, Client VPNs, Direct Connect, and Global Accelerator.
Protect VPC Internet and NAT Gateway Settings from any Modifications
Service Control Policy
This SCP restricts IAM principals in an AWS account from creating, updating, or deleting Internet Gateways and NAT Gateways.
Prevent Users from Deleting Amazon VPC Flow Logs
Service Control Policy
This SCP prevents users or roles in any affected account from deleting Amazon EC2 flow logs, CloudWatch log groups, or log streams.
Flow Logs
S3
Prevent Users from Deleting S3 Buckets or Objects
Service Control Policy
This SCP prevents users or roles in any affected account from deleting any S3 bucket or objects.
Require Encryption on All Amazon S3 Buckets in an AWS Account
Service Control Policy
This SCP requires that all Amazon S3 buckets in an AWS account use AES256 encryption.
encryption
Prevent Users from Modifying S3 Block Public Access Settings
Service Control Policy
This SCP prevents users or roles in any affected account from modifying the S3 Block Public Access Settings in an Account.
KMS
Prevent Users from Deleting KMS Keys
Service Control Policy
This SCP prevents users or roles in any affected account from deleting KMS keys, either directly as a command or through the console.
Organizations
Prevent Users from leaving AWS Organizations
Service Control Policy
This SCP prevents users or roles in any affected account from leaving AWS Organizations, either directly as a command or through the console.
GuardDuty
Prevent Users from Disabling or Modifying Amazon GuardDuty Settings
Service Control Policy
This SCP prevents users or roles in any affected account from disabling or modifying Amazon GuardDuty settings, either directly as a command or through the console.
Billing
Prevent Users from Modifying Account and Billing Settings
Service Control Policy
This SCP prevents users or roles in any affected account from modifying the account and billing settings, either directly as a command or through the console.
IAM
Restrict the Use of the Root User in an AWS Account
Service Control Policy
This SCP restricts the root user in an AWS account from taking any action, either directly as a command or through the console.
Prevent Creation of New IAM Users or Access Keys
Service Control Policy
This SCP restricts IAM principals from creating new IAM users or IAM Access Keys in an AWS account.
Prevent Creation of New IAM Users or Access Keys with an Exception for an Administrator Role
Service Control Policy
This SCP restricts IAM principals from creating new IAM users or IAM Access Keys in an AWS account with an exception for a specified Administrator IAM role.
Prevent IAM Changes to a Specified IAM Role
Service Control Policy
This SCP restricts IAM principals in accounts from making changes to an IAM role created in an AWS account (this could be a common administrative IAM role created in all accounts in your organization).
Prevent IAM Changes to a Specified IAM Role with the Exception of that Role
Service Control Policy
This SCP restricts IAM principals in accounts from making changes to an IAM role created in an AWS account, except when the change is made by that specified role itself (this could be a common administrative IAM role created in all accounts in your organization).
EC2
Require Amazon EC2 Instances to Use a Specific Type
Service Control Policy
This SCP prevents the launch of any EC2 instance type that is not whitelisted by the policy (default: t3.micro).
Require MFA to Stop an Amazon EC2 Instance
Service Control Policy
This SCP requires that multi-factor authentication (MFA) is enabled before a principal or root user can stop an Amazon EC2 instance.
MFA