Service Control Policies

Service Control Policies (SCPs) that can be applied to accounts managed by AWS Organizations. SCPs enable you to restrict, at the account level of granularity, what services and actions the users, groups, and roles in those accounts can do.

This SCP prevents users or roles in any affected account from disabling a CloudTrail log, either directly as a command or through the console.

This SCP prevents users or roles in any affected account from running AWS Config operations that could disable AWS Config or alter its rules or triggers.

This SCP prevents users or roles in any affected account from running any of the CloudWatch commands that could delete or change your dashboards or alarms.

This SCP prevents users or roles in any affected account from deleting Amazon EC2 flow logs or CloudWatch log groups or log streams.

This SCP prevents users or roles in any affected account from changing the configuration of your Amazon EC2 virtual private clouds (VPCs) to grant them direct access to the internet. It doesn't block existing direct access or any access that routes through your on-premises network environment.

This SCP prevents users or roles in any affected account from modifying network connectivity settings including Internet Gateways, NAT Gateways, or VPC Peering.

This SCP prevents users or roles in any affected account from deleting any S3 bucket or objects.

This SCP prevents users or roles in any affected account from deleting KMS keys, either directly as a command or through the console.

This SCP prevents users or roles in any affected account from leaving AWS Organizations, either directly as a command or through the console.

This SCP prevents users or roles in any affected account from disabling or modifying Amazon GuardDuty settings, either directly as a command or through the console.

This SCP prevents users or roles in any affected account from modifying the account and billing settings, either directly as a command or through the console.