You must be logged in to view saved presets
My Saved Presets
Security Controls
AWS Services
VPC Security Controls
EC2 Security Controls
IAM Security Controls
S3 Security Controls
RDS Security Controls
OpenSearch/Elasticsearch Security Controls
EFS Security Controls
Route53 Security Controls
Amazon DynamoDB & DAX
ECR Security Controls
EMR Security
Lambda Security
CloudFormation Security
CodeX Security Controls
CloudFront Security
AWS Certificate Manager (ACM) Security
Amazon GuardDuty
Amazon Inspector
AWS Security Hub
AWS Network FirewallRoute53 Resolver Security
Amazon Macie
AWS WAF & Shield
AWS Secrets Manager
AWS Systems Manager
AWS KMS
AWS SSO
Load Balancers & Auto Scaling
RDS Event Subscriptions
AWS Resource Access Manager (RAM)
Amazon ECS
Amazon EKS
Amazon API Gateway
AWS AppConfig
Amazon AppFlow
AWS App Mesh
AWS App Runner
AWS AppSync
Application Auto Scaling
Amazon Athena
AWS Batch
AWS Billing Conductor
AWS Clean Rooms
AWS SNS
AWS SQS
AWS Service Discovery
AWS Step Functions
AWS CloudTrail
AWS Config
Amazon EventBridge
AWS CloudWatch
AWS Cognito
Amazon Connect
AWS Glue
AWS Data Pipeline & Data Sync
Amazon Detective
AWS DevOps Guru
Amazon DocumentDB
Amazon ElastiCache
AWS Elastic Beanstalk
Amazon FSx
Amazon MQ
Amazon PrometheusAmazon Cassandra
Amazon FinSpace
AWS Fault Injection Simulator
Amazon GameLift
AWS Global Accelerator
Amazon Grafana
AWS IoT GreenGrass
AWS IoT Services
AWS Ground Station
Amazon IVS (Interactive Live Streams)
Amazon Kinesis
AWS LakeFormation
Amazon Lookout
Amazon Managed Blockchain
AWS Media Services
AWS Managed Apache Airflow
AWS OpsWorks
AWS Organizations
Amazon Personalize
Amazon QLDB
Amazon Redshift
Amazon Rekognition
AWS Resource ExplorerAWS Resource Groups
Amazon Lex & Alexa
AWS RoboMaker
Amazon SageMaker
AWS Service Catalog
Amazon SES
AWS SimSpace Weaver
AWS Support App
AWS Transfer
AWS X-Ray
AWS Amplify
AWS Appstream
AWS Audit ManagerAmazon Bedrock
AWS Cloud9
AWS CloudHSM
Amazon Neptune
Amazon QuicksightReference Guides
Configuration Packages
Guided Walkthroughs
Service Control Policies
A repository of AWS Service Control Policy templates and examples that can be deployed using CloudFormation custom resource or AWS CLI scripts.
AWS
Whitelist Access to AWS Based on the Requested Region
This SCP denies access to any operations outside of the specified AWS Region, except for actions in the listed services (These are global services that cannot be whitelisted based on region).
Restrict Region Enable/Disable Actions to a Privileged Role
This SCP restricts IAM principals in accounts from enabling/disabling AWS regions except if the change was being done by that specified role(This could be a common administrative IAM role created in all accounts in your organization)
VPC
Prevent Any VPC That Doesn't Already Have Internet Access from Getting It
This SCP prevents users or roles in any affected account from changing the configuration of your Amazon EC2 virtual private clouds (VPCs) to grant them direct access to the internet. It doesn't block existing direct access or any access that routes through your on-premises network environment.
Protect VPC Connectivity Settings from Modification
This SCP restricts IAM principals in an AWS account from changing creating, updating or deleting settings for Internet Gateways, NAT Gateways, VPC Peering, VPN Gateways, Client VPNs, Direct Connect and Global Accelerator.
Protect VPC Internet and NAT Gateway Settings from any Modifications
This SCP restricts IAM principals in an AWS account from changing creating, updating or deleting Internet Gateways and NAT Gateways.
Prevent Users from Deleting Amazon VPC Flow Logs
This SCP prevents users or roles in any affected account from deleting Amazon EC2 flow logs or CloudWatch log groups or log streams.
Restrict VPC CIDR to Specific IP Pools from Amazon VPC IPAM (IP Address Manager)
This SCP restrict users in your AWS Organizations account to creating VPCs with CIDRs from a specific IPv4 pool and associating CIDRs to the VPCs from the pool. Users in the account will not be able to create VPCs with CIDRs or associate CIDRs to VPCs from any other pools from the one you choose.
Prevent Users from Creating Default VPC and Subnet
This SCP prevents users or roles in any affected account from creating a default VPC or Subnets
S3
Prevent Users from Deleting S3 Buckets or Objects
This SCP prevents users or roles in any affected account from deleting any S3 bucket or objects.
Prevent Users Accessing S3 Reources Outside an AWS Organization
This SCP prevents users or roles in any affected account from accessing any S3 objects outside the specified AWS Organization
Require Encryption on All Amazon S3 Buckets in an AWS Account
This SCP requires that all Amazon S3 buckets use AES256 encryption in an AWS Account
Prevent Users from Modifying S3 Block Public Access Settings
This SCP prevents users or roles in any affected account from modifying the S3 Block Public Access Settings in an Account.
Prevent Users from Deleting Glacier Vaults or Archives
This SCP prevents users or roles in any affected account from disabling Amazon Macie, deleting member accounts or disassociating an account from a master Macie account.
Deny ACL Disablement for All New S3 Buckets
This SCP restricts IAM principals in accounts from creating new S3 buckets without ACLs disabled (bucket owner enforced)
IAM
Restrict the Use of the Root User in an AWS Account
This SCP prevents restricts the root user in an AWS account from taking any action, either directly as a command or through the console.
Prevent Creation of New IAM Users or Access Keys
This SCP restricts IAM principals from creating new IAM users or IAM Access Keys in an AWS account.
Prevent Creation of New IAM Users or Access Keys with an Exception for an Administrator Role
This SCP restricts IAM principals from creating new IAM users or IAM Access Keys in an AWS account with an exception for a specified Administrator IAM role.
Prevent Modification of IAM Password Policy with an Exception for an Administrator Role
This SCP restricts IAM principals from modifying existing IAM password policies in an AWS account with an exception for a specified Administrator IAM role.
Prevent IAM Changes to a Specified IAM Role
This SCP restricts IAM principals in accounts from making changes to an IAM role created in an AWS account (This could be a common administrative IAM role created in all accounts in your organization).
Prevent IAM Changes to a Specified IAM Role with the Exception of that Role
This SCP restricts IAM principals in accounts from making changes to an IAM role created in an AWS account except if the change was being done by that specified role(This could be a common administrative IAM role created in all accounts in your organization).
Prevent Users from Disabling AWS Access Analyzer in an account
This SCP prevents users or roles in any affected account from deleting AWS Access Analyzer in an AWS account.
EC2
Require Amazon EC2 Instances to Use a Specific Type
This SCP prevents the launch of any EC2 instance type that is not whitelisted by the policy (default: t3.micro).
Require MFA to Stop an Amazon EC2 Instance
This SCP requires that multi-factor authentication (MFA) is enabled before a principal or root user can stop an Amazon EC2 instance.
Prevent Users from Disabling EBS Default Encryption
This SCP prevents users or roles in any affected account from disabling ebs default encryption
Lambda
Prevent Users from Creating Open Lambda URLs
This SCP prevents users from creating open Lambda HTTP URLs that do not required authentication and enforces AWS_IAM authentication on all Lambda URLs
Prevent Modifications to Specific Lambda Functions
This SCP restricts IAM principals in accounts from making changes to specific Lambda Functions with the exception of a specific IAM role (This could be a common administrative IAM role created in all accounts in your organization)
© 2025 asecurecloud. All rights reserved.