You must be logged in to view saved presets
Service Control Policies
Common Service Control Policies (SCPs) Package
A configuration package to deploy common Service Control Policies (SCPs) in the master account of an AWS Organization. The SCPs are grouped for different security domains and services: See full SCP Repository to browse individual SCP policies.
Premium: Get a security assessment for your AWS Organization and Accounts
A premium subscription is required for this contentYou can browse all Service Control Policies in our repository for free! Go to Library
Items
4
Size
2.3 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
ScpPolicy1:
Type: 'AWS::Organizations::Policy'
Properties:
Name: scp_account_protection
Content: '{"Version":"2012-10-17","Statement":[{"Action":"*","Resource":"*","Effect":"Deny","Condition":{"StringLike":{"aws:PrincipalArn":["arn:aws:iam::*:root"]}}},{"Action":["organizations:LeaveOrganization"],"Resource":"*","Effect":"Deny"},{"Action":["aws-portal:ModifyAccount","aws-portal:ModifyBilling","aws-portal:ModifyPaymentMethods"],"Resource":"*","Effect":"Deny"}]}'
Type: SERVICE_CONTROL_POLICY
Description: scp_account_protection
ScpPolicy2:
Type: 'AWS::Organizations::Policy'
Properties:
Name: scp_logging_services_protection
Content: '{"Version":"2012-10-17","Statement":[{"Action":["cloudtrail:StopLogging","cloudtrail:DeleteTrail"],"Resource":"*","Effect":"Deny"},{"Action":["config:DeleteConfigRule","config:DeleteConfigurationRecorder","config:DeleteDeliveryChannel","config:StopConfigurationRecorder"],"Resource":"*","Effect":"Deny"},{"Action":["guardduty:DeleteDetector","guardduty:DeleteInvitations","guardduty:DeleteIPSet","guardduty:DeleteMembers","guardduty:DeleteThreatIntelSet","guardduty:DisassociateFromMasterAccount","guardduty:DisassociateMembers","guardduty:StopMonitoringMembers","guardduty:UpdateDetector"],"Resource":"*","Effect":"Deny"},{"Action":["securityhub:DeleteInvitations","securityhub:DisableSecurityHub","securityhub:DisassociateFromMasterAccount","securityhub:DeleteMembers","securityhub:DisassociateMembers"],"Resource":"*","Effect":"Deny"}]}'
Type: SERVICE_CONTROL_POLICY
Description: scp_logging_services_protection
ScpPolicy3:
Type: 'AWS::Organizations::Policy'
Properties:
Name: scp_iam_protection
Content: '{"Version":"2012-10-17","Statement":[{"Action":["iam:CreateUser","iam:CreateAccessKey"],"Resource":["*"],"Effect":"Deny"}]}'
Type: SERVICE_CONTROL_POLICY
Description: scp_iam_protection
ScpPolicy4:
Type: 'AWS::Organizations::Policy'
Properties:
Name: scp_s3_protection
Content: '{"Version":"2012-10-17","Statement":[{"Action":["s3:PutAccountPublicAccessBlock"],"Resource":"*","Effect":"Deny"}]}'
Type: SERVICE_CONTROL_POLICY
Description: scp_s3_protection
Parameters: {}
Metadata: {}
Conditions: {}
© 2025 asecurecloud. All rights reserved.