40 Powerful SCPs for AWS Organizations

Bhanu Reddy
13 min readFeb 21, 2023

AWS Organizations is a management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations includes account management and consolidated billing capabilities that enable you to better meet the budgetary, security, and compliance needs of your business. You can create accounts in your organization and also invite existing accounts to join the organization.


One of the features of AWS Organizations is service control policies (SCPs), which set the maximum permissions for the member accounts in the organization. Using SCPs, you can restrict which AWS services, resources, and individual API actions the users and roles in each member account can access, and you can attach conditions that say when a restriction applies. Two points to keep in mind throughout this list: an SCP never grants a permission by itself (the principal still needs an IAM policy that allows the action), and SCPs do not apply to the management account, so keep workloads out of it.

Here are the 40 powerful SCPs that you can implement on top of your AWS organization, OU, and AWS accounts to secure your AWS cloud infrastructure.

1. Allow only approved services
The default SCP is FullAWSAccess, which allows * on *. The only time your SCPs should include an Allow statement is in that policy or in a custom allow list like the one below. Allow statements in SCPs cannot carry a Condition, a NotAction, or a Resource other than "*", so an allow list is simply a list of service prefixes: those that meet a compliance requirement (HIPAA, for example) or that the security team has otherwise approved. When you attach an allow list, detach FullAWSAccess from the same root, OU, or account. An action passes a level of the hierarchy if any SCP attached at that level allows it, so leaving FullAWSAccess in place turns the allow list into a no-op.
{    
"Version": "2012-10-17",
"Statement": {
"Sid": "AllowList",
"Effect": "Allow",
"Action": ["a4b:*","access-analyzer:*","account:*","acm:*","acm-pca:*","amplify:*","apigateway:*","application-autoscaling:*","applicationinsights:*","appmesh:*","appmesh-preview:*","appstream:*","appsync:*","arsenal:*","artifact:*","athena:*","autoscaling:*","autoscaling-plans:*","aws-marketplace:*","aws-marketplace-management:*","aws-portal:*","backup:*","backup-storage:*","batch:*","budgets:*","cassandra:*","ce:*","chatbot:*","chime:*","cloud9:*","clouddirectory:*","cloudformation:*","cloudfront:*","cloudhsm:*","cloudsearch:*","cloudtrail:*","cloudwatch:*","codebuild:*","codecommit:*","codedeploy:*","codeguru-profiler:*","codeguru-reviewer:*","codepipeline:*","codestar:*","codestar-notifications:*","cognito-identity:*","cognito-idp:*","cognito-sync:*","comprehend:*","comprehendmedical:*","compute-optimizer:*","config:*","connect:*","cur:*","dataexchange:*","datapipeline:*","datasync:*","dax:*","dbqms:*","deeplens:*","deepracer:*","detective:*","devicefarm:*","directconnect:*","discovery:*","dlm:*","dms:*","ds:*","dynamodb:*","ebs:*","ec2:*","ec2-instance-connect:*","ec2messages:*","ecr:*","ecs:*","eks:*","elastic-inference:*","elasticache:*","elasticbeanstalk:*","elasticfilesystem:*","elasticloadbalancing:*","elasticmapreduce:*","elastictranscoder:*","es:*","events:*","execute-api:*","firehose:*","fms:*","forecast:*","frauddetector:*","freertos:*","fsx:*","gamelift:*","glacier:*","globalaccelerator:*","glue:*","greengrass:*","groundstation:*","groundtruthlabeling:*","guardduty:*","health:*","iam:*","imagebuilder:*","importexport:*","inspector:*","iot:*","iot-device-tester:*","iot1click:*","iotanalytics:*","iotevents:*","iotsitewise:*","iotthingsgraph:*","kafka:*","kendra:*","kinesis:*","kinesisanalytics:*","kinesisvideo:*","kms:*","lakeformation:*","lambda:*","launchwizard:*","lex:*","license-manager:*","lightsail:*","logs:*","machinelearning:*","macie:*","managedblockchain:*","mechanicalturk:*","mediaconnect:*","mediaconvert:*","medialive:*","mediapackage:*","mediapackage-vod:*","mediastore:*","mediatailor:*","mgh:*","mobileanalytics:*","mobilehub:*","mobiletargeting:*","mq:*","neptune-db:*","networkmanager:*","opsworks:*","opsworks-cm:*","organizations:*","outposts:*","personalize:*","pi:*","polly:*","pricing:*","qldb:*","quicksight:*","ram:*","rds:*","rds-data:*","rds-db:*","redshift:*","rekognition:*","resource-groups:*","robomaker:*","route53:*","route53domains:*","route53resolver:*","s3:*","sagemaker:*","savingsplans:*","schemas:*","sdb:*","secretsmanager:*","securityhub:*","serverlessrepo:*","servicecatalog:*","servicediscovery:*","servicequotas:*","ses:*","shield:*","signer:*","sms:*","sms-voice:*","snowball:*","sns:*","sqs:*","ssm:*","ssmmessages:*","sso:*","sso-directory:*","states:*","storagegateway:*","sts:*","sumerian:*","support:*","swf:*","synthetics:*","tag:*","textract:*","transcribe:*","transfer:*","translate:*","trustedadvisor:*","waf:*","waf-regional:*","wafv2:*","wam:*","wellarchitected:*","workdocs:*","worklink:*","workmail:*","workmailmessageflow:*","workspaces:*","xray:*"],
"Resource": "*"
}
}

2. Deny root user access
AWS Control Tower ships a guardrail that denies the root user of member accounts, and it is worth copying. It shrinks the blast radius of a root credential leak or a password-recovery takeover, because even a successful root login cannot call any API. It does not remove the need for MFA on root: password recovery and MFA management are console flows rather than API calls, and a few root-only tasks (changing the support plan, for example) are not governed by SCPs at all. Keep root MFA enabled and store the device with the account's break-glass material.

{
"Version": "2012-10-17",
"Statement": {
"Sid": "DenyRootUser",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" }
}
}
}

3. Require the use of IMDSv2
IMDSv2 is the session-oriented version of the EC2 instance metadata service. A caller must first obtain a token with an HTTP PUT that carries a TTL header and then present that token on every GET, and the default hop limit of 1 stops the token response from crossing an extra network hop such as a container's NAT. That exchange is exactly what a typical SSRF, misconfigured reverse proxy, or open WAF cannot perform, so stealing the instance role's credentials requires real code execution on the host rather than a single forged request. This SCP denies any API call made with credentials that were delivered by IMDSv1. Pair it with a Deny on ec2:RunInstances conditioned on ec2:MetadataHttpTokens not being "required", so new instances cannot be launched with IMDSv1 enabled at all.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RequireAllEc2RolesToUseV2",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NumericLessThan": {
"ec2:RoleDelivery": "2.0"
}
}
}
]
}
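To make the token exchange concrete, here is an added example (not code from the original post or from AWS) that stands up a small mock of the metadata endpoint on localhost with constructed fake credentials, then fetches the role credentials the IMDSv1 way (a bare GET, which is all a typical SSRF can issue) and the IMDSv2 way (PUT for a token, then GET with the token attached). With tokens required, which is what HttpTokens=required configures on a real instance, the bare GET is refused with 401 while the token flow succeeds; with tokens optional, the bare GET is served. The port, role name and credential values are assumptions; nothing here contacts 169.254.169.254.

```python
"""Mock of the EC2 instance metadata service showing why IMDSv2 resists SSRF.

Added example, not part of the original article or of AWS's code. The server
below stands in for 169.254.169.254; the credentials it returns are constructed.
"""
import http.server
import json
import secrets
import threading
import urllib.error
import urllib.request

ROLE_NAME = "example-instance-role"  # assumed name of the instance profile role
CREDS_PATH = f"/latest/meta-data/iam/security-credentials/{ROLE_NAME}"
TOKEN_PATH = "/latest/api/token"
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "not-a-real-secret",
              "Token": "not-a-real-session-token"}  # constructed, never valid anywhere

# Opener with no proxy handling so the loopback mock is always reached directly.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class MockImds(http.server.BaseHTTPRequestHandler):
    require_tokens = True   # mirrors HttpTokens=required on the instance
    issued = set()          # session tokens handed out by PUT /latest/api/token

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, code, body=""):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_PUT(self):
        # IMDSv2 step 1: a PUT carrying the TTL header yields a session token.
        if self.path == TOKEN_PATH and self.headers.get("X-aws-ec2-metadata-token-ttl-seconds"):
            token = secrets.token_urlsafe(32)
            MockImds.issued.add(token)
            return self._reply(200, token)
        return self._reply(400)

    def do_GET(self):
        token = self.headers.get("X-aws-ec2-metadata-token")
        if MockImds.require_tokens and token not in MockImds.issued:
            return self._reply(401)   # a v1-style request is refused
        if self.path == CREDS_PATH:
            return self._reply(200, json.dumps(FAKE_CREDS))
        return self._reply(404)


def start_mock(require_tokens=True):
    """Start the mock on a random loopback port; returns (server, base_url)."""
    MockImds.require_tokens = require_tokens
    server = http.server.HTTPServer(("127.0.0.1", 0), MockImds)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def fetch_v1(base_url):
    """What an SSRF usually buys an attacker: one GET with no control over headers."""
    try:
        with _OPENER.open(base_url + CREDS_PATH, timeout=3) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def fetch_v2(base_url):
    """The IMDSv2 handshake: PUT for a token, then GET with the token attached."""
    req = urllib.request.Request(base_url + TOKEN_PATH, method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    with _OPENER.open(req, timeout=3) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(base_url + CREDS_PATH,
                                 headers={"X-aws-ec2-metadata-token": token})
    with _OPENER.open(req, timeout=3) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    server, base = start_mock(require_tokens=True)
    print("v1 GET, tokens required:", fetch_v1(base)[0])        # 401
    print("v2 handshake, tokens required:", fetch_v2(base)[0])  # 200
    server.shutdown()
```

The SCP in item 3 closes the other half of the problem: even if an instance is still launched with tokens optional, credentials obtained through the v1 path are useless against the API.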

4. Deny the ability to create IAM access keys
To avoid long-lived credentials that never expire and eventually leak, some companies ban access keys entirely in favour of roles and federation. This policy denies the creation of IAM users and of access keys. Keys that already exist are unaffected, so inventory and delete those separately before relying on it.

{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": ["iam:CreateAccessKey", "iam:CreateUser"],
"Resource": "*"
}
}

5. Region enforcement
AWS has more than 30 Regions, but most customers run their workloads in one to four of them. This SCP limits the Regions an account may use while exempting services whose APIs are global. Two practical notes before rolling it out: calls to global endpoints resolve to us-east-1 for aws:RequestedRegion, so add sts:* (and any other global service you depend on) to the NotAction list or role assumption through the global STS endpoint will be denied; and AWS's own sample of this policy adds a condition that exempts a named operations role, which is useful when someone has to clean up resources in a Region you are retiring.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RestrictRegion",
"Effect": "Deny",
"NotAction": [
"a4b:*",
"budgets:*",
"ce:*",
"chime:*",
"cloudfront:*",
"cur:*",
"globalaccelerator:*",
"health:*",
"iam:*",
"importexport:*",
"mobileanalytics:*",
"organizations:*",
"route53:*",
"route53domains:*",
"shield:*",
"support:*",
"trustedadvisor:*",
"waf:*",
"wellarchitected:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"ap-southeast-2"
]
}
}
}
]
}
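The policies in items 1, 2, 3 and 5 interact through one evaluation rule: at every level of the tree from the root down to the account, at least one attached SCP must allow the action and none may deny it, and a deny at any level wins regardless of what the levels below say. The following added example (not code from the original post or from AWS) models that rule in Python for those four policies. It is a toy evaluator: the request context is a plain dictionary, Resource matching is skipped, and only the condition operators those policies use are implemented. The org layout, the shortened allow list, the account ID and the principal ARNs are assumptions.

```python
"""Toy model of how AWS Organizations evaluates service control policies.

Added example, not code from the original article or from AWS. Assumptions:
the request context is a plain dict of condition keys, Resource/NotResource
matching is ignored (every statement is treated as Resource "*"), and only the
condition operators used by items 1, 2, 3 and 5 of the article are modelled.
"""
import fnmatch


def _lst(x):
    return x if isinstance(x, list) else [x]


def _like(value, pattern):
    # Action names and ARN patterns match case-insensitively; "*" and "?" are wildcards.
    return fnmatch.fnmatchcase(str(value).lower(), str(pattern).lower())


def _condition_holds(cond, ctx):
    """True when every operator/key pair in a Condition block is satisfied."""
    for op, pairs in cond.items():
        base = op.replace("IfExists", "")
        for key, want in pairs.items():
            want = [str(w).lower() for w in _lst(want)]
            have = ctx.get(key)
            if base == "Null":                      # Null "true" means "key is absent"
                if (have is None) != (want[0] == "true"):
                    return False
                continue
            if have is None:
                # A missing key satisfies ...IfExists and negated operators, fails the rest.
                if op.endswith("IfExists") or "Not" in base:
                    continue
                return False
            have = str(have).lower()
            if base in ("StringEquals", "Bool"):
                ok = have in want
            elif base == "StringLike":
                ok = any(_like(have, w) for w in want)
            elif base == "StringNotEquals":
                ok = have not in want
            elif base == "StringNotLike":
                ok = not any(_like(have, w) for w in want)
            elif base == "NumericLessThan":
                ok = float(have) < float(want[0])
            else:
                raise ValueError(f"operator {op} is not modelled")
            if not ok:
                return False
    return True


def _applies(stmt, action, ctx):
    """Does the statement match this action, and does its Condition hold?"""
    if "Action" in stmt:
        if not any(_like(action, p) for p in _lst(stmt["Action"])):
            return False
    elif "NotAction" in stmt:
        if any(_like(action, p) for p in _lst(stmt["NotAction"])):
            return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def level_allows(scps, action, ctx):
    """One node of the org tree: some attached SCP must Allow and none may Deny."""
    allowed = denied = False
    for scp in scps:
        for stmt in _lst(scp["Statement"]):
            if _applies(stmt, action, ctx):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def scp_permits(hierarchy, action, ctx):
    """hierarchy lists the SCPs attached at the root, at each OU on the path, and on the account.
    The action survives the SCP layer only if every level allows it."""
    return all(level_allows(level, action, ctx) for level in hierarchy)


# Constructed policies mirroring items 1, 2, 3 and 5 (allow list shortened for the example).
FULL_AWS_ACCESS = {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
ALLOW_LIST = {"Statement": {"Effect": "Allow", "Resource": "*",
                            "Action": ["s3:*", "ec2:*", "iam:*", "sts:*", "organizations:*"]}}
DENY_ROOT = {"Statement": {"Effect": "Deny", "Action": "*", "Resource": "*",
                           "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}}
REQUIRE_IMDSV2 = {"Statement": {"Effect": "Deny", "Action": "*", "Resource": "*",
                                "Condition": {"NumericLessThan": {"ec2:RoleDelivery": "2.0"}}}}
RESTRICT_REGION = {"Statement": {"Effect": "Deny", "Resource": "*",
                                 "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
                                 "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ap-southeast-2"]}}}}

# Assumed layout: root -> Workloads OU -> account, with FullAWSAccess detached from the account.
HIERARCHY = [[FULL_AWS_ACCESS, DENY_ROOT],
             [FULL_AWS_ACCESS, RESTRICT_REGION, REQUIRE_IMDSV2],
             [ALLOW_LIST]]
ADMIN = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/Admin",   # assumed account and role
         "aws:RequestedRegion": "ap-southeast-2"}

if __name__ == "__main__":
    print(scp_permits(HIERARCHY, "s3:GetObject", ADMIN))                                          # True
    print(scp_permits(HIERARCHY, "s3:GetObject", {**ADMIN, "aws:RequestedRegion": "us-east-1"}))  # False
    print(scp_permits(HIERARCHY, "sagemaker:CreateNotebookInstance", ADMIN))                      # False
    # Item 1's caveat: FullAWSAccess left beside an allow list makes the list a no-op at that level.
    print(level_allows([FULL_AWS_ACCESS, ALLOW_LIST], "sagemaker:CreateNotebookInstance", ADMIN))  # True
```

The last call is the point made under item 1: with FullAWSAccess still attached beside the allow list, a service missing from the list is still allowed at that level, and only detaching FullAWSAccess makes the list bite. The IMDSv2 policy shows the other side of condition semantics: ec2:RoleDelivery is absent for principals that are not EC2 instance roles, and a missing key never satisfies a positive operator like NumericLessThan, so humans and Lambda roles are untouched.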

6. Deny the ability to leave Organization
Once you’ve done all this hard work of setting guardrails in your account, you want to avoid having the accounts simply leave your organization where they would no longer be restricted by your SCPs, so this protects against that.

{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "organizations:LeaveOrganization",
"Resource": "*"
}
}

7. Deny the ability to make a VPC accessible from the Internet that isn’t already
A good strategy used by some companies is to set up the networking resources for an account as part of the initial account setup and then not allow that to be changed. As part of this, companies will provide sandbox or dev accounts that are not allowed to have publicly accessible network resources.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ec2:AttachInternetGateway",
"ec2:CreateInternetGateway",
"ec2:CreateEgressOnlyInternetGateway",
"ec2:CreateVpcPeeringConnection",
"ec2:AcceptVpcPeeringConnection",
"globalaccelerator:Create*",
"globalaccelerator:Update*"
],
"Resource": "*"
}
]
}

8. Deny the ability to disrupt GuardDuty
GuardDuty is AWS's managed threat detection service. This policy stops it from being turned off or quietly blinded: deleting or reconfiguring the detector, detaching the account from its administrator account, or adding findings filters and trusted IP sets that would suppress findings. Item 21 below is the exhaustive version of the same idea.

{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": [
"guardduty:DeleteDetector",
"guardduty:DisassociateFromMasterAccount",
"guardduty:UpdateDetector",
"guardduty:CreateFilter",
"guardduty:CreateIPSet"
],
"Resource": "*"
}
}

9. Deny the ability to disrupt the EventBridge event collection
The preferred way to forward GuardDuty findings and other real-time events out of member accounts is an Amazon EventBridge rule (formerly CloudWatch Events) that targets a central event bus, so protect that rule from being deleted, disabled, or stripped of its targets. Rules on the default event bus have ARNs of the form arn:aws:events:region:account:rule/rule-name; the bus name appears in the ARN only for rules on a custom bus.

{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": [
"events:DeleteRule",
"events:DisableRule",
"events:RemoveTargets"
],
"Resource": "arn:aws:events:*:*:rule/CHANGEME"
}
}

10. Deny the ability to modify an important IAM role
This policy can be used to deny modifications of an incident response or other security auditing role.

{    
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAccessToASpecificRole",
"Effect": "Deny",
"Action": [
"iam:AttachRolePolicy",
"iam:DeleteRole",
"iam:DeleteRolePermissionsBoundary",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePermissionsBoundary",
"iam:PutRolePolicy",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateRole",
"iam:UpdateRoleDescription"
],
"Resource": [
"arn:aws:iam::*:role/CHANGEME"
]
}
]
}

11. Deny the creation of AWS resources without encryption.
Encryption adds an authorization step, the KMS key policy, in front of the data itself, so when you use AWS KMS with other services you gain another point of control over sensitive data. This statement only covers ec2:CreateVolume. Turn on EBS encryption by default in every account and Region as well, and consider denying ec2:DisableEbsEncryptionByDefault so nobody can switch it back off; volumes created through ec2:RunInstances block device mappings are not caught by this statement alone.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "ec2:CreateVolume",
"Resource": "*",
"Condition": {
"Bool": {
"ec2:Encrypted": "false"
}
}
}
]
}

12. Deny account from leaving the organization
This is the same guardrail as item 6, in the form AWS publishes it. Once an account leaves an organization it is no longer bound by any of that organization's controls, so denying organizations:LeaveOrganization stops someone from moving an account into a different, less restrictive organization (or out of any organization at all) where undesired changes become possible.

 {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"organizations:LeaveOrganization"
],
"Resource": "*"
}
]
}

13. Require Amazon EC2 instances to use a specific type.
With this SCP, any ec2:RunInstances call that does not use the t2.micro instance type is denied. t2.micro is AWS's example value; in practice you would list the family of types you permit, which is a useful cost guardrail for sandbox accounts.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RequireMicroInstanceType",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringNotEquals": {
"ec2:InstanceType": "t2.micro"
}
}
}
]
}

14. Require MFA to perform an API action.
Use an SCP like the following to require that multi-factor authentication (MFA) was used before an IAM user or role can perform an action. In this example, the actions are stopping and terminating an Amazon EC2 instance. BoolIfExists matters here: requests made with long-term access keys carry no aws:MultiFactorAuthPresent key at all, and the IfExists form treats that absence as a match, so such requests are denied too.

 {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyStopAndTerminateWhenMFAIsNotPresent",
"Effect": "Deny",
"Action": [
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "*",
"Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": false}}
}
]
}

15. Block S3 bucket public access.
No S3 bucket should be readable by everyone. Turn on the account-level S3 Block Public Access setting in every account, then use this SCP to stop anyone turning it back off: it denies s3:PutAccountPublicAccessBlock, the API that changes the account-wide setting. The policy does not make a bucket private by itself, so enable the setting first (for example during account creation) and let this SCP keep it that way.

 {    
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"s3:PutAccountPublicAccessBlock"
],
"Resource": [
"*"
]
}
]
}

16. Prevent IAM users and roles from making certain changes
This SCP restricts IAM users and roles from making changes to the specified IAM role that you created in all accounts in your organization.

{    
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAccessToASpecificRole",
"Effect": "Deny",
"Action": [
"iam:AttachRolePolicy",
"iam:DeleteRole",
"iam:DeleteRolePermissionsBoundary",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePermissionsBoundary",
"iam:PutRolePolicy",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateRole",
"iam:UpdateRoleDescription"
],
"Resource": [
"arn:aws:iam::*:role/name-of-role-to-deny"
]
}
]
}

17. Prevent IAM users and roles from making specified changes, with an exception for a specified admin role.
This SCP prevents IAM users and roles in affected accounts from making changes to a common administrative IAM role created in all accounts in your organization except for administrators using a specified role.

{    
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAccessWithException",
"Effect": "Deny",
"Action": [
"iam:AttachRolePolicy",
"iam:DeleteRole",
"iam:DeleteRolePermissionsBoundary",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePermissionsBoundary",
"iam:PutRolePolicy",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateRole",
"iam:UpdateRoleDescription"
],
"Resource": [
"arn:aws:iam::*:role/name-of-role-to-deny"
],
"Condition": {
"StringNotLike": {
"aws:PrincipalARN":"arn:aws:iam::*:role/name-of-admin-role-to-allow"
}
}
}
]
}

18. Block service access for the root user.
This SCP restricts all access to the specified actions for the root user in a member account. If you want to prevent your accounts from using root credentials in specific ways, add your own actions to this policy.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RestrictEC2ForRoot",
"Effect": "Deny",
"Action": [
"ec2:*"
],
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:root"
]
}
}
}
]
}

19. Prevent users from disabling CloudWatch or altering its configuration.
A lower-level CloudWatch operator needs to monitor dashboards and alarms. However, the operator must not be able to delete or change any dashboard or alarm that senior people might put into place. This SCP prevents users or roles in any affected account from running any of the CloudWatch commands that could delete or change your dashboards or alarms.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"cloudwatch:DeleteAlarms",
"cloudwatch:DeleteDashboards",
"cloudwatch:DisableAlarmActions",
"cloudwatch:PutDashboard",
"cloudwatch:PutMetricAlarm",
"cloudwatch:SetAlarmState"
],
"Resource": "*"
}
]
}

20. Prevent users from disabling AWS Config or changing its rules.
This SCP prevents users or roles in any affected account from running AWS Config operations that could disable AWS Config or alter its rules or triggers.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"config:DeleteConfigRule",
"config:DeleteConfigurationRecorder",
"config:DeleteDeliveryChannel",
"config:StopConfigurationRecorder"
],
"Resource": "*"
}
]
}

21. Prevent users from disabling GuardDuty or modifying its configuration.
This SCP prevents users or roles in any affected account from disabling GuardDuty or altering its configuration, either directly as a command or through the console. It effectively enables read-only access to GuardDuty information and resources.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"guardduty:AcceptInvitation",
"guardduty:ArchiveFindings",
"guardduty:CreateDetector",
"guardduty:CreateFilter",
"guardduty:CreateIPSet",
"guardduty:CreateMembers",
"guardduty:CreatePublishingDestination",
"guardduty:CreateSampleFindings",
"guardduty:CreateThreatIntelSet",
"guardduty:DeclineInvitations",
"guardduty:DeleteDetector",
"guardduty:DeleteFilter",
"guardduty:DeleteInvitations",
"guardduty:DeleteIPSet",
"guardduty:DeleteMembers",
"guardduty:DeletePublishingDestination",
"guardduty:DeleteThreatIntelSet",
"guardduty:DisassociateFromMasterAccount",
"guardduty:DisassociateMembers",
"guardduty:InviteMembers",
"guardduty:StartMonitoringMembers",
"guardduty:StopMonitoringMembers",
"guardduty:TagResource",
"guardduty:UnarchiveFindings",
"guardduty:UntagResource",
"guardduty:UpdateDetector",
"guardduty:UpdateFilter",
"guardduty:UpdateFindingsFeedback",
"guardduty:UpdateIPSet",
"guardduty:UpdatePublishingDestination",
"guardduty:UpdateThreatIntelSet"
],
"Resource": "*"
}
]
}

22. Preventing external sharing.
This SCP prevents users from creating resource shares that allow sharing with IAM users and roles that aren’t part of the organization.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ram:CreateResourceShare",
"ram:UpdateResourceShare"
],
"Resource": "*",
"Condition": {
"Bool": {
"ram:RequestedAllowsExternalPrincipals": "true"
}
}
}
]
}

23. Prevent sharing with organizations or organizational units (OUs).
This SCP prevents users from creating resource shares that share resources with an AWS Organization or OUs.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ram:CreateResourceShare",
"ram:AssociateResourceShare"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringLike": {
"ram:Principal": [
"arn:aws:organizations::*:organization/*",
"arn:aws:organizations::*:ou/*"
]
}
}
}
]
}

24. Allow sharing only with specified principals.
This SCP allows users to share resources with only organization o-12345abcdef, organizational unit ou-98765fedcba, and account 111111111111.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ram:AssociateResourceShare",
"ram:CreateResourceShare"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringNotEquals": {
"ram:Principal": [
"arn:aws:organizations::123456789012:organization/o-12345abcdef",
"arn:aws:organizations::123456789012:ou/o-12345abcdef/ou-98765fedcba",
"111111111111"
]
}
}
}
]
}

25. Require a tag on specified created resources.
This SCP prevents IAM users and roles in the affected accounts from creating certain resource types if the request doesn’t include the specified tags.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyCreateSecretWithNoProjectTag",
"Effect": "Deny",
"Action": "secretsmanager:CreateSecret",
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/Project": "true"
}
}
},
{
"Sid": "DenyRunInstanceWithNoProjectTag",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"Null": {
"aws:RequestTag/Project": "true"
}
}
},
{
"Sid": "DenyCreateSecretWithNoCostCenterTag",
"Effect": "Deny",
"Action": "secretsmanager:CreateSecret",
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/CostCenter": "true"
}
}
},
{
"Sid": "DenyRunInstanceWithNoCostCenterTag",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"Null": {
"aws:RequestTag/CostCenter": "true"
}
}
}
]
}

26. Prevent tags from being modified except by authorized principals.
This shows how a policy can allow only authorized principals to modify the tags attached to your resources. This is an important part of using attribute-based access control (ABAC) as part of your AWS cloud security strategy. The policy allows a caller to modify the tags on only those resources where the authorization tag (in this example, access-project) exactly matches the same authorization tag attached to the user or role making the request. The policy also prevents the authorized user from changing the value of the tag that is used for authorization. The calling principal must have the authorization tag to make any changes at all.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch",
"Effect": "Deny",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": [
"*"
],
"Condition": {
"StringNotEquals": {
"ec2:ResourceTag/access-project": "${aws:PrincipalTag/access-project}",
"aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
},
"Null": {
"ec2:ResourceTag/access-project": false
}
}
},
{
"Sid": "DenyModifyResAuthzTagIfPrinTagDontMatch",
"Effect": "Deny",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": [
"*"
],
"Condition": {
"StringNotEquals": {
"aws:RequestTag/access-project": "${aws:PrincipalTag/access-project}",
"aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"access-project"
]
}
}
},
{
"Sid": "DenyModifyTagsIfPrinTagNotExists",
"Effect": "Deny",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": [
"*"
],
"Condition": {
"StringNotEquals": {
"aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
},
"Null": {
"aws:PrincipalTag/access-project": true
}
}
}
]
}

27. Prevent users from deleting Amazon VPC flow logs.
This SCP prevents users or roles in any affected account from deleting Amazon Elastic Compute Cloud (Amazon EC2) flow logs or CloudWatch log groups or logs streams.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ec2:DeleteFlowLogs",
"logs:DeleteLogGroup",
"logs:DeleteLogStream"
],
"Resource": "*"
}
]
}

28. Prevent any VPC that doesn’t already have internet access from getting it
This SCP prevents users or roles in any affected account from changing the configuration of your Amazon EC2 virtual private clouds (VPCs) to grant them direct access to the internet. It doesn’t block existing direct access or any access that routes through your on-premises network environment.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ec2:AttachInternetGateway",
"ec2:CreateInternetGateway",
"ec2:CreateEgressOnlyInternetGateway",
"ec2:CreateVpcPeeringConnection",
"ec2:AcceptVpcPeeringConnection",
"globalaccelerator:Create*",
"globalaccelerator:Update*"
],
"Resource": "*"
}
]
}

29. Prevent users from disabling AWS CloudTrail.
This SCP prevents users or roles in any affected account from stopping or deleting a CloudTrail trail, either directly as a command or through the console. A trail can also be made useless without stopping it, by changing its destination or event selectors, so consider adding cloudtrail:UpdateTrail and cloudtrail:PutEventSelectors for the organization trail's ARN.

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudtrail:StopLogging",
"cloudtrail:DeleteTrail"
],
"Resource": "*",
"Effect": "Deny"
}
]
}

30. Protect VPC connectivity settings from modification
This SCP restricts IAM principals in an AWS account from creating, updating, or deleting Internet Gateways, NAT Gateways, VPC peering connections, VPN Gateways, Client VPN endpoints, Direct Connect, and Global Accelerator resources.

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:CreateNatGateway",
"ec2:CreateInternetGateway",
"ec2:DeleteNatGateway",
"ec2:AttachInternetGateway",
"ec2:DeleteInternetGateway",
"ec2:DetachInternetGateway",
"ec2:CreateClientVpnRoute",
"ec2:AttachVpnGateway",
"ec2:DisassociateClientVpnTargetNetwork",
"ec2:DeleteClientVpnEndpoint",
"ec2:DeleteVpcPeeringConnection",
"ec2:AcceptVpcPeeringConnection",
"ec2:ModifyClientVpnEndpoint",
"ec2:CreateVpnConnectionRoute",
"ec2:RevokeClientVpnIngress",
"ec2:RejectVpcPeeringConnection",
"ec2:DetachVpnGateway",
"ec2:DeleteVpnConnectionRoute",
"ec2:CreateClientVpnEndpoint",
"ec2:AuthorizeClientVpnIngress",
"ec2:DeleteVpnGateway",
"ec2:TerminateClientVpnConnections",
"ec2:DeleteClientVpnRoute",
"ec2:ModifyVpcPeeringConnectionOptions",
"ec2:CreateVpnGateway",
"ec2:DeleteVpnConnection",
"ec2:CreateVpcPeeringConnection",
"ec2:CreateVpnConnection"
],
"Resource": "*",
"Effect": "Deny"
},
{
"Action": [
"directconnect:CreatePrivateVirtualInterface",
"directconnect:DeleteBGPPeer",
"directconnect:DeleteLag",
"directconnect:AssociateHostedConnection",
"directconnect:CreateInterconnect",
"directconnect:CreatePublicVirtualInterface",
"directconnect:CreateLag",
"directconnect:CreateDirectConnectGateway",
"directconnect:AssociateVirtualInterface",
"directconnect:AllocateConnectionOnInterconnect",
"directconnect:AssociateConnectionWithLag",
"directconnect:AllocatePrivateVirtualInterface",
"directconnect:DeleteInterconnect",
"directconnect:AllocateHostedConnection",
"directconnect:DeleteDirectConnectGateway",
"directconnect:DeleteVirtualInterface",
"directconnect:DeleteDirectConnectGatewayAssociation",
"directconnect:CreateDirectConnectGatewayAssociation",
"directconnect:DeleteConnection",
"directconnect:CreateBGPPeer",
"directconnect:AllocatePublicVirtualInterface",
"directconnect:CreateConnection"
],
"Resource": "*",
"Effect": "Deny"
},
{
"Action": [
"globalaccelerator:DeleteListener",
"globalaccelerator:DeleteAccelerator",
"globalaccelerator:UpdateListener",
"globalaccelerator:UpdateAccelerator",
"globalaccelerator:CreateEndpointGroup",
"globalaccelerator:UpdateAcceleratorAttributes",
"globalaccelerator:UpdateEndpointGroup",
"globalaccelerator:CreateListener",
"globalaccelerator:CreateAccelerator",
"globalaccelerator:DeleteEndpointGroup"
],
"Resource": "*",
"Effect": "Deny"
}
]
}

31. Protect VPC Internet and NAT Gateway settings from modification.
This SCP restricts IAM principals in an AWS account from creating, updating, or deleting Internet Gateways and NAT Gateways. It is the gateway subset of item 30, for accounts where VPN and Direct Connect still need to be managed locally.

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:CreateNatGateway",
"ec2:CreateInternetGateway",
"ec2:DeleteNatGateway",
"ec2:AttachInternetGateway",
"ec2:DeleteInternetGateway",
"ec2:DetachInternetGateway"
],
"Resource": "*",
"Effect": "Deny"
}
]
}

32. Prevent users from creating open Lambda function URLs.
A Lambda function URL created with auth type NONE is reachable by anyone on the internet without credentials. This SCP denies creating or updating a function URL unless its auth type is AWS_IAM, so every function URL in the account requires a signed request.

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"lambda:CreateFunctionUrlConfig",
"lambda:UpdateFunctionUrlConfig"
],
"Resource": "arn:aws:lambda:*:*:function:*",
"Effect": "Deny",
"Condition": {
"StringNotEquals": {
"lambda:FunctionUrlAuthType": "AWS_IAM"
}
}
}
]
}

33. Prevent sharing resources with external principals outside the organization.
This SCP denies any action on an AWS RAM resource share that allows external principals, meaning accounts outside the organization. It complements item 22, which blocks creating such a share in the first place: ram:AllowsExternalPrincipals describes the share being acted on, whereas ram:RequestedAllowsExternalPrincipals describes the value in the request.

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"*"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"Bool": {
"ram:AllowsExternalPrincipals": "true"
}
}
}
]
}

34. Prevent users from modifying account and billing settings.
This SCP prevents users or roles in any affected account from modifying the account, billing, and payment settings, either directly as a command or through the console. AWS has announced fine-grained replacements for the aws-portal actions (billing:*, payments:*, and account:* prefixes); check which set your accounts use and include both during the transition.

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"aws-portal:ModifyAccount",
"aws-portal:ModifyBilling",
"aws-portal:ModifyPaymentMethods"
],
"Resource": "*",
"Effect": "Deny"
}
]
}

35. Prevent Users from Deleting Glacier Vaults or Archives.
This SCP prevents users or roles in any affected account from deleting any S3 Glacier vaults or archives.

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"glacier:DeleteArchive",
"glacier:DeleteVault"
],
"Resource": "*",
"Effect": "Deny"
}
]
}

36. Prevent users from accessing S3 resources outside the AWS Organization.
This SCP denies S3 calls against buckets that belong to a different organization by comparing the resource's organization ID with the caller's. aws:ResourceOrgID is absent when the bucket is not owned by any organization, and a negated operator like StringNotEquals treats a missing key as a match, so those calls are denied as well; switch to StringNotEqualsIfExists if you only want to block resources known to belong elsewhere. Test this one carefully, because workloads that legitimately read public or AWS-owned buckets (package mirrors, public datasets) will need an exception.

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:*"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotEquals": {
"aws:ResourceOrgID": "${aws:PrincipalOrgID}"
}
}
}
]
}

37. Prevent Users from Deleting KMS Keys.
This SCP prevents users or roles in any affected account from deleting KMS keys, either directly as a command or through the console.

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"kms:ScheduleKeyDeletion",
"kms:Delete*"
],
"Resource": "*",
"Effect": "Deny"
}
]
}

38. Prevent Users from Deleting S3 Buckets or Objects.
This SCP prevents users or roles in any affected account from deleting any S3 bucket or objects.

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": "*",
"Effect": "Deny"
}
]
}

39. Prevent Users from Disabling AWS Security Hub in an account.
This SCP prevents users or roles in any affected account from disabling AWS Security Hub, deleting member accounts, or disassociating an account from a master Security Hub account.

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"securityhub:DeleteInvitations",
"securityhub:DisableSecurityHub",
"securityhub:DisassociateFromMasterAccount",
"securityhub:DeleteMembers",
"securityhub:DisassociateMembers"
],
"Resource": "*",
"Effect": "Deny"
}
]
}

40. Deny-all (quarantine) SCP.
If an account is compromised, attach a deny-all SCP to it, usually by moving the account into a dedicated quarantine OU that carries this policy. Every API call from every principal in the account is then refused while responders investigate, and because an explicit Deny wins at any level, no other SCP can override it. Remember what SCPs do not cover: the management account, service-linked roles, and the handful of root-only tasks, so the management account cannot be quarantined this way and its credentials need separate protection.

{    
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Quarantine",
"Effect": "Deny",
"Action": "*",
"Resource": "*"
}
]
}

CONCLUSION:

AWS service control policies are a powerful feature for limiting your organization's exposure to new, intentionally disallowed, or simply unfamiliar AWS services and resources, at any level of organizational maturity. You can configure the SCPs in your AWS Organization to work in either of the following ways:

  • A deny list — actions are allowed by default, and you specify what services and actions are prohibited.
  • An allow list — actions are prohibited by default, and you specify what services and actions are allowed.
