Restrict access using AWS Organizations service control policies
This topic presents examples that show how you can use service control policies (SCPs) in AWS Organizations to restrict what the users and roles in the accounts in your organization can do. For more information about service control policies, see the AWS Organizations User Guide.
Example 1: Prevent accounts from modifying their own alternate contacts
The following example denies the PutAlternateContact and DeleteAlternateContact API operations from being called by any member account in standalone account mode. This prevents any principal in the affected accounts from changing their own alternate contacts.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Deny",
            "Action": [
                "account:PutAlternateContact",
                "account:DeleteAlternateContact"
            ],
            "Resource": [
                "arn:aws:account::*:account"
            ]
        }
    ]
}
Example 2: Prevent any member account from modifying alternate contacts for any other member account in the organization
The following example generalizes the Resource element to "*", which means that it applies to both standalone mode requests and organizations mode requests. This means that even the delegated admin account for Account Management, if the SCP applies to it, is blocked from changing any alternate contact for any account in the organization.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Deny",
            "Action": [
                "account:PutAlternateContact",
                "account:DeleteAlternateContact"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Example 3: Prevent a member account in an OU from modifying its own alternate contacts
The following example SCP includes a condition that compares the account's organization path to a list of two OUs. This results in blocking a principal in any account in the specified OUs from modifying their own alternate contacts.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Deny",
            "Action": "account:PutAlternateContact",
            "Resource": [
                "arn:aws:account::*:account"
            ],
            "Condition": {
                "ForAnyValue:StringLike": {
                    "account:AccountResourceOrgPath": [
                        "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h111/",
                        "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h222/"
                    ]
                }
            }
        }
    ]
}
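The difference between the three SCPs comes down to which request resource ARN each Deny statement matches and whether the org-path condition holds. The following Python script is an added example, not AWS code or part of this page: it is a minimal evaluator for the Deny statements of the three policies above (IAM wildcard matching on Action and Resource, plus the StringLike operator with its ForAnyValue/ForAllValues set variants) and runs each policy against constructed requests. The account IDs, the standalone resource ARN arn:aws:account::111122223333:account, and the organizations-mode ARN shape arn:aws:account::<management-account>:account/o-<org>/<member-account> are assumptions chosen to match the account and accountInOrganization resource types of AWS Account Management; the org-path values are constructed, including a nested-OU path used to show that a pattern without a trailing "*" matches only accounts directly under the listed OU.

```python
"""Minimal evaluator for the Deny statements in the three example SCPs."""
import fnmatch
import json

# The three policies from this page, as Python dicts.
SCP_EXAMPLE_1 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement1", "Effect": "Deny",
        "Action": ["account:PutAlternateContact", "account:DeleteAlternateContact"],
        "Resource": ["arn:aws:account::*:account"],
    }],
}
SCP_EXAMPLE_2 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement1", "Effect": "Deny",
        "Action": ["account:PutAlternateContact", "account:DeleteAlternateContact"],
        "Resource": ["*"],
    }],
}
SCP_EXAMPLE_3 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement1", "Effect": "Deny",
        "Action": "account:PutAlternateContact",
        "Resource": ["arn:aws:account::*:account"],
        "Condition": {"ForAnyValue:StringLike": {"account:AccountResourceOrgPath": [
            "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h111/",
            "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h222/",
        ]}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    # IAM wildcard semantics: '*' matches any run of characters (including ':' and '/'),
    # '?' matches one character, and the match is case-sensitive and must cover the whole value.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Evaluate a Condition block; only StringLike and its set-operator forms are modelled."""
    for operator, pairs in condition.items():
        set_op, _, base_op = operator.rpartition(":")  # "ForAnyValue:StringLike" -> ("ForAnyValue", "StringLike")
        if base_op != "StringLike":
            raise NotImplementedError(f"condition operator {operator} is not modelled here")
        for key, patterns in pairs.items():
            patterns = _as_list(patterns)
            values = _as_list(context.get(key, []))
            matched = [any(_wildcard_match(p, v) for p in patterns) for v in values]
            if set_op == "ForAnyValue":
                ok = any(matched)
            elif set_op == "ForAllValues":
                ok = all(matched)  # vacuously true when the key is absent, as in IAM
            else:
                ok = len(values) == 1 and matched[0]  # single-valued: a missing key fails the condition
            if not ok:
                return False
    return True


def scp_denies(scp, action, resource, context=None):
    """True if any Deny statement in the SCP matches the given action, resource and request context."""
    context = context or {}
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


# Constructed request shapes (assumptions, not taken from the page).
MEMBER = "111122223333"
ADMIN = "999999999999"
STANDALONE = f"arn:aws:account::{MEMBER}:account"                      # account acting on itself
ORG_MODE = f"arn:aws:account::{ADMIN}:account/o-aa111bb222/{MEMBER}"   # delegated admin targeting MEMBER


def scenarios():
    """Run each SCP against the constructed requests; returns {scenario: denied?}."""
    put, delete = "account:PutAlternateContact", "account:DeleteAlternateContact"
    key = "account:AccountResourceOrgPath"
    in_ou1 = {key: "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h111/"}                       # listed OU
    in_other = {key: "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h333/"}                     # unlisted OU (constructed)
    nested = {key: "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h111/ou-a1b2-child111/"}      # child of the listed OU (constructed)
    return {
        "ex1_standalone": scp_denies(SCP_EXAMPLE_1, put, STANDALONE),
        "ex1_org_mode": scp_denies(SCP_EXAMPLE_1, put, ORG_MODE),
        "ex2_standalone": scp_denies(SCP_EXAMPLE_2, put, STANDALONE),
        "ex2_org_mode": scp_denies(SCP_EXAMPLE_2, put, ORG_MODE),
        "ex3_put_in_ou": scp_denies(SCP_EXAMPLE_3, put, STANDALONE, in_ou1),
        "ex3_delete_in_ou": scp_denies(SCP_EXAMPLE_3, delete, STANDALONE, in_ou1),
        "ex3_other_ou": scp_denies(SCP_EXAMPLE_3, put, STANDALONE, in_other),
        "ex3_nested_ou": scp_denies(SCP_EXAMPLE_3, put, STANDALONE, nested),
    }


if __name__ == "__main__":
    print(json.dumps(scenarios(), indent=2))
```

The results make the scoping concrete: Example 1 denies the standalone-mode request but not the organizations-mode one, because the organizations-mode ARN does not end in ":account"; Example 2 denies both because "*" matches any resource ARN; Example 3 denies PutAlternateContact only for an account whose org path exactly equals one of the two listed OU paths, so DeleteAlternateContact is untouched and an account in a child OU is not covered unless the pattern is widened.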