Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Set up a configuration package for SCPs or RCPs

Focus mode
Set up a configuration package for SCPs or RCPs - AWS Control Tower

This section explains how to create a configuration package for service control policies (SCPs) or resource control policies (RCPs). The two main parts of this process are (1) prepare the CfCT manifest file, and (2) prepare your folder structure.

Step 1: Edit the manifest.yaml file

Use the sample manifest.yaml file as your starting point. Enter all necessary configurations. Add the resource_file and deployment_targets details.

The following snippet shows the default manifest file.

--- region: us-east-1 version: 2021-03-15 resources: []

The value for region is added automatically during deployment. It must match the Region where you deployed CfCT. This Region must be the same as the AWS Control Tower region.

To add a custom SCP or RCP in the example-configuration folder in the zip package stored in the Amazon S3 bucket, open the example-manifest.yaml file and begin editing.

--- region: your-home-region version: 2021-03-15 resources: - name: test-preventive-controls description: To prevent from deleting or disabling resources in member accounts resource_file: policies/preventive-controls.json deploy_method: scp | rcp #Apply to the following OU(s) deployment_targets: organizational_units: #array of strings - OUName1 - OUName2 …truncated…

The following snippet shows an example of a customized manifest file. You can add more than one policy in a single change.

--- region: us-east-1 version: 2021-03-15 resources: - name: block-s3-public-access description: To S3 buckets to have public access resource_file: policies/block-s3-public.json deploy_method: scp | rcp #Apply to the following OU(s) deployment_targets: organizational_units: #array of strings - OUName1 - OUName2

Step 2: Create a folder structure

You can skip this step if you are using an Amazon S3 URL for the resource file and using parameters with key/value pairs.

You must include an SCP policy or RCP policy in JSON format to support the manifest, because the manifest file references the JSON file. Ensure that the file paths match the path information provided in the manifest file.

  • A policy JSON file contains the SCPs or RCPs to be deployed to OUs.

The following snippet shows the folder structure for the sample manifest file.

- manifest.yaml - policies/ - block-s3-public.json

The following snippet is an example of a block-s3-public.json policy file.

{ "Version":"2012-10-17", "Statement":[ { "Sid":"GuardPutAccountPublicAccessBlock", "Effect":"Deny", "Action":"s3:PutAccountPublicAccessBlock", "Resource":"arn:aws:s3:::*" } ] }
PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.