AWS Organizations
User Guide

Example Service Control Policies

The example service control policies (SCPs) displayed in this topic are for information purposes only.

Before Using These Examples

Before you attempt to use these example SCPs in your organization, do the following:

  • Carefully review and customize them for your unique requirements.

  • Test your policies before using them in a production capacity. Remember that an SCP affects every user and role and even the root user in every account that it's attached to.

Tip

You can use service last accessed data in IAM to update your SCPs to restrict access to only the AWS services that you need. For more information, see Viewing Organizations Service Last Accessed Data for Organizations in the IAM User Guide.

Each of the following policies is an example of a blacklist policy strategy. Blacklist policies must be attached along with other policies that allow the approved actions in the affected accounts. For example, the default FullAWSAccess policy permits the use of all services in an account. This policy is attached by default to the root, all organizational units (OUs), and all accounts. It doesn't actually grant the permissions; no SCP does. Instead, it enables administrators in that account to delegate access to those actions by attaching standard IAM permission policies to users, roles, or groups in the account. Because an explicit Deny in an SCP always wins over an Allow, each of these blacklist policies then blocks the specified services or actions regardless of what the IAM policies in the account allow.

Example 1: Prevent Users from Disabling AWS CloudTrail

This SCP prevents users or roles in any affected account from stopping logging on a CloudTrail trail, either directly as a command or through the console. It denies only cloudtrail:StopLogging; a trail can also be deleted or reconfigured with cloudtrail:DeleteTrail and cloudtrail:UpdateTrail, so add those actions if you need to protect the trail itself.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "cloudtrail:StopLogging",
      "Resource": "*"
    }
  ]
}

Example 2: Prevent Users from Disabling Amazon CloudWatch or Altering Its Configuration

A lower-level CloudWatch operator needs to monitor dashboards and alarms, but must not be able to delete or change any dashboard or alarm that senior people might put into place. This SCP prevents users or roles in any affected account from running any of the CloudWatch commands that could delete or change your dashboards or alarms.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DeleteDashboards",
        "cloudwatch:DisableAlarmActions",
        "cloudwatch:PutDashboard",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:SetAlarmState"
      ],
      "Resource": "*"
    }
  ]
}

Example 3: Prevent Users from Deleting Amazon VPC Flow Logs

This SCP prevents users or roles in any affected account from deleting VPC Flow Logs (ec2:DeleteFlowLogs) or the CloudWatch Logs log groups and log streams that receive them.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteFlowLogs",
        "logs:DeleteLogGroup",
        "logs:DeleteLogStream"
      ],
      "Resource": "*"
    }
  ]
}

Example 4: Prevent Users from Disabling AWS Config or Changing Its Rules

This SCP prevents users or roles in any affected account from running AWS Config operations that could disable AWS Config or alter its rules or triggers.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigRule",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:StopConfigurationRecorder"
      ],
      "Resource": "*"
    }
  ]
}

Example 5: Prevent Any VPC That Doesn't Already Have Internet Access from Getting It

This SCP prevents users or roles in any affected account from changing the configuration of your Amazon VPCs to grant them direct access to the internet. It doesn't block existing direct access or any access that routes through your on-premises network environment. Note that an egress-only internet gateway is bound to its VPC when it is created, so the action to deny is ec2:CreateEgressOnlyInternetGateway (there is no separate attach action for it).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:AttachInternetGateway",
        "ec2:CreateInternetGateway",
        "ec2:CreateEgressOnlyInternetGateway",
        "ec2:CreateVpcPeeringConnection",
        "ec2:AcceptVpcPeeringConnection"
      ],
      "Resource": "*"
    }
  ]
}

Example 6: Denies Access to AWS Based on the Requested Region

This SCP denies access to any operations outside of the eu-central-1 and eu-west-1 Regions, except for actions in the listed services. To use this SCP, replace the Region names and the list of services in the example policy with your own information.

This policy uses the NotAction element with the Deny effect to deny access to all of the actions not listed in the statement. The listed services are examples of AWS global services with a single endpoint that is physically located in the us-east-1 Region. Requests to those services are never denied by this statement, in us-east-1 or anywhere else, because they fall inside the NotAction element. Any other request whose aws:RequestedRegion is not one of the two listed Regions, including requests to us-east-1, is denied.

Notes

  • Not all AWS global services are shown in this example policy. Replace the list of services in the NotAction element with the global services used by accounts in your organization.

  • This example policy blocks access to the AWS Security Token Service global endpoint (sts.amazonaws.com). To use AWS STS with this policy, use regional endpoints or add "sts:*" to the NotAction element. For more information on AWS STS endpoints, see Activating and Deactivating AWS STS in an AWS Region in the IAM User Guide.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideEU",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "route53:*",
        "budgets:*",
        "waf:*",
        "cloudfront:*",
        "globalaccelerator:*",
        "importexport:*",
        "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-central-1",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}

Example 7: Prevent IAM Principals from Making Certain Changes

This SCP restricts IAM principals in accounts from making changes to a common administrative IAM role created in all accounts in your organization. Replace role-to-deny with the name of that role; the account ID in the Resource ARN is a wildcard so that the same SCP protects the role in every account it is attached to.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessToASpecificRole",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:DeleteRole",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription"
      ],
      "Resource": [
        "arn:aws:iam::*:role/role-to-deny"
      ]
    }
  ]
}

Example 8: Prevent IAM Principals from Making Certain Changes, with Exceptions for Admins

This SCP builds on the previous example to make an exception for administrators. It prevents IAM principals in accounts from making changes to a common administrative IAM role created in all accounts in your organization, except for administrators using a specified role. The exception is expressed with a StringNotLike condition on aws:PrincipalARN: the Deny applies to every principal whose ARN does not match the role-to-allow pattern. Because the pattern uses a wildcard account ID, the role-to-allow role in any account is exempted.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessWithException",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:DeleteRole",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription"
      ],
      "Resource": [
        "arn:aws:iam::*:role/role-to-deny"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/role-to-allow"
        }
      }
    }
  ]
}

Example 9: Require Encryption on Amazon S3 Buckets

This SCP requires that principals use AES256 (SSE-S3) server-side encryption when writing objects to Amazon S3 buckets. The first statement denies any PutObject whose x-amz-server-side-encryption header carries a different value, so uploads that request SSE-KMS (aws:kms) are denied as written; change the value if KMS is your standard. The second statement uses the Null condition operator to deny uploads that omit the header entirely, so clients that rely on the bucket's default encryption and send no header are also denied.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": true
        }
      }
    }
  ]
}

Example 10: Require Amazon EC2 Instances to Use a Specific Type

With this SCP, any instance launch that doesn't use the t2.micro instance type is denied. The Resource is scoped to the instance ARN because the ec2:InstanceType condition key applies to the instance resource of an ec2:RunInstances request.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMicroInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}

Example 11: Require MFA to Stop an Amazon EC2 Instance

Use an SCP like the following to require that multi-factor authentication (MFA) was used before a principal or the root user can stop or terminate an Amazon EC2 instance. The BoolIfExists operator matters here: when the aws:MultiFactorAuthPresent key is absent from the request context, as it is for requests signed with long-term access keys, the condition still evaluates to true and the request is denied. Only a request whose context carries aws:MultiFactorAuthPresent set to true passes.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyStopAndTerminateWhenMFAIsNotPresent",
      "Effect": "Deny",
      "Action": [
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": false
        }
      }
    }
  ]
}

Example 12: Restrict Access to Amazon EC2 for Root User

The following policy restricts all access to Amazon EC2 actions for the root user in an account. If you want to prevent your accounts from using root credentials in specific ways, add your own actions to this policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictEC2ForRoot",
      "Effect": "Deny",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:root"
          ]
        }
      }
    }
  ]
}
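The examples above rely on a handful of evaluation rules that are easy to get wrong when reading a policy by eye: NotAction exempts the listed services everywhere (Example 6), a negated operator such as StringNotEquals or StringNotLike matches when its key is absent (Examples 6, 8 and 9), Null tests for the absence of a key (Example 9), and BoolIfExists matches when the key is missing (Example 11). The following script is an added example, not AWS code or part of this guide: it is a small offline evaluator for the Deny statements of Examples 6, 8, 9 and 11 that walks representative requests through them. It supports only the condition operators used on this page, uses the placeholder account ID 111122223333 and a trimmed action list for Example 8, and is a model of SCP evaluation rather than a substitute for testing in a real account or with the IAM policy simulator.

```python
"""Offline evaluator for the Deny statements in the example SCPs (added example, not AWS code)."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(operator, key, values, ctx):
    """Evaluate one operator/key/values triple against a lower-cased request context."""
    present = key in ctx
    if operator == "Null":
        # "Null": {key: true} holds when the key is absent; false holds when it is present.
        return present != (str(_as_list(values)[0]).lower() == "true")
    base, if_exists = operator.replace("IfExists", ""), operator.endswith("IfExists")
    if not present:
        # Missing key: ...IfExists and negated operators (StringNot*) hold, positive ones do not.
        return if_exists or "Not" in base
    actual, wanted = str(ctx[key]), [str(v) for v in _as_list(values)]
    if base in ("StringLike", "StringNotLike"):
        hit = any(fnmatch.fnmatchcase(actual, w) for w in wanted)
    elif base == "Bool":
        hit = actual.lower() in [w.lower() for w in wanted]
    else:  # StringEquals / StringNotEquals are case-sensitive, as in IAM
        hit = actual in wanted
    return hit != ("Not" in base)


def _statement_matches(stmt, action, resource, ctx):
    if "Action" in stmt and not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
        return False
    if "NotAction" in stmt and any(_action_matches(p, action) for p in _as_list(stmt["NotAction"])):
        return False  # NotAction: the statement never applies to the listed actions
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*"))):
        return False
    # Every operator block and every key inside it must hold (AND); values are OR-ed above.
    return all(_condition_holds(op, key.lower(), vals, ctx)
               for op, pairs in stmt.get("Condition", {}).items() for key, vals in pairs.items())


def scp_denies(policy, request):
    """True if any Deny statement in `policy` matches `request` (see `req` for the shape)."""
    ctx = {k.lower(): v for k, v in request.get("context", {}).items()}  # condition keys are case-insensitive
    return any(s["Effect"] == "Deny" and _statement_matches(s, request["action"], request["resource"], ctx)
               for s in policy["Statement"])


def req(action, resource, context=None):
    """Build a request: the API action, the target ARN, and the condition keys of the request context."""
    return {"action": action, "resource": resource, "context": context or {}}


# Example 6: deny everything outside the EU Regions except the listed global services.
DENY_OUTSIDE_EU = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyAllOutsideEU", "Effect": "Deny",
    "NotAction": ["iam:*", "organizations:*", "route53:*", "budgets:*", "waf:*",
                  "cloudfront:*", "globalaccelerator:*", "importexport:*", "support:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]}}}]}

# Example 8 (action list trimmed for brevity): protect role-to-deny except from role-to-allow.
DENY_ROLE_CHANGES = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyAccessWithException", "Effect": "Deny",
    "Action": ["iam:DeleteRole", "iam:UpdateAssumeRolePolicy", "iam:PutRolePolicy"],
    "Resource": ["arn:aws:iam::*:role/role-to-deny"],
    "Condition": {"StringNotLike": {"aws:PrincipalARN": "arn:aws:iam::*:role/role-to-allow"}}}]}

# Example 9: require the AES256 server-side-encryption header on every PutObject.
REQUIRE_SSE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": True}}}]}

# Example 11: deny stop/terminate unless MFA is present in the request context.
REQUIRE_MFA = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyStopAndTerminateWhenMFAIsNotPresent", "Effect": "Deny",
    "Action": ["ec2:StopInstances", "ec2:TerminateInstances"], "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": False}}}]}


def demo():
    """Representative requests (placeholder account 111122223333); returns {label: denied?}."""
    acct = "111122223333"
    inst = f"arn:aws:ec2:eu-west-1:{acct}:instance/i-0123456789abcdef0"
    role = f"arn:aws:iam::{acct}:role/role-to-deny"
    obj = "arn:aws:s3:::example-bucket/key"
    return {
        "ex6 RunInstances in us-east-1": scp_denies(DENY_OUTSIDE_EU, req("ec2:RunInstances", inst, {"aws:RequestedRegion": "us-east-1"})),
        "ex6 RunInstances in eu-west-1": scp_denies(DENY_OUTSIDE_EU, req("ec2:RunInstances", inst, {"aws:RequestedRegion": "eu-west-1"})),
        "ex6 iam:CreateUser (global, exempt)": scp_denies(DENY_OUTSIDE_EU, req("iam:CreateUser", f"arn:aws:iam::{acct}:user/bob", {"aws:RequestedRegion": "us-east-1"})),
        "ex6 sts via global endpoint (not exempt)": scp_denies(DENY_OUTSIDE_EU, req("sts:AssumeRole", role, {"aws:RequestedRegion": "us-east-1"})),
        "ex8 DeleteRole by other role": scp_denies(DENY_ROLE_CHANGES, req("iam:DeleteRole", role, {"aws:PrincipalArn": f"arn:aws:iam::{acct}:role/other"})),
        "ex8 DeleteRole by role-to-allow": scp_denies(DENY_ROLE_CHANGES, req("iam:DeleteRole", role, {"aws:PrincipalArn": f"arn:aws:iam::{acct}:role/role-to-allow"})),
        "ex9 PutObject with aws:kms": scp_denies(REQUIRE_SSE, req("s3:PutObject", obj, {"s3:x-amz-server-side-encryption": "aws:kms"})),
        "ex9 PutObject without header": scp_denies(REQUIRE_SSE, req("s3:PutObject", obj)),
        "ex11 StopInstances, long-term keys (key absent)": scp_denies(REQUIRE_MFA, req("ec2:StopInstances", inst)),
        "ex11 StopInstances with MFA": scp_denies(REQUIRE_MFA, req("ec2:StopInstances", inst, {"aws:MultiFactorAuthPresent": True})),
    }


if __name__ == "__main__":
    for label, denied in demo().items():
        print(f"{'DENY ' if denied else 'allow'}  {label}")
```

The "sts via global endpoint" case reproduces the note under Example 6: sts:* is not in the NotAction list, and a call to sts.amazonaws.com carries aws:RequestedRegion us-east-1, so it is denied until you add "sts:*" to the NotAction element or switch to a Regional STS endpoint. Remember that SCPs only filter: a request this evaluator reports as "allow" still needs an IAM policy in the account that grants it.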