Repository of community generated service control policies and reference links
sjeanes Merge pull request #3 from ericstraavaldsen/master
US Region limit with a role that can operate outside the region limit.
Latest commit 50b711b Oct 28, 2019

README.md

AWS Organizations Service Control Policies

Description

A repository of community generated Service Control Policies (SCPs) and reference links to help enforce consistent governance and access control guidelines across your entire organization. Please feel free to contribute or submit a pull request if you would like to improve an existing SCP or share additional ones.

Example Policies

  • us-regions-only - Deny actions unless performed in one of the US related regions

  • prevent-resourcesharing - Prevent account from creating or deleting resource shares within the organization

  • prevent-disabling-cloudtrail - Account cannot disable CloudTrail service

  • prevent-deletion-of-service-resources - Protect various organizational roles and resources curated for service and governance related purposes.

  • ec2-encrypt-ebs - Enforces that EBS volumes are encrypted by default. To set the default for an account, use the CLI command: aws ec2 enable-ebs-encryption-by-default. If default encryption is not set up, the policy will generate a difficult to understand error.

  • us-regions-only-group-exception - Limits most users to configuring AWS resources in US regions only. It includes an example role that is allowed to operate in any region.

  • s3-us-only-buckets - Allows creation of an S3 bucket only in the US EAST (us-east-1 or us-east-2) or WEST (us-west-1 or us-west-2) regions.
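The us-regions-only and us-regions-only-group-exception policies above both rely on a Deny statement keyed on aws:RequestedRegion, with the exception role carved out via aws:PrincipalARN. The following is an added example, not one of this repository's policy files: it shows that statement shape (following AWS's documented region-deny pattern, where global services such as IAM and STS must be exempted with NotAction or the policy breaks them) together with a deliberately simplified evaluator, so you can check which requests the statement would deny before deploying it. The role name and account IDs are placeholders.

```python
"""Simplified model of a US-regions-only SCP with a role exception."""
import fnmatch

US_REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]
# Global services are not bound to a US region, so they are exempted via
# NotAction; without this the deny would also block IAM, STS, etc.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "support:*",
                          "cloudfront:*", "route53:*", "budgets:*"]
# Placeholder: the role allowed to operate in any region (any account).
EXCEPTION_ROLE_ARN = "arn:aws:iam::*:role/GlobalOperationsRole"

SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideUSRegionsExceptGlobalOpsRole",
        "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_ACTIONS,
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": US_REGIONS},
            "ArnNotLike": {"aws:PrincipalARN": [EXCEPTION_ROLE_ARN]},
        },
    }],
}


def _matches_any(value: str, patterns: list[str]) -> bool:
    # Simplification: fnmatch '*' may span ':' whereas AWS ArnLike matches
    # each colon-delimited segment separately; identical for this policy.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def scp_denies(action: str, region: str, principal_arn: str) -> bool:
    """True if the SCP's Deny statement matches the request.

    Models only the operators this policy uses. SCPs never grant access,
    so 'not denied here' still requires an IAM allow elsewhere."""
    for stmt in SCP["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # NotAction: the statement applies to every action NOT listed.
        if _matches_any(action, stmt.get("NotAction", [])):
            continue
        cond = stmt["Condition"]
        outside_us = region not in cond["StringNotEquals"]["aws:RequestedRegion"]
        not_exempt = not _matches_any(
            principal_arn, cond["ArnNotLike"]["aws:PrincipalARN"])
        if outside_us and not_exempt:
            return True
    return False
```

Note that SCPs never apply to the organization's management account, so a request from that account is not covered by this check.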

Reference Links
