AWS Organizations Service Control Policies
Description
A repository of community-generated Service Control Policies (SCPs) and reference links to help you apply consistent governance and access-control guardrails across your entire organization. Please feel free to contribute or submit a pull request if you would like to improve an existing SCP or share additional ones.
Example Policies
- us-regions-only - Deny actions unless performed in one of the US regions
- prevent-resourcesharing - Prevent an account from creating or deleting resource shares within the organization
- prevent-disabling-cloudtrail - Account cannot disable the CloudTrail service
- prevent-deletion-of-service-resources - Protect various organizational roles and resources curated for service and governance purposes
- ec2-encrypt-ebs - Enforces the account setting under which EBS volumes are encrypted by default. Enable that default for the account with the CLI command: aws ec2 enable-ebs-encryption-by-default. If the default encryption setting is not enabled, the policy produces a difficult-to-understand error.
- us-regions-only-group-exception - Limits most users to configuring AWS resources in US regions only. It includes an example role that is allowed to operate in any region.
- s3-us-only-buckets - Allows creation of an S3 bucket only in the US East (us-east-1 or us-east-2) or US West (us-west-1 or us-west-2) regions.
- control-tower-regions-only - Allows actions only in the regions used by AWS Control Tower. A US-regions-only policy will break some aspects of Control Tower, because it requires access to all the regions it is available in. You can further constrain user actions with a separate SCP that gives a particular group access to only a subset of the Control Tower regions.
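As an added illustration, not one of the repository's own policies, the following shows the shape of a us-regions-only SCP with a group exception: every action outside the four US regions is denied, except for a short list of global services (which are served from us-east-1 and would otherwise break) and except for principals using the role RegionExceptionRole, an assumed placeholder name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideUSRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "cloudfront:*",
        "route53:*",
        "support:*",
        "budgets:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-east-2",
            "us-west-1",
            "us-west-2"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": [
            "arn:aws:iam::*:role/RegionExceptionRole"
          ]
        }
      }
    }
  ]
}
```

The NotAction list is a starting subset; extend it with any other global services your accounts depend on, and for Control Tower accounts widen the region list as described above instead of restricting to US regions.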
Reference Links
- Service Control Policies - AWS Organizations - Service Control Policies Documentation