Repository of community generated service control policies and reference links
sjeanes Merge pull request #4 from cloud/control-tower-scp-update
Add Control Tower regions only SCP. Update README.
Latest commit c8ce3a4 Apr 17, 2020

AWS Organizations Service Control Policies


A repository of community-generated service control policies (SCPs) and reference links to help enforce governance and access-control guidelines across your entire organization. Please feel free to contribute or submit a pull request if you would like to improve an existing SCP or share additional ones.

Example Policies

  • us-regions-only - Deny actions unless performed in one of the US related regions

  • prevent-resourcesharing - Prevent account from creating or deleting resource shares within the organization

  • prevent-disabling-cloudtrail - Account cannot disable CloudTrail service

  • prevent-deletion-of-service-resources - Protect various organizational roles and resources curated for service and governance related purposes.

  • ec2-encrypt-ebs - Enforces that EBS volumes are encrypted by default. To turn on the default for an account, use the CLI command: aws ec2 enable-ebs-encryption-by-default. If default encryption is not enabled in the account, this SCP causes volume creation to fail with an error that is difficult to understand.

  • us-regions-only-group-exception - Limits most users to configuring AWS resources in US regions only. It includes an example role that is allowed to operate in any region.

  • s3-us-only-buckets - Allows creation of an S3 bucket only in the US East (us-east-1 or us-east-2) or US West (us-west-1 or us-west-2) regions.

  • control-tower-regions-only - Allows actions in only the regions used in AWS Control Tower. A US regions only policy will break some aspects of Control Tower as it requires access to all the regions it is available in. You can further constrain user actions with a separate SCP that only gives access to a subset of the Control Tower regions to a particular group.
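As an added illustration of the region-restriction pattern behind us-regions-only and us-regions-only-group-exception (this is example policy text written for this README, not one of the repository's own files): a single Deny statement that blocks any action requested outside the four US regions listed above, unless the caller is assuming an exception role. The role name GlobalAdminRole is a placeholder you would replace with your own; global services whose APIs are not region-scoped are excluded through NotAction so the policy keeps working even if the allowed region list is later changed to one that does not include us-east-1.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideUSRegionsExceptExemptRole",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "route53:*",
        "cloudfront:*",
        "budgets:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-east-2",
            "us-west-1",
            "us-west-2"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/GlobalAdminRole"
        }
      }
    }
  ]
}
```

Remember that SCPs never restrict the organization's management account, and that a Deny keyed on aws:RequestedRegion also blocks global-service calls unless those services appear in NotAction; attach the policy to a sandbox OU first and confirm with CloudTrail that only the expected calls are denied.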

Reference Links
