From 0478d0cf67729f77395dfc001642f854b6252f82 Mon Sep 17 00:00:00 2001
From: pcrum
Date: Wed, 28 Aug 2019 11:45:59 -0400
Subject: [PATCH] Added an scp that allows creation of us buckets only

---
 README.md | 2 ++
 s3-us-only-buckets.policy | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 s3-us-only-buckets.policy

diff --git a/README.md b/README.md
index 4a00cc3..8638463 100644
--- a/README.md
+++ b/README.md
@@ -15,6 +15,8 @@ A repository of community generated Service control policies (SCPs) and referenc
 - [prevent-deletion-of-service-resources](prevent-deletion-of-service-resources.policy) - Protect various organizational roles and resources curated for service and governance related purposes.
+- [s3-us-only-buckets](s3-us-only-buckets.policy) - Allows creation of an S3 bucket only in the US EAST (us-east-1 or us-east-2) or WEST (us-west-1 or us-west-2) regions.
+
 ## Reference Links
 - [Service Control Policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html) - AWS Organizations - Service Control Policies Documentation
diff --git a/s3-us-only-buckets.policy b/s3-us-only-buckets.policy
new file mode 100644
index 0000000..2914f3f
--- /dev/null
+++ b/s3-us-only-buckets.policy
@@ -0,0 +1,23 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowOnlyUSBasedS3Buckets",
+ "Effect": "Deny",
+ "Action": [
+ "s3:CreateBucket"
+ ],
+ "Resource": "arn:aws:s3:::*",
+ "Condition": {
+ "ForAnyValue:StringNotLike": {
+ "s3:LocationConstraint": [
+ "us-east-1",
+ "us-east-2",
+ "us-west-1",
+ "us-west-2"
+ ]
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
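Review bot: The `ForAnyValue:` prefix on the `StringNotLike` condition in the new policy file is a set operator meant for multi-valued request keys, while `s3:LocationConstraint` carries at most one value, and pairing a set operator with a negated string operator changes how a request with no LocationConstraint at all is evaluated. A CreateBucket call aimed at us-east-1 commonly omits the LocationConstraint entirely, so whether this SCP denies or permits that case is decided by the missing-key rule rather than by the region list; if I recall the evaluation rules correctly, the plain negated form treats an absent key as a match for the Deny, which would block default us-east-1 bucket creation. Suggest dropping the prefix, `"StringNotLike": {`, and then testing the attached SCP against a bucket creation in us-east-1 made without an explicit location constraint and one made with it, before relying on it. Since JSON cannot carry a comment, the README entry added in the same commit is the place to record the outcome of that test and the us-east-1 caveat. The file also lacks a trailing newline.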