Added an scp that allows creation of us buckets only

cloud · Aug 29, 2019 · b2de5cb · b2de5cb
1 parent 77af301
commit b2de5cb
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# AWS Organizations Service Control Policies
+# AWS Organizations Service Control Policies
 ---
 
 ## Description
@@ -17,6 +17,8 @@ A repository of community generated Service control policies (SCPs) and referenc
 
 - [ec2-encrypt-ebs](ec2-encrypt-ebs.policy) - Set enforces setting where ebs volumes are encrypted by default - to set default for account use cli command: aws ec2 enable-ebs-encryption-by-default    Not setting up a default encryption will generate a difficult to understand error.
 
+- [s3-us-only-buckets](s3-us-only-buckets.policy) - Allows creation of an S3 bucket only in the US EAST (us-east-1 or us-east-2) or WEST (us-west-1 or us-west-2) regions.
+
 ## Reference Links
 
 - [Service Control Policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html) - AWS Organizations - Service Control Policies Documentation

diff --git a/s3-us-only-buckets.policy b/s3-us-only-buckets.policy
@@ -0,0 +1,23 @@
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Sid": "AllowOnlyUSBasedS3Buckets",
+			"Effect": "Deny",
+			"Action": [
+				"s3:CreateBucket"
+			],
+			"Resource": "arn:aws:s3:::*",
+			"Condition": {
+				"ForAnyValue:StringNotLike": {
+					"s3:LocationConstraint": [
+						"us-east-1",
+						"us-east-2",
+						"us-west-1",
+						"us-west-2"
+					]
+				}
+			}
+		}
+	]
+}