diff --git a/README.md b/README.md
index 5264858..d3e2d22 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,8 @@ A repository of community generated Service control policies (SCPs) and referenc
 - [s3-us-only-buckets](s3-us-only-buckets.policy) - Allows creation of an S3 bucket only in the US EAST (us-east-1 or us-east-2) or WEST (us-west-1 or us-west-2) regions.
+- [control-tower-regions-only](control-tower-regions-only.policy) - Allows actions in only the regions used in AWS Control Tower. A US regions only policy will break some aspects of Control Tower as it requires access to all the regions it is available in. You can further constrain user actions with a separate SCP that only gives access to a subset of the Control Tower regions to a particular group.
+
 ## Reference Links
 - [Service Control Policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html) - AWS Organizations - Service Control Policies Documentation
diff --git a/control-tower-regions-only.policy b/control-tower-regions-only.policy
new file mode 100644
index 0000000..4d7fbb0
--- /dev/null
+++ b/control-tower-regions-only.policy
@@ -0,0 +1,33 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "NotAction": [
+ "iam:*",
+ "organizations:*",
+ "route53:*",
+ "budgets:*",
+ "waf:*",
+ "cloudfront:*",
+ "globalaccelerator:*",
+ "importexport:*",
+ "support:*",
+ "health:*",
+ "route53domains:*"
+ ],
+ "Resource": "*",
+ "Effect": "Deny",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:RequestedRegion": [
+ "us-east-1",
+ "us-east-2",
+ "us-west-2",
+ "eu-west-1",
+ "ap-southeast-2"
+ ]
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
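Review bot: The NotAction exemption list in the new policy is narrower than the region-deny pattern AWS documents for SCPs, which additionally exempts global-scoped actions such as `sts:*`, `ec2:DescribeRegions` and `s3:ListAllMyBuckets`; unless those are intentionally left out, console and SDK flows that issue them against an endpoint outside the five listed regions may be denied, so the omission should either be fixed or documented in the README entry. The Deny also carries no principal exemption, and with `"Resource": "*"` it binds every role in the account, including any roles Control Tower itself may assume in a region not on the list; consider adding `"ArnNotLike": {"aws:PrincipalARN": ["arn:aws:iam::*:role/<EXEMPT-ROLE-NAME>"]}` beside the `StringNotEquals` block so a break-glass or administration role stays reachable. Whether the five regions match the regions a given landing zone has enabled cannot be checked from the policy, so a short comment in the README entry recording where the list came from would help maintainers keep it current. The file also lacks a trailing newline.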