AWS Organizations Service Control Policies
Description
A repository of community-generated Service Control Policies (SCPs) and reference links to help enforce governance and access-control guidelines across your entire organization. Please feel free to contribute or submit a pull request if you would like to improve an existing SCP or share additional ones.
Example Policies
- us-regions-only - Deny actions unless performed in one of the US regions
- prevent-resourcesharing - Prevent accounts from creating or deleting resource shares within the organization
- prevent-disabling-cloudtrail - Accounts cannot disable the CloudTrail service
- prevent-deletion-of-service-resources - Protect various organizational roles and resources curated for service and governance related purposes
- ec2-encrypt-ebs - Enforce the account setting under which EBS volumes are encrypted by default. To enable the default in an account, use the CLI command: aws ec2 enable-ebs-encryption-by-default. If default encryption is not set up, the SCP will cause volume creation to fail with a difficult-to-understand error.
- us-regions-only-group-exception - Limits most users to configuring AWS resources in US regions only. It includes an example role that is allowed to operate in any region.
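As an added illustration of the region-restriction-with-exception pattern described by the last two entries (this is not one of the repository's own policies), the following SCP denies non-US regional actions except for an exempt role. The role name EXAMPLE-GlobalOpsRole and the four-region list are assumptions; the NotAction list excludes a few global services (following the AWS documentation pattern) so their control-plane calls, which are not region-scoped, are not blocked.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideUSRegionsExceptExemptRole",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-east-2",
            "us-west-1",
            "us-west-2"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/EXAMPLE-GlobalOpsRole"
        }
      }
    }
  ]
}
```

Both conditions must hold for the Deny to apply, so a call is blocked only when it targets a non-US region and is not made by the exempt role. Remember that SCPs only filter permissions (they never grant any) and do not affect the organization's management account, so test in a member account under a dedicated OU before attaching the policy at the root.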
Reference Links
- Service Control Policies - AWS Organizations - Service Control Policies Documentation