You must be logged in to view saved presets
Service Control Policies
A repository of AWS Service Control Policy templates and examples that can be deployed using CloudFormation custom resource or AWS CLI scripts.
AWS
Whitelist Access to AWS Based on the Requested Region
This SCP denies access to any operations outside of the specified AWS Region, except for actions in the listed services (These are global services that cannot be whitelisted based on region).
Restrict Region Enable/Disable Actions to a Privileged Role
This SCP restricts IAM principals in accounts from enabling/disabling AWS regions except if the change was being done by that specified role(This could be a common administrative IAM role created in all accounts in your organization)
VPC
Prevent Any VPC That Doesn't Already Have Internet Access from Getting It
This SCP prevents users or roles in any affected account from changing the configuration of your Amazon EC2 virtual private clouds (VPCs) to grant them direct access to the internet. It doesn't block existing direct access or any access that routes through your on-premises network environment.
Protect VPC Connectivity Settings from Modification
This SCP restricts IAM principals in an AWS account from changing creating, updating or deleting settings for Internet Gateways, NAT Gateways, VPC Peering, VPN Gateways, Client VPNs, Direct Connect and Global Accelerator.
Protect VPC Internet and NAT Gateway Settings from any Modifications
This SCP restricts IAM principals in an AWS account from changing creating, updating or deleting Internet Gateways and NAT Gateways.
Prevent Users from Deleting Amazon VPC Flow Logs
This SCP prevents users or roles in any affected account from deleting Amazon EC2 flow logs or CloudWatch log groups or log streams.
Restrict VPC CIDR to Specific IP Pools from Amazon VPC IPAM (IP Address Manager)
This SCP restrict users in your AWS Organizations account to creating VPCs with CIDRs from a specific IPv4 pool and associating CIDRs to the VPCs from the pool. Users in the account will not be able to create VPCs with CIDRs or associate CIDRs to VPCs from any other pools from the one you choose.
Prevent Users from Creating Default VPC and Subnet
This SCP prevents users or roles in any affected account from creating a default VPC or Subnets
S3
Prevent Users from Deleting S3 Buckets or Objects
This SCP prevents users or roles in any affected account from deleting any S3 bucket or objects.
Prevent Users Accessing S3 Reources Outside an AWS Organization
This SCP prevents users or roles in any affected account from accessing any S3 objects outside the specified AWS Organization
Require Encryption on All Amazon S3 Buckets in an AWS Account
This SCP requires that all Amazon S3 buckets use AES256 encryption in an AWS Account
Prevent Users from Modifying S3 Block Public Access Settings
This SCP prevents users or roles in any affected account from modifying the S3 Block Public Access Settings in an Account.
Prevent Users from Deleting Glacier Vaults or Archives
This SCP prevents users or roles in any affected account from disabling Amazon Macie, deleting member accounts or disassociating an account from a master Macie account.
Deny ACL Disablement for All New S3 Buckets
This SCP restricts IAM principals in accounts from creating new S3 buckets without ACLs disabled (bucket owner enforced)
IAM
Restrict the Use of the Root User in an AWS Account
This SCP prevents restricts the root user in an AWS account from taking any action, either directly as a command or through the console.
Prevent Creation of New IAM Users or Access Keys
This SCP restricts IAM principals from creating new IAM users or IAM Access Keys in an AWS account.
Prevent Creation of New IAM Users or Access Keys with an Exception for an Administrator Role
This SCP restricts IAM principals from creating new IAM users or IAM Access Keys in an AWS account with an exception for a specified Administrator IAM role.
Prevent Modification of IAM Password Policy with an Exception for an Administrator Role
This SCP restricts IAM principals from modifying existing IAM password policies in an AWS account with an exception for a specified Administrator IAM role.
Prevent IAM Changes to a Specified IAM Role
This SCP restricts IAM principals in accounts from making changes to an IAM role created in an AWS account (This could be a common administrative IAM role created in all accounts in your organization).
Prevent IAM Changes to a Specified IAM Role with the Exception of that Role
This SCP restricts IAM principals in accounts from making changes to an IAM role created in an AWS account except if the change was being done by that specified role(This could be a common administrative IAM role created in all accounts in your organization).
Prevent Users from Disabling AWS Access Analyzer in an account
This SCP prevents users or roles in any affected account from deleting AWS Access Analyzer in an AWS account.
EC2
Require Amazon EC2 Instances to Use a Specific Type
This SCP prevents the launch of any EC2 instance type that is not whitelisted by the policy (default: t3.micro).
Require MFA to Stop an Amazon EC2 Instance
This SCP requires that multi-factor authentication (MFA) is enabled before a principal or root user can stop an Amazon EC2 instance.
Prevent Users from Disabling EBS Default Encryption
This SCP prevents users or roles in any affected account from disabling ebs default encryption
Lambda
Prevent Users from Creating Open Lambda URLs
This SCP prevents users from creating open Lambda HTTP URLs that do not required authentication and enforces AWS_IAM authentication on all Lambda URLs
Prevent Modifications to Specific Lambda Functions
This SCP restricts IAM principals in accounts from making changes to specific Lambda Functions with the exception of a specific IAM role (This could be a common administrative IAM role created in all accounts in your organization)
© 2024 asecurecloud. All rights reserved.