A configuration package to deploy common Service Control Policies (SCPs) in the master (management) account of an AWS Organization. The SCPs are grouped by security domain and service:

  • Account-level security – SCPs to restrict access based on AWS region, restrict root access and prevent users from leaving the Organization or modifying billing settings
  • Logging services protection – SCPs to prevent users from disabling logging and security services such as CloudTrail, Config, Config Rules, VPC Flow Logs, GuardDuty, Security Hub, Access Analyzer, and Macie
  • Network settings protection – SCPs to prevent modifying internet access or other network settings in VPCs
  • IAM settings protection – SCPs to prevent users from creating new IAM Users or Access Keys or modifying specific IAM Roles
  • S3 resources protection – SCPs to protect S3 Block Public Access settings, protect S3 buckets and Glacier Archives, and enforce S3 encryption
  • EC2 resources protection – SCPs to restrict EC2 instance types and to require MFA to stop EC2 instances
  • Other – SCPs to protect KMS Keys, CloudWatch Alarms/Dashboards, and prevent RAM sharing with external principals

See full SCP Repository to browse individual SCP policies.


Items: 4
Size: 2.3 KB

AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  ScpPolicy1:
    Type: 'AWS::Organizations::Policy'
    Properties:
      Name: scp_account_protection
      Content: '{"Version":"2012-10-17","Statement":[{"Action":"*","Resource":"*","Effect":"Deny","Condition":{"StringLike":{"aws:PrincipalArn":["arn:aws:iam::*:root"]}}},{"Action":["organizations:LeaveOrganization"],"Resource":"*","Effect":"Deny"},{"Action":["aws-portal:ModifyAccount","aws-portal:ModifyBilling","aws-portal:ModifyPaymentMethods"],"Resource":"*","Effect":"Deny"}]}'
      Type: SERVICE_CONTROL_POLICY
      Description: scp_account_protection
  ScpPolicy2:
    Type: 'AWS::Organizations::Policy'
    Properties:
      Name: scp_logging_services_protection
      Content: '{"Version":"2012-10-17","Statement":[{"Action":["cloudtrail:StopLogging","cloudtrail:DeleteTrail"],"Resource":"*","Effect":"Deny"},{"Action":["config:DeleteConfigRule","config:DeleteConfigurationRecorder","config:DeleteDeliveryChannel","config:StopConfigurationRecorder"],"Resource":"*","Effect":"Deny"},{"Action":["guardduty:DeleteDetector","guardduty:DeleteInvitations","guardduty:DeleteIPSet","guardduty:DeleteMembers","guardduty:DeleteThreatIntelSet","guardduty:DisassociateFromMasterAccount","guardduty:DisassociateMembers","guardduty:StopMonitoringMembers","guardduty:UpdateDetector"],"Resource":"*","Effect":"Deny"},{"Action":["securityhub:DeleteInvitations","securityhub:DisableSecurityHub","securityhub:DisassociateFromMasterAccount","securityhub:DeleteMembers","securityhub:DisassociateMembers"],"Resource":"*","Effect":"Deny"}]}'
      Type: SERVICE_CONTROL_POLICY
      Description: scp_logging_services_protection
  ScpPolicy3:
    Type: 'AWS::Organizations::Policy'
    Properties:
      Name: scp_iam_protection
      Content: '{"Version":"2012-10-17","Statement":[{"Action":["iam:CreateUser","iam:CreateAccessKey"],"Resource":["*"],"Effect":"Deny"}]}'
      Type: SERVICE_CONTROL_POLICY
      Description: scp_iam_protection
  ScpPolicy4:
    Type: 'AWS::Organizations::Policy'
    Properties:
      Name: scp_s3_protection
      Content: '{"Version":"2012-10-17","Statement":[{"Action":["s3:PutAccountPublicAccessBlock"],"Resource":"*","Effect":"Deny"}]}'
      Type: SERVICE_CONTROL_POLICY
      Description: scp_s3_protection
Parameters: {}
Metadata: {}
Conditions: {}
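To check what the four SCP documents in the template above actually block before attaching them to an OU, the following added example (written for this page, not part of the package or of the AWS tooling) implements a small offline evaluator for explicit Deny statements. It copies the four Content documents from the template verbatim and supports only what they use: `*`/`?` wildcards on Action and Resource (action matching is case-insensitive, as in IAM) and the StringLike operator on a request-context key. Any other condition operator raises, so the evaluator never silently passes a statement it does not understand. The request context values (`aws:PrincipalArn` strings) are constructed sample inputs. Keep in mind that SCPs never apply to the management account itself and only restrict what member-account principals can be granted; a Deny here is a guardrail, not a replacement for IAM policies.

```python
import fnmatch
import json

# The four SCP documents, copied from the template's Content fields.
SCPS = {
    "scp_account_protection": json.loads(
        '{"Version":"2012-10-17","Statement":[{"Action":"*","Resource":"*","Effect":"Deny",'
        '"Condition":{"StringLike":{"aws:PrincipalArn":["arn:aws:iam::*:root"]}}},'
        '{"Action":["organizations:LeaveOrganization"],"Resource":"*","Effect":"Deny"},'
        '{"Action":["aws-portal:ModifyAccount","aws-portal:ModifyBilling","aws-portal:ModifyPaymentMethods"],'
        '"Resource":"*","Effect":"Deny"}]}'
    ),
    "scp_logging_services_protection": json.loads(
        '{"Version":"2012-10-17","Statement":['
        '{"Action":["cloudtrail:StopLogging","cloudtrail:DeleteTrail"],"Resource":"*","Effect":"Deny"},'
        '{"Action":["config:DeleteConfigRule","config:DeleteConfigurationRecorder","config:DeleteDeliveryChannel",'
        '"config:StopConfigurationRecorder"],"Resource":"*","Effect":"Deny"},'
        '{"Action":["guardduty:DeleteDetector","guardduty:DeleteInvitations","guardduty:DeleteIPSet",'
        '"guardduty:DeleteMembers","guardduty:DeleteThreatIntelSet","guardduty:DisassociateFromMasterAccount",'
        '"guardduty:DisassociateMembers","guardduty:StopMonitoringMembers","guardduty:UpdateDetector"],'
        '"Resource":"*","Effect":"Deny"},'
        '{"Action":["securityhub:DeleteInvitations","securityhub:DisableSecurityHub",'
        '"securityhub:DisassociateFromMasterAccount","securityhub:DeleteMembers","securityhub:DisassociateMembers"],'
        '"Resource":"*","Effect":"Deny"}]}'
    ),
    "scp_iam_protection": json.loads(
        '{"Version":"2012-10-17","Statement":[{"Action":["iam:CreateUser","iam:CreateAccessKey"],'
        '"Resource":["*"],"Effect":"Deny"}]}'
    ),
    "scp_s3_protection": json.loads(
        '{"Version":"2012-10-17","Statement":[{"Action":["s3:PutAccountPublicAccessBlock"],'
        '"Resource":"*","Effect":"Deny"}]}'
    ),
}


def _as_list(value):
    """IAM allows a string or a list of strings in Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate the only operator these SCPs use (StringLike, wildcard, case-sensitive).
    A missing context key means the condition is not satisfied, so the Deny does not apply."""
    for operator, key_values in condition.items():
        if operator != "StringLike":
            raise NotImplementedError("unsupported condition operator: " + operator)
        for key, patterns in key_values.items():
            actual = context.get(key)
            if actual is None:
                return False
            if not any(fnmatch.fnmatchcase(actual, p) for p in _as_list(patterns)):
                return False
    return True


def denying_statements(action, resource="*", context=None, scps=SCPS):
    """Return (policy_name, statement_index) for every explicit Deny that matches the request.
    Any hit means the action is blocked for member-account principals regardless of IAM grants."""
    context = context or {}
    hits = []
    for name, doc in scps.items():
        for index, stmt in enumerate(doc["Statement"]):
            if stmt.get("Effect") != "Deny":
                continue
            # Action names are matched case-insensitively, as the IAM policy evaluator does.
            if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
                continue
            hits.append((name, index))
    return hits


def is_denied(action, resource="*", context=None, scps=SCPS):
    return bool(denying_statements(action, resource, context, scps))


if __name__ == "__main__":
    # Constructed sample principals: a root user and an IAM role in a member account.
    root = {"aws:PrincipalArn": "arn:aws:iam::123456789012:root"}
    role = {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/SecurityAudit"}
    for action, ctx in [("cloudtrail:StopLogging", role), ("cloudtrail:StartLogging", role),
                        ("ec2:DescribeInstances", root), ("ec2:DescribeInstances", role),
                        ("iam:CreateAccessKey", role), ("s3:PutAccountPublicAccessBlock", role)]:
        print(f"{action:35s} {ctx['aws:PrincipalArn']:50s} denied={is_denied(action, context=ctx)}")
```

Because `denying_statements` returns the policy name and statement index rather than a bare boolean, it doubles as a quick explanation of which guardrail fired, which is what you want when a member-account team asks why an API call returned an explicit deny.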
