Tags: amazon-web-services, amazon-iam, amazon-policy

Deny creation of new resources via Service Control Policy
Is it possible to create an SCP (Service Control Policy) and attach it to an account so that it denies launching any new resources (infrastructure) within this account? Assume that the account is part of AWS Organizations.

The question arises from the following confusions:

  • can an SCP restrict specific actions such as launching infrastructure?
  • can an SCP be applied at the account level (not at the organizational one!)?

Solution

  • Yes, it is possible.

    1. An SCP can contain explicit Deny rules, for example to deny creation of any EC2-related instances and resources:

       {
           "Version": "2012-10-17",
           "Statement": [
               {
                   "Sid": "Statement1",
                   "Effect": "Deny",
                   "Action": [
                       "ec2:Create*"
                   ],
                   "Resource": "*"
               }
           ]
       }

    2. Any SCP can be attached to:

      • Accounts
      • Organizational units
      • Root account
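As an added example (not from the answer above), this builds the kind of account-freeze SCP the answer describes, widened to ec2:RunInstances (the call that actually launches instances, which ec2:Create* alone does not match) and a few other services, keeps a break-glass role exempt, checks offline which calls it would block, and attaches it to a single account with boto3. The role ARN, account id and policy name are constructed placeholders.

```python
import fnmatch
import json

# Constructed placeholder: an exempt break-glass role so the account stays administrable.
BREAK_GLASS_ROLE_ARN = "arn:aws:iam::111122223333:role/BreakGlassAdmin"

# ec2:RunInstances is the API call that launches instances; ec2:Create* does not cover it.
DENIED_ACTIONS = ["ec2:RunInstances", "ec2:Create*", "rds:Create*",
                  "lambda:CreateFunction", "s3:CreateBucket"]


def build_freeze_scp() -> dict:
    """SCP document denying the creation/launch actions above for everyone but the break-glass role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNewResources",
            "Effect": "Deny",
            "Action": DENIED_ACTIONS,
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": BREAK_GLASS_ROLE_ARN}},
        }],
    }


def scp_denies(policy: dict, action: str, principal_arn: str) -> bool:
    """Offline approximation of SCP evaluation: Deny statements only, '*' wildcards,
    case-insensitive action names, and the ArnNotLike/aws:PrincipalArn condition used above."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
        if exempt and fnmatch.fnmatchcase(principal_arn, exempt):
            continue  # condition is false, so this Deny does not apply to the caller
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in stmt["Action"]):
            return True
    return False


def attach_to_account(account_id: str, name: str = "FreezeNewResources") -> str:
    """Create the SCP and attach it directly to one account (not an OU).
    Needs management-account credentials; boto3 is imported lazily so the rest runs offline."""
    import boto3
    org = boto3.client("organizations")
    created = org.create_policy(Content=json.dumps(build_freeze_scp()), Name=name,
                                Description="Deny creation of new resources",
                                Type="SERVICE_CONTROL_POLICY")
    policy_id = created["Policy"]["PolicySummary"]["Id"]
    org.attach_policy(PolicyId=policy_id, TargetId=account_id)
    return policy_id
```

SCPs never restrict the organization's management account, so attach the policy to a member account; the offline check only models the Deny semantics, not the full IAM evaluation chain.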