> For the complete documentation index, see [llms.txt](https://docs.instruqt.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.instruqt.com/sandboxes/cloud-accounts/aws-accounts/aws-scp-policies.md).

# AWS SCP Policies

### Setting SCP policies

> Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization.
>
> — [AWS documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html)

For more fine-grained control, you can also attach an SCP to the sandbox account. An SCP only restricts what identities in the account may do; it never grants permissions, so the account's IAM policies must still allow the actions you want to permit. The following example denies launching any EC2 instance type other than **t2.large**.

{% tabs %}
{% tab title="🌐 Web UI" %}
Update your AWS account by entering the following in the **SCP policy** field:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireLessThanXLInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t2.large"
          ]
        }
      }
    }
  ]
}
```

{% endtab %}

{% tab title="💻 Instruqt CLI" %}
Edit your `config.yml` file to include this content:

```yaml
aws_accounts:
- name: awsaccount
  scp_policy: |-
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RequireLessThanXLInstanceType",
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:*:*:instance/*",
          "Condition": {
            "StringNotEquals": {
              "ec2:InstanceType": [
                "t2.large"
              ]
            }
          }
        }
      ]
    }
```

{% endtab %}
{% endtabs %}

{% hint style="info" %}
See [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) on the AWS docs site for more information.
{% endhint %}

#### Example SCP policies:

*Limiting the instance types that can be used in EC2*

To limit the allowed instance types, both the `ec2:RunInstances` and the `ec2:ModifyInstanceAttribute` actions need to be denied: with only the first statement, a user could launch an allowed type, stop the instance, and resize it to a larger one. `RunInstances` is authorized against several resource types (image, subnet, security group, volume, and so on), and the `ec2:InstanceType` condition key is only available for the `instance` resource, which is why the `Resource` of the first statement is scoped to instance ARNs. The second statement checks the requested type through the `ec2:Attribute/InstanceType` key. The example below limits instance types to `t2.micro` only.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LimitInstanceTypeRun",
      "Action": [
        "ec2:RunInstances"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "ec2:InstanceType": [
            "t2.micro"
          ]
        }
      }
    },
    {
      "Sid": "LimitInstanceTypeModify",
      "Action": [
        "ec2:ModifyInstanceAttribute"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "ec2:Attribute/InstanceType": [
            "t2.micro"
          ]
        }
      }
    }
  ]
}
```
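The following is an added example, not Instruqt's or AWS's code: a small offline evaluator for the subset of SCP semantics used by the policies on this page (Deny statements, the String condition operators, and wildcard ARN matching). It runs the two-statement `t2.micro` policy above, and the single-statement `t2.large` policy from the top of the page takes the same path, against constructed requests: launching an allowed and a disallowed type, resizing a stopped instance, and modifying an attribute whose request context lacks the instance-type key. The instance ARN and account id are placeholders, and the rules for absent condition keys are my reading of the AWS condition-operator documentation, so confirm anything you rely on with the IAM policy simulator (`aws iam simulate-custom-policy`).

```python
# Added example (not Instruqt's or AWS's code): offline evaluator for the subset of SCP
# semantics this page uses. Sanity-check a policy before pasting it into a sandbox;
# verify anything you rely on with the IAM policy simulator.
import re

# The two-statement policy from this page, pinning the instance type to t2.micro.
LIMIT_T2_MICRO = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LimitInstanceTypeRun", "Effect": "Deny",
         "Action": ["ec2:RunInstances"], "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringNotEqualsIfExists": {"ec2:InstanceType": ["t2.micro"]}}},
        {"Sid": "LimitInstanceTypeModify", "Effect": "Deny",
         "Action": ["ec2:ModifyInstanceAttribute"], "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"ForAnyValue:StringNotEquals": {"ec2:Attribute/InstanceType": ["t2.micro"]}}},
    ],
}

# Constructed request target; the account id and instance id are placeholders.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _glob(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' a single one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def arn_matches(pattern: str, arn: str) -> bool:
    """Match the six colon-separated ARN fields one by one.

    An empty pattern field matches only an empty request field, so a pattern like
    'arn:aws:ec2:::instance/*' never matches a real instance ARN (which always has a
    region and an account id) and a Deny written that way silently never applies.
    """
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == 6 and len(a) == 6 and all(_glob(x, y) for x, y in zip(p, a))


def _condition_matches(condition: dict, context: dict) -> bool:
    """Every operator block, and every key inside one, must match (logical AND)."""
    for operator, pairs in condition.items():
        set_op, _, base = operator.rpartition(":")   # e.g. "ForAnyValue:StringNotEquals"
        if_exists = base.endswith("IfExists")
        base = base[: -len("IfExists")] if if_exists else base
        if base not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(f"{operator} is not modelled here")
        negated = base == "StringNotEquals"
        for key, values in pairs.items():
            values = _as_list(values)
            if key not in context:
                # Absent-key rules as I read the AWS condition-operator docs (an
                # assumption to verify): ...IfExists and ForAllValues evaluate to true,
                # ForAnyValue to false, and a plain negated operator to true because
                # an absent value counts as "not equal".
                if if_exists or set_op == "ForAllValues":
                    matched = True
                elif set_op == "ForAnyValue":
                    matched = False
                else:
                    matched = negated
            else:
                hits = [(v in values) != negated for v in _as_list(context[key])]
                matched = all(hits) if set_op == "ForAllValues" else any(hits)
            if not matched:
                return False
    return True


def is_denied(policy: dict, action: str, resource: str, context: dict) -> bool:
    """True if any Deny statement in the SCP matches the request.

    An SCP never grants anything: a request it does not deny still needs an IAM
    identity policy in the account that allows it.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(arn_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def check_instance_type_guardrail(policy: dict) -> dict:
    """Run the scenarios the prose describes and return {scenario: denied?}."""
    run, modify = "ec2:RunInstances", "ec2:ModifyInstanceAttribute"
    return {
        "run_t2_micro": is_denied(policy, run, INSTANCE_ARN, {"ec2:InstanceType": "t2.micro"}),
        "run_m5_large": is_denied(policy, run, INSTANCE_ARN, {"ec2:InstanceType": "m5.large"}),
        # Stop an allowed instance, then resize it: the loophole the second statement closes.
        "resize_to_m5_large": is_denied(policy, modify, INSTANCE_ARN, {"ec2:Attribute/InstanceType": "m5.large"}),
        "resize_to_t2_micro": is_denied(policy, modify, INSTANCE_ARN, {"ec2:Attribute/InstanceType": "t2.micro"}),
        # Constructed context for another attribute: ec2:Attribute/InstanceType is absent.
        "change_other_attribute": is_denied(policy, modify, INSTANCE_ARN, {"ec2:Attribute/DisableApiTermination": "true"}),
    }


if __name__ == "__main__":
    for scenario, denied in check_instance_type_guardrail(LIMIT_T2_MICRO).items():
        print(f"{scenario:24} {'DENIED by SCP' if denied else 'not denied by SCP'}")
    print("ARN without region/account matches:", arn_matches("arn:aws:ec2:::instance/*", INSTANCE_ARN))
```

Running the script shows the disallowed launch and the resize to `m5.large` denied while the `t2.micro` cases pass through, and `arn_matches` demonstrates why an instance ARN pattern must carry `*` in the region and account fields rather than leaving them empty. Only Deny statements are modelled, since that is all an SCP used as a guardrail needs; any operator outside `StringEquals`/`StringNotEquals` raises instead of guessing.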
