# AWS SCP Policies

### Setting SCP policies

> Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization.
>
> — [AWS documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html)

For more fine-grained control, you can also set SCP policies. The following example disallows EC2 instance types except **t2.large.**

{% tabs %}
{% tab title="🌐 Web UI" %}
Update your AWS account by entering the following in the **SCP policy** field:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireLessThanXLInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t2.large"
          ]
        }
      }
    }
  ]
}
```

{% endtab %}

{% tab title="💻 Instruqt CLI" %}
Edit your `config.yml` file to include this content:

```json
aws_accounts:
- name: awsaccount
  scp_policy: |-
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RequireLessThanXLInstanceType",
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:::instance/*",
          "Condition": {
            "StringNotEquals": {
              "ec2:InstanceType": [
                "t2.large"
              ]
            }
          }
        }
      ]
    }
```

{% endtab %}
{% endtabs %}

{% hint style="info" %}
See [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) on the AWS docs site for more information.
{% endhint %}

#### Example SCP policies:

*Limiting the instance types that can be used in EC2*

To limit the allowed instance types, both the `ec2.RunInstances` as the `ec2.ModifyInstanceAttributes` actions need to be specified. The example below limits instance types to `t2.micro` only.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LimitInstanceTypeRun",
      "Action": [
        "ec2:RunInstances"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "ec2:InstanceType": [
            "t2.micro"
          ]
        }
      }
    },
    {
      "Sid": "LimitInstanceTypeModify",
      "Action": [
        "ec2:ModifyInstanceAttribute"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "ec2:Attribute/InstanceType": [
            "t2.micro"
          ]
        }
      }
    }
  ]
}
```