AWS SCP Policies

Setting SCP policies

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization.

AWS documentation

For more fine-grained control, you can also set SCP policies. The following example denies launching EC2 instances of any type other than t2.large.

Update your AWS account by entering the following in the SCP policy field:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireLessThanXLInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t2.large"
          ]
        }
      }
    }
  ]
}

See Service control policies on the AWS docs site for more information.

Example SCP policies:

Limiting the instance types that can be used in EC2

To limit the allowed instance types, both the ec2:RunInstances and the ec2:ModifyInstanceAttribute actions need to be specified, since the type of an existing (stopped) instance can be changed with ec2:ModifyInstanceAttribute. The example below limits instance types to t2.micro only.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LimitInstanceTypeRun",
      "Action": [
        "ec2:RunInstances"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "ec2:InstanceType": [
            "t2.micro"
          ]
        }
      }
    },
    {
      "Sid": "LimitInstanceTypeModify",
      "Action": [
        "ec2:ModifyInstanceAttribute"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "ec2:Attribute/InstanceType": [
            "t2.micro"
          ]
        }
      }
    }
  ]
}
