# AWS SCP Policies

### Setting SCP policies

> Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization.
>
> — [AWS documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html)

For more fine-grained control over what the sandbox account can do, you can also set an SCP policy. The following example denies launching EC2 instances of any type except **t2.large** (launches only; the second example under *Example SCP policies* below also covers changing the type of an existing instance).

{% tabs %}
{% tab title="🌐 Web UI" %}
Update your AWS account by entering the following in the **SCP policy** field:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireLessThanXLInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t2.large"
          ]
        }
      }
    }
  ]
}
```

{% endtab %}

{% tab title="💻 Instruqt CLI" %}
Edit your `config.yml` file to include this content:

```yaml
aws_accounts:
- name: awsaccount
  scp_policy: |-
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RequireLessThanXLInstanceType",
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:*:*:instance/*",
          "Condition": {
            "StringNotEquals": {
              "ec2:InstanceType": [
                "t2.large"
              ]
            }
          }
        }
      ]
    }
```

{% endtab %}
{% endtabs %}

{% hint style="info" %}
See [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) on the AWS docs site for more information.
{% endhint %}

#### Example SCP policies:

*Limiting the instance types that can be used in EC2*

To limit the allowed instance types, both the `ec2:RunInstances` and the `ec2:ModifyInstanceAttribute` actions need to be denied for other types; otherwise a user can launch a permitted type, stop the instance and change its type with `ModifyInstanceAttribute`. The example below limits instance types to `t2.micro` only. As with any SCP, this only filters the permissions granted by IAM policies inside the account: it grants nothing itself, and it does not apply to service-linked roles or to the organization's management account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LimitInstanceTypeRun",
      "Action": [
        "ec2:RunInstances"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "ec2:InstanceType": [
            "t2.micro"
          ]
        }
      }
    },
    {
      "Sid": "LimitInstanceTypeModify",
      "Action": [
        "ec2:ModifyInstanceAttribute"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "ec2:Attribute/InstanceType": [
            "t2.micro"
          ]
        }
      }
    }
  ]
}
```
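To see what the two policies on this page (the single `RunInstances` statement above and the two-statement `t2.micro` policy) actually allow and deny, here is a toy evaluator for Deny-only SCP statements. It is an added example, not Instruqt's or AWS's code: it implements only Action/Resource wildcard matching and the `String*` condition operators with the `IfExists` and `ForAnyValue` modifiers, assumes the default `FullAWSAccess` SCP is still attached, and uses a constructed instance ARN. It shows the resize gap when only `RunInstances` is restricted, and that an ARN pattern with empty region and account segments never matches, so its Deny silently never fires.

```python
"""Toy evaluator for Deny-only SCP statements (added example, not AWS or Instruqt code).

Implements just enough of the IAM policy language to evaluate the two policies
on this page. Real evaluation happens in AWS; use `aws ec2 run-instances --dry-run`
in the sandbox to confirm behaviour there.
"""
import copy
import fnmatch

# Two-statement policy from the "Limiting the instance types" example.
LIMIT_T2_MICRO = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LimitInstanceTypeRun", "Effect": "Deny",
         "Action": ["ec2:RunInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringNotEqualsIfExists": {"ec2:InstanceType": ["t2.micro"]}}},
        {"Sid": "LimitInstanceTypeModify", "Effect": "Deny",
         "Action": ["ec2:ModifyInstanceAttribute"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"ForAnyValue:StringNotEquals": {"ec2:Attribute/InstanceType": ["t2.micro"]}}},
    ],
}
# Same restriction with only the RunInstances statement, like the first example on the page.
RUN_ONLY = {"Version": "2012-10-17", "Statement": [LIMIT_T2_MICRO["Statement"][0]]}

# Constructed instance ARN for the requests below (not a real account or instance).
INSTANCE_ARN = "arn:aws:ec2:eu-west-1:123456789012:instance/i-0123456789abcdef0"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Every operator block and every key must match; the values of one key are OR-ed."""
    for operator, pairs in condition.items():
        set_prefix, _, op = operator.rpartition(":")   # "ForAnyValue:StringNotEquals"
        if_exists = op.endswith("IfExists")
        base = op[: -len("IfExists")] if if_exists else op
        if base not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(f"toy evaluator does not support {operator}")
        negated = base == "StringNotEquals"
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue      # ...IfExists: an absent key evaluates as true
                return False      # simplification: callers must supply non-IfExists keys
            satisfied = [(v in _as_list(expected)) != negated for v in _as_list(context[key])]
            # ForAnyValue needs one matching value; ForAllValues and single values need all
            if not (any(satisfied) if set_prefix == "ForAnyValue" else all(satisfied)):
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    # IAM wildcards * and ? behave like fnmatch; ':' and '/' are ordinary characters
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def evaluate(scp, action, resource, context):
    """Return ('Deny', Sid) if any Deny statement applies, else ('Allow', None).

    Assumes FullAWSAccess is still attached, so anything not explicitly denied
    here is passed through to the account's own IAM policies.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] == "Deny" and _statement_applies(stmt, action, resource, context):
            return "Deny", stmt.get("Sid")
    return "Allow", None


def can_launch(scp, instance_type):
    return evaluate(scp, "ec2:RunInstances", INSTANCE_ARN, {"ec2:InstanceType": instance_type})[0]


def can_resize(scp, new_type):
    ctx = {"ec2:Attribute/InstanceType": new_type}
    return evaluate(scp, "ec2:ModifyInstanceAttribute", INSTANCE_ARN, ctx)[0]


def with_resource(scp, resource):
    """Copy of scp with every statement's Resource replaced, to try out ARN patterns."""
    clone = copy.deepcopy(scp)
    for stmt in clone["Statement"]:
        stmt["Resource"] = resource
    return clone


if __name__ == "__main__":
    print("launch t2.micro:", can_launch(LIMIT_T2_MICRO, "t2.micro"))      # Allow
    print("launch m5.large:", can_launch(LIMIT_T2_MICRO, "m5.large"))      # Deny
    print("resize to m5.large:", can_resize(LIMIT_T2_MICRO, "m5.large"))   # Deny
    print("resize, RunInstances-only policy:", can_resize(RUN_ONLY, "m5.large"))  # Allow: the gap
    broken = with_resource(LIMIT_T2_MICRO, "arn:aws:ec2:::instance/*")
    print("launch m5.large, empty region/account in ARN:", can_launch(broken, "m5.large"))  # Allow
```

The last case is the one to watch for when hand-editing policies in `config.yml`: a Deny whose Resource pattern matches nothing does not fail loudly, it just stops restricting anything.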
