Other SCP resources

• Other SCP resources
  • AWS
    • Data Perimiter GuardRails
    • Deny Changes to Security Services
    • Priviledged Access Controls
    • Protect Cloud Platform Resource
    • Region Controls
    • Sensitive Data Protection
    • SCP Examples
    • SCP Root OU
    • SCP Sandbox OU
    • SCP Workload OU
    • Infrastructure OU
    • Multi OUs
    • Production OU
  • Tools OU
  • Salesforce - Compliance Framework Based SCPs 2022
  • FortuneCookieZen 2019
  • ScaleSec 2021
    • Compliance SCP
      • DoDCcSrgll2Ew
      • dodCcSrgIl2Gc
      • dodCcSrgIl4Gc
      • dodCcSrgIl5Gc
      • Fed Ramp High
      • Fed Ramp Mod
      • HIPAA
      • ISO
      • PCI
      • SOC
    • Security Controls
  • CloudPosse 2022
    • EC2 Templates
    • Region Restriction Templates
    • S3 Templates
    • Policies YAML
  • RWickit
    • Organization
    • Service
  • CloudSecDocs.com
  • defensive-works
  • primeharbor
    • Governance
    • Security
  • Grolston 2021
  • Welldone Cloud - AWS SCPs for Sandbox and Training Accounts
  • Tools
  • Blogs

AWS

• https://github.com/aws-samples/service-control-policy-examples 2024
• https://github.com/aws-samples/aws-scps-with-terraform/tree/main/policies 2023
• https://github.com/aws-samples/scp-management-reference-architecture/tree/main 2024
• https://github.com/aws-samples/scp-analyzer/tree/main 2024 python tool to analyze existing scps
• https://github.com/aws-samples/automating-scp-exemptions-in-multi-account-environments-with-terraform/tree/main File size optimizations 2023
• SCP when it does not yet exist in partition China https://github.com/aws-samples/scp-alternative-solution/tree/main 2022
• https://github.com/aws-samples/aws-service-control-policies-deployment/tree/main/repos-for-code-commit/policies/scp/production Archived 2024 done in 2021

Data Perimiter GuardRails

• https://github.com/aws-samples/service-control-policy-examples/blob/main/Data-perimeter-guardrails/Data-perimeter-guardrails.md

Deny Changes to Security Services

• https://github.com/aws-samples/service-control-policy-examples/blob/main/Deny-changes-to-security-services/Deny-Permission-sets-for-Identity-Center.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Deny-changes-to-security-services/Deny-deletion-of-AWS-Access-Analyzer-and-findings-in-an-account.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Deny-changes-to-security-services/Deny-deletion-or-disassociation-or-updation-to-AWS-SecurityHub.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Deny-changes-to-security-services/Deny-enabling-and-disabling-AWS-Config.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Deny-changes-to-security-services/Deny-modifications-to-specific-CloudTrail-trails.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Deny-changes-to-security-services/Deny-users-from-disabling-or-altering-CloudWatch.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Deny-changes-to-security-services/Protect-disabling-or-deleting-Amazon-Macie.json

Priviledged Access Controls

• https://github.com/aws-samples/service-control-policy-examples/blob/main/Privileged-access-controls/Deny-Amazon-Virtual-Private-Network(VPN)-connection-creation-modification-deletion.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Privileged-access-controls/Deny-billing-modification-action.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Privileged-access-controls/Deny-creation-of-access-keys-for-the-root-user.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Privileged-access-controls/Deny-critical-IAM-user-actions.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Privileged-access-controls/Deny-modifications-to-specific-IAM-roles.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Privileged-access-controls/Deny-the-root-user-from-performing-actions-except-S3-bucketpolicy-changes.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Privileged-access-controls/Deny-unwarranted-IAM-federations-creation-modification.json

Protect Cloud Platform Resource

• https://github.com/aws-samples/service-control-policy-examples/blob/main/Protect-cloud-platform-resource/Deny-CloudHSM-deletion.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Protect-cloud-platform-resource/Deny-KMS-key-deletion.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Protect-cloud-platform-resource/Deny-creation-of-default-VPC-and-subnet.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Protect-cloud-platform-resource/Deny-deletion-of-specific-CloudWatch-Log-groups-and-streams.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Protect-cloud-platform-resource/Deny-disabling-default-EBS-encryption.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Protect-cloud-platform-resource/Deny-key-actions-on-Route53-DNS-hosted-zones.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Protect-cloud-platform-resource/Deny-modifications-to-specific-AWS-CloudFormation-resources.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Protect-cloud-platform-resource/Deny-modifications-to-specific-Amazon-Lambda-functions.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Protect-cloud-platform-resource/Deny-modifications-to-specific-SNS-topics.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Protect-cloud-platform-resource/Deny-unwanted-cancellation-or-changes-to-AWS-Marketplace-product-subscription.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Protect-cloud-platform-resource/Prevent-IMDSv1.json Warning this will affect currently running resources there are too many things that include RoleDelivery as it's global key
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Protect-cloud-platform-resource/Protect-cloud-platform-resource.md
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Protect-cloud-platform-resource/Restrict-deletion-and-modification-of-privileged-policies.json

Region Controls

• https://github.com/aws-samples/service-control-policy-examples/blob/main/Region-controls/Deny-account-region-enable-and-disable-actions.json

Sensitive Data Protection

• https://github.com/aws-samples/service-control-policy-examples/blob/main/Sensitive-data-protection/Deny-AWS-Backup-deletion-and-changes-to-configuration.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Sensitive-data-protection/Deny-RAM-from-sharing-resources-to-external-accounts.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Sensitive-data-protection/Deny-modification-to-Lambda-URL-Config.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Sensitive-data-protection/Deny-modification-to-SSM-service-settings.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Sensitive-data-protection/Deny-users-from-deleting-Amazon-Glacier-vaults-or-archives.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Sensitive-data-protection/Deny-users-from-deleting-Amazon-S3-Buckets-or-objects.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Sensitive-data-protection/Deny-users-from-disabling-block-public-access-on-AMIs.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Sensitive-data-protection/Deny-users-from-modifying-S3-Block-Public-Access-Bucket-level.json
• https://github.com/aws-samples/service-control-policy-examples/blob/main/Sensitive-data-protection/Deny-users-from-modifying-S3-Block-Public-Access.json

SCP Examples

• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/allow_services.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/deny_C5large_non-prod.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/deny_IMDSv1.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/deny_bucket_access.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/deny_default_vpc.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/deny_externals.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/deny_kms_deletion.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/deny_role_assume.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/force_EC2_encrypt.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/force_s3_encrypted_upload.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/force_sagemaker_vpc.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/protect_billing.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/protect_bpa.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/protect_bucket.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/protect_cloudtrail.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/protect_config.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/protect_cw_logs.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/protect_lambda.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/protect_role.json
• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_examples/protect_sns_topic.json

SCP Root OU

• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_root/root_policy.json
• https://github.com/aws-samples/scp-management-reference-architecture/blob/main/service_control_policies/Root/Account_Baseline_Root.json.tpl
• https://github.com/aws-samples/scp-management-reference-architecture/blob/main/service_control_policies/Root/Data_Baseline_Root.json.tpl
• https://github.com/aws-samples/scp-management-reference-architecture/blob/main/service_control_policies/Root/Infrastructure_Baseline_Root.json.tpl
• https://github.com/aws-samples/scp-management-reference-architecture/blob/main/service_control_policies/Root/Security_Baseline_Root.json.tpl

SCP Sandbox OU

• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_sandbox/sandbox.json
• https://github.com/aws-samples/aws-service-control-policies-deployment/blob/main/repos-for-code-commit/policies/scp/sandbox/allowed.json
• https://github.com/aws-samples/aws-service-control-policies-deployment/blob/main/repos-for-code-commit/policies/scp/sandbox/restricted.json

SCP Workload OU

• https://github.com/aws-samples/aws-scps-with-terraform/blob/main/policies/scp_workload/protect_guardduty.json

Infrastructure OU

• https://github.com/aws-samples/scp-management-reference-architecture/blob/main/service_control_policies/InfrastructureOU/Infrastructure_Baseline_InfrastructureOU.json.tpl

Multi OUs

• https://github.com/aws-samples/scp-management-reference-architecture/blob/main/service_control_policies/MultiOUs/Account_Baseline_AllowedServices.json.tpl
• https://github.com/aws-samples/scp-management-reference-architecture/blob/main/service_control_policies/MultiOUs/Infrastructure_Baseline_VPCBoundaries.json.tpl

Production OU

• https://github.com/aws-samples/aws-service-control-policies-deployment/blob/main/repos-for-code-commit/policies/scp/production/allowed.json
• https://github.com/aws-samples/aws-service-control-policies-deployment/blob/main/repos-for-code-commit/policies/scp/production/restricted.json

Tools OU

• https://github.com/aws-samples/aws-service-control-policies-deployment/blob/main/repos-for-code-commit/policies/scp/tools/allowed.json
• https://github.com/aws-samples/aws-service-control-policies-deployment/blob/main/repos-for-code-commit/policies/scp/tools/restricted.json

Salesforce - Compliance Framework Based SCPs 2022

https://github.com/salesforce/aws-allowlister/tree/main

• https://github.com/salesforce/aws-allowlister/blob/main/examples/latest/All-AllowList-SCP.json
• https://github.com/salesforce/aws-allowlister/blob/main/examples/latest/Commercial-AllowList-SCP.json
• https://github.com/salesforce/aws-allowlister/blob/main/examples/latest/DOD_CC_SRG_IL2_EW-AllowList-SCP.json
• https://github.com/salesforce/aws-allowlister/blob/main/examples/latest/DOD_CC_SRG_IL2_GC-AllowList-SCP.json
• https://github.com/salesforce/aws-allowlister/blob/main/examples/latest/DOD_CC_SRG_IL4_GC-AllowList-SCP.json
• https://github.com/salesforce/aws-allowlister/blob/main/examples/latest/DOD_CC_SRG_IL5_GC-AllowList-SCP.json
• https://github.com/salesforce/aws-allowlister/blob/main/examples/latest/FedRAMP_All-AllowList-SCP.json
• https://github.com/salesforce/aws-allowlister/blob/main/examples/latest/FedRAMP_High-AllowList-SCP.json
• https://github.com/salesforce/aws-allowlister/blob/main/examples/latest/FedRAMP_Moderate-AllowList-SCP.json
• https://github.com/salesforce/aws-allowlister/blob/main/examples/latest/HIPAA-AllowList-SCP.json
• https://github.com/salesforce/aws-allowlister/blob/main/examples/latest/ISO-AllowList-SCP.json
• https://github.com/salesforce/aws-allowlister/blob/main/examples/latest/PCI-AllowList-SCP.json
• https://github.com/salesforce/aws-allowlister/blob/main/examples/latest/SOC-AllowList-SCP.json

FortuneCookieZen 2019

• https://github.com/fortunecookiezen/aws-ServiceControlPolicies/blob/master/AWSOrganizationsMasterRoleDenyDelete.json
• https://github.com/fortunecookiezen/aws-ServiceControlPolicies/blob/master/AllowHipaaServices.json
• https://github.com/fortunecookiezen/aws-ServiceControlPolicies/blob/master/DenyAlternateRegions.json
• https://github.com/fortunecookiezen/aws-ServiceControlPolicies/blob/master/DenyDomainRegistration.json
• https://github.com/fortunecookiezen/aws-ServiceControlPolicies/blob/master/DenyMarketplace.json
• https://github.com/fortunecookiezen/aws-ServiceControlPolicies/blob/master/DenyReservedInstancePurchases.json
• https://github.com/fortunecookiezen/aws-ServiceControlPolicies/blob/master/MemberAccountPolicy.json
• https://github.com/fortunecookiezen/aws-ServiceControlPolicies/blob/master/PreventVpcPeering.json

ScaleSec 2021

Last Updated 2021 Majority Salesforce Policies

Compliance SCP

DoDCcSrgll2Ew

• https://raw.githubusercontent.com/salesforce/aws-allowlister/main/examples/latest/DOD_CC_SRG_IL2_EW-AllowList-SCP.json

dodCcSrgIl2Gc

• https://raw.githubusercontent.com/salesforce/aws-allowlister/main/examples/latest/DOD_CC_SRG_IL2_GC-AllowList-SCP.json

dodCcSrgIl4Gc

• https://raw.githubusercontent.com/salesforce/aws-allowlister/main/examples/latest/DOD_CC_SRG_IL4_GC-AllowList-SCP.json"

dodCcSrgIl5Gc

• https://raw.githubusercontent.com/salesforce/aws-allowlister/main/examples/latest/DOD_CC_SRG_IL5_GC-AllowList-SCP.json

Fed Ramp High

• https://raw.githubusercontent.com/salesforce/aws-allowlister/main/examples/latest/FedRAMP_High-AllowList-SCP.json

Fed Ramp Mod

• https://raw.githubusercontent.com/salesforce/aws-allowlister/main/examples/latest/FedRAMP_Moderate-AllowList-SCP.json

HIPAA

• https://raw.githubusercontent.com/salesforce/aws-allowlister/main/examples/latest/HIPAA-AllowList-SCP.json

ISO

• https://raw.githubusercontent.com/salesforce/aws-allowlister/main/examples/latest/ISO-AllowList-SCP.json

PCI

• https://raw.githubusercontent.com/salesforce/aws-allowlister/main/examples/latest/PCI-AllowList-SCP.json

SOC

• https://raw.githubusercontent.com/salesforce/aws-allowlister/main/examples/latest/SOC-AllowList-SCP.json

Security Controls

• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/account/deny_region_interaction.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/ai/ai_services_opt_out.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/awsconfig/deny_interruption_actions.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/cloudtrail/deny_cloudtrail_actions.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/comprehend/templates/require_kms_cmks.json
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/comprehend/templates/require_private_vpcs.json
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/ec2/deny_public_ami.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/ec2/deny_public_ec2_ip.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/ec2/imdsv2_max_hop.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/ec2/require_ami_tag.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/ec2/require_imdsv2.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/ec2/require_mfa_actions.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/ec2/restrict_ami_owner.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/efs/deny_unencrypted_efs_actions.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/guardduty/deny_guardduty_disassociate.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/iam/deny_actions_no_mfa.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/lambda/require_vpc_lambda.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/organizations/deny_orgs_leave.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/rds/deny_unencrypted_actions.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/region/region_restriction.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/s3/deny_public_access_points.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/s3/deny_unencrypted_uploads.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/s3/deny_unsecure_requests.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/s3/require_mfa_delete.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/s3/s3_region_lockdown.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/sagemaker/deny_direct_internet_notebook.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/sagemaker/deny_root_access.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/sagemaker/require_inter_encryption.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/sagemaker/require_vpc_domain.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/shield/deny_shield_removal.tf
• https://github.com/ScaleSec/terraform_aws_scp/blob/main/security_controls_scp/modules/vpc/deny_flow_logs_delete.tf

CloudPosse 2022

EC2 Templates

• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/ec2-templates/DenyEC2AMINotCreatedBy.yaml
• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/ec2-templates/DenyEC2AMIWithNoResourceTag.yaml

Region Restriction Templates

• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/region-restriction-templates/DenyRegions.yaml
• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml

S3 Templates

• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/s3-templates/DenyS3InNonSelectedRegion.yaml

Policies YAML

• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/account-policies.yaml
• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/cloudtrail-policies.yaml
• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/cloudwatch-logs-policies.yaml
• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/config-policies.yaml
• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/deny-all-policies.yaml
• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/ec2-policies.yaml
• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/guardduty-policies.yaml
• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/iam-policies.yaml
• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/kms-policies.yaml
• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/lambda-policies.yaml
• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/organization-policies.yaml
• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/rds-policies.yaml
• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/route53-policies.yaml
• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/s3-policies.yaml
• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/sagemaker-policies.yaml
• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/shield-policies.yaml
• https://github.com/cloudposse/terraform-aws-service-control-policies/blob/main/catalog/vpc-policies.yaml

RWickit

• https://github.com/rwickit/aws-service-control-policies/blob/main/aft/protect-sso-params.json
• https://github.com/rwickit/aws-service-control-policies/blob/main/account/deny-root-user.json
• https://github.com/rwickit/aws-service-control-policies/blob/main/account/protect-core-accounts.json
• https://github.com/rwickit/aws-service-control-policies/blob/main/account/protect-resources.json

Organization

• https://github.com/rwickit/aws-service-control-policies/blob/main/organization/allow-all.json
• https://github.com/rwickit/aws-service-control-policies/blob/main/organization/deny-all.json
• https://github.com/rwickit/aws-service-control-policies/blob/main/organization/deny-leave-org.json
• https://github.com/rwickit/aws-service-control-policies/blob/main/organization/deny-other-regions.json
• https://github.com/rwickit/aws-service-control-policies/blob/main/organization/deny-outside-us.json

Service

• https://github.com/rwickit/aws-service-control-policies/blob/main/service/deny-billing-access.json
• https://github.com/rwickit/aws-service-control-policies/blob/main/service/deny-bucket-access.json
• https://github.com/rwickit/aws-service-control-policies/blob/main/service/deny-iam-user-create.json
• https://github.com/rwickit/aws-service-control-policies/blob/main/service/deny-support-create-case.json

CloudSecDocs.com

• https://cloudsecdocs.com/aws/services/iam/organizations/#sample-scps

defensive-works

• https://github.com/defensive-works/aws-service-control-policies-automation/tree/main/policies
  • https://github.com/defensive-works/aws-service-control-policies-automation/blob/main/policies/deny-ability-to-create-iam-access-keys-users.json
  • https://github.com/defensive-works/aws-service-control-policies-automation/blob/main/policies/deny-actions-outside-approved-regions.json

primeharbor

Very specific to the tools they sell, and their opinionated AWS OU structure (may not be optimized for SCPs)

• https://github.com/primeharbor/aws-service-control-policies/tree/main/Policies

Governance

Security

Grolston 2021

• https://github.com/grolston/aws-scp-templates/blob/master/AWSConfigProtect.json
• https://github.com/grolston/aws-scp-templates/blob/master/DenyBillingDetailAccess.json
• https://github.com/grolston/aws-scp-templates/blob/master/DenyLeaveOrganization.json
• https://github.com/grolston/aws-scp-templates/blob/master/PreventLeavingOrg.json
• https://github.com/grolston/aws-scp-templates/blob/master/ProtectAWSBackupVault.json
• https://github.com/grolston/aws-scp-templates/blob/master/S3BucketPolicyACLProtect.json
• https://github.com/grolston/aws-scp-templates/blob/master/S3DeleteProtect.json
• https://github.com/grolston/aws-scp-templates/blob/master/S3LifeCycleProtect.json
• https://github.com/grolston/aws-scp-templates/blob/master/deny-nonMfaIamUsers.json
• https://github.com/grolston/aws-scp-templates/blob/master/us-region/DenyAllOutsideUS.json
• https://github.com/grolston/aws-scp-templates/blob/master/us-region/deny-regions.json
• https://github.com/grolston/aws-scp-templates/blob/master/tagging/ec2.json Tagging
• https://github.com/grolston/aws-scp-templates/blob/master/deny-unencrypted-ebs/DenyUnencryptedEbsVolumes.json

Welldone Cloud - AWS SCPs for Sandbox and Training Accounts

• https://github.com/welldone-cloud/aws-scps-for-sandbox-and-training-accounts/blob/main/scp-deny-changing-account-baseline-configuration.json
• https://github.com/welldone-cloud/aws-scps-for-sandbox-and-training-accounts/blob/main/scp-deny-making-agreements-purchases-and-reservations.json
• https://github.com/welldone-cloud/aws-scps-for-sandbox-and-training-accounts/blob/main/scp-deny-modifying-central-iam-resources.json
• https://github.com/welldone-cloud/aws-scps-for-sandbox-and-training-accounts/blob/main/scp-deny-using-other-regions.json
• https://github.com/welldone-cloud/aws-scps-for-sandbox-and-training-accounts/blob/main/scp-deny-using-other-services.json

Tools

• Combines some SCPs to save space https://github.com/trussworks/terraform-aws-ou-scp
• https://github.com/phzietsman/terraform-aws-policy-packer - reduces IAM Policy size

Blogs

• https://github.com/infralicious/awesome-service-control-policies
• https://towardsthecloud.com/aws-scp-service-control-policies
• https://www.stormit.cloud/blog/aws-scp-service-control-policy
• https://medium.com/gft-engineering/more-about-aws-service-control-policies-scp-1588ff9bc814
• Jun 17 2022 - More about AWS Service Control Policies (SCP)
• Mar 25, 2020 - AWS SCP Best Practices
• https://aws.amazon.com/blogs/security/establishing-a-data-perimeter-on-aws-allow-only-trusted-resources-from-my-organization/
• https://aws.amazon.com/blogs/security/establishing-a-data-perimeter-on-aws-allow-only-trusted-resources-from-my-organization/
• AWS re:inforce 2022 talk by Tatyana and Rajeev https://youtu.be/SMi5OBjp1fI
• https://asecure.cloud/l/scp/
• https://summitroute.com/blog/2020/03/25/aws_scp_best_practices/
• https://www.wiz.io/blog/using-service-control-policies-to-protect-security-baselines
• https://ramimac.me/terraform-minimized-scps
• https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
• https://docs.aws.amazon.com/organizations/latest/userguide/SCP_strategies.html
• https://docs.aws.amazon.com/general/latest/gr/rande-manage.html
• https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html
• https://aws.amazon.com/compliance/hipaa-eligible-services-reference/
• https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-in-aws-organizations-to-enforce-healthcare-compliance-in-your-aws-account/
• https://aws.amazon.com/compliance/hipaa-eligible-services-reference/