Example Service Control Policies for AWS Trusted Advisor
AWS Trusted Advisor supports service control policies (SCPs). SCPs are policies that you attach to elements in an organization to manage permissions within that organization. An SCP applies to all AWS accounts under the element to which you attach the SCP. SCPs offer central control over the maximum available permissions for all accounts in your organization. They can help you to ensure your AWS accounts stay within your organization’s access control guidelines. For more information, see Service control policies in the AWS Organizations User Guide.
Prerequisites
To use SCPs, you must first do the following:
- Enable all features in your organization. For more information, see Enabling all features in your organization in the AWS Organizations User Guide.
- Enable SCPs for use within your organization. For more information, see Enabling and disabling policy types in the AWS Organizations User Guide.
- Create the SCPs that you need. For more information about creating SCPs, see Creating, updating, and deleting service control policies in the AWS Organizations User Guide.
Example Service Control Policies
The following examples show how you can use SCPs to restrict access to Trusted Advisor Engage and Trusted Advisor Priority across the accounts in an organization.
Example: Prevent users from creating or editing engagements in Trusted Advisor Engage
The following SCP prevents users from creating new engagements or editing existing engagements.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "trustedadvisor:CreateEngagement",
                "trustedadvisor:UpdateEngagement*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Example: Deny Trusted Advisor Engage and Trusted Advisor Priority access
The following SCP prevents users from accessing or performing any actions within Trusted Advisor Engage and Trusted Advisor Priority.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "trustedadvisor:ListEngagement*",
                "trustedadvisor:GetEngagement*",
                "trustedadvisor:CreateEngagement*",
                "trustedadvisor:UpdateEngagement*",
                "trustedadvisor:DescribeRisk*",
                "trustedadvisor:UpdateRisk*",
                "trustedadvisor:DownloadRisk"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
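Before attaching either SCP, it is worth checking which API actions the Deny statements actually cover, because a pattern without a trailing wildcard (the first policy's "trustedadvisor:CreateEngagement") matches only that exact action, while "CreateEngagement*" in the second policy also covers related actions. The following evaluator is an added example, not code from the AWS documentation; it embeds both policies from this page as constructed input, models only Effect/Action matching with Resource "*" (no Condition or NotAction handling), and the action names it tests beyond those on the page are assumed for illustration.

```python
import re

# Both SCPs from this page, embedded here as constructed input for the evaluator.
ENGAGE_WRITE_DENY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny",
                   "Action": ["trustedadvisor:CreateEngagement",
                              "trustedadvisor:UpdateEngagement*"],
                   "Resource": ["*"]}],
}
ENGAGE_PRIORITY_DENY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny",
                   "Action": ["trustedadvisor:ListEngagement*", "trustedadvisor:GetEngagement*",
                              "trustedadvisor:CreateEngagement*", "trustedadvisor:UpdateEngagement*",
                              "trustedadvisor:DescribeRisk*", "trustedadvisor:UpdateRisk*",
                              "trustedadvisor:DownloadRisk"],
                   "Resource": ["*"]}],
}


def _as_list(value):
    """IAM allows a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    """IAM action patterns: '*' matches any run, '?' one character, compared case-insensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def denies(scp: dict, action: str) -> bool:
    """True if any Deny statement in the SCP matches the action (Resource '*' assumed,
    as in both policies on this page; Condition and NotAction are not modelled)."""
    for stmt in _as_list(scp["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if any(action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            return True
    return False


def coverage(scps: dict, actions: list) -> dict:
    """Map each action to the names of the SCPs that would deny it."""
    return {a: [name for name, scp in scps.items() if denies(scp, a)] for a in actions}


if __name__ == "__main__":
    # Action names other than those in the policies are assumed for illustration.
    sample = ["trustedadvisor:CreateEngagement", "trustedadvisor:CreateEngagementCommunication",
              "trustedadvisor:UpdateEngagementStatus", "trustedadvisor:DescribeChecks"]
    for action, hits in coverage({"engage_write": ENGAGE_WRITE_DENY,
                                  "engage_priority": ENGAGE_PRIORITY_DENY}, sample).items():
        print(f"{action:50s} denied by: {hits or 'none'}")
```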