Collection of example Service Control Policies (SCPs) that are useful for sandbox and training AWS accounts. The SCPs deny API calls that
- change baseline account settings (contacts, billing, tax settings, etc.),
- have long-term financial effects (purchases and reservations) or
- operate outside allow-listed AWS regions or services.

The provided SCPs can only be a starting point and you will need to adapt them for your specific use case.
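
A minimal policy covering the three categories above, as an added illustration that is not one of the SCPs from this collection. The allow-listed regions, the exempted global services under `NotAction`, and the selection of denied actions are assumptions to adapt per account:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideAllowedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-central-1", "eu-west-1"]
        }
      }
    },
    {
      "Sid": "DenyLongTermPurchases",
      "Effect": "Deny",
      "Action": [
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:PurchaseHostReservation",
        "rds:PurchaseReservedDBInstancesOffering",
        "savingsplans:CreateSavingsPlan"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyAccountSettingChanges",
      "Effect": "Deny",
      "Action": [
        "account:PutContactInformation",
        "account:PutAlternateContact",
        "account:DeleteAlternateContact"
      ],
      "Resource": "*"
    }
  ]
}
```

The region statement uses `NotAction` so that global services, which are served from a single region, keep working. SCPs never grant permissions, so the account still needs IAM policies that allow the remaining actions.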

Consider using aws-nuke to bring AWS accounts back into a clean and known-good state.

Have a look at the following resources for additional SCPs you might want to implement: