SCP: Prevent changes to an IAM Role

Aug 09, 2022

0

Share this article

{{ }} Substitute variables

Adjust the variable values according to your preference.

Policy Code

Referenced from: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-restricts-iam-principals

1{    
2  "Version": "2012-10-17",
3  "Statement": [
4    {
5      "Sid": "DenyAccessToASpecificRole",
6      "Effect": "Deny",
7      "Action": [
8        "iam:AttachRolePolicy",
9        "iam:DeleteRole",
10        "iam:DeleteRolePermissionsBoundary",
11        "iam:DeleteRolePolicy",
12        "iam:DetachRolePolicy",
13        "iam:PutRolePermissionsBoundary",
14        "iam:PutRolePolicy",
15        "iam:UpdateAssumeRolePolicy",
16        "iam:UpdateRole",
17        "iam:UpdateRoleDescription"
18      ],
19      "Resource": [
20        "arn:aws:iam::*:role/{{role-name}}"
21      ]
22    }
23  ]
24}
DOC

Replace {{role-name}} with the name of the IAM Role you wish to prevent any changes to.

    img

    Related Policies

    POLICY

    SCP: Prevent users from deleting Amazon VPC flow logs

    This policy prevents principals from deleting EC2 flow logs or CloudWatch log gr...

    Amazon Web ServicesAmazon EC2

    Aug 09, 2022

    0
    POLICY

    SCP: Require a tag on specified created resources

    This policy prevents principals from creating certain resource types if the requ...

    Amazon Web ServicesAmazon EC2
    +1

    Aug 09, 2022

    0
    POLICY

    SCP: Prevent users from disabling Amazon GuardDuty

    This policy prevents principals from disabling GuardDuty or altering its configu...

    Amazon Web Services

    Aug 09, 2022

    0
    img

    Join the beta waitlist

    Enter your email to get notified when our product becomes available to try.

    Sign Up for the community

    Create your member profile to get involved with our content, programs, and events.