Adjust the placeholder values (shown in double curly braces) to match your environment.
Policy Code
Referenced from: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-restricts-iam-principals
1{
2 "Version": "2012-10-17",
3 "Statement": [
4 {
5 "Sid": "DenyAccessToASpecificRole",
6 "Effect": "Deny",
7 "Action": [
8 "iam:AttachRolePolicy",
9 "iam:DeleteRole",
10 "iam:DeleteRolePermissionsBoundary",
11 "iam:DeleteRolePolicy",
12 "iam:DetachRolePolicy",
13 "iam:PutRolePermissionsBoundary",
14 "iam:PutRolePolicy",
15 "iam:UpdateAssumeRolePolicy",
16 "iam:UpdateRole",
17 "iam:UpdateRoleDescription"
18 ],
19 "Resource": [
20 "arn:aws:iam::*:role/{{role-name}}"
21 ]
22 }
23 ]
24}
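Replace {{role-name}} with the name of the IAM role you want to protect from changes. Because the statement has no Condition element, the Deny applies to every principal in the member accounts the SCP is attached to, administrators included, so decide how legitimate changes to the role will be made before you attach it. The listed actions cover modifying and deleting the role; the policy does not restrict who can assume it.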