Example SCPs for Amazon Route 53 Application Recovery Controller
Prevent users from updating Route 53 ARC routing control states
A lower-level Route 53 ARC operator needs to monitor dashboards and view Route 53 ARC information. However, the operator must not be able to update routing controls to fail over the application from one Amazon Web Services Region to another, as a senior operator might be allowed to. This SCP prevents users or roles in any affected account from running the Route 53 ARC operations that update Route 53 ARC routing control states. The only principals exempt from the deny are the roles whose ARNs match the patterns listed under the aws:PrincipalARN condition.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAll",
            "Effect": "Deny",
            "Action": [
                "route53-recovery-cluster:UpdateRoutingControlState",
                "route53-recovery-cluster:UpdateRoutingControlStates"
            ],
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalARN": [
                        "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
                        "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
                    ]
                }
            }
        }
    ]
}
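To check which principals the deny reaches before attaching the SCP, the following added example (not part of the original page or of AWS's own code) models only this statement's Action list and ArnNotLike condition, not full IAM policy evaluation. The account ID, the JuniorOperator role and the ops/ path are constructed placeholders.

```python
import re

# The Deny statement from the SCP on this page.
STATEMENT = {
    "Effect": "Deny",
    "Action": [
        "route53-recovery-cluster:UpdateRoutingControlState",
        "route53-recovery-cluster:UpdateRoutingControlStates",
    ],
    "Condition": {"ArnNotLike": {"aws:PrincipalARN": [
        "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
        "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP",
    ]}},
}


def wildcard_match(pattern, value, ignore_case=False):
    """IAM-style wildcards: * is any run of characters, ? is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None


def arn_like(pattern, arn):
    """ArnLike: compare the six colon-delimited ARN components one by one."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(map(wildcard_match, p, a))


def scp_denies(action, principal_arn, stmt=STATEMENT):
    """True when the Deny statement applies to this request (simplified model)."""
    if not any(wildcard_match(a, action, True) for a in stmt["Action"]):
        return False
    exempt = stmt["Condition"]["ArnNotLike"]["aws:PrincipalARN"]
    # ArnNotLike holds only when the principal matches none of the patterns.
    return not any(arn_like(p, principal_arn) for p in exempt)


# Constructed principals; the account ID and non-policy role names are placeholders.
ACCT = "arn:aws:iam::111122223333:"
UPDATE = "route53-recovery-cluster:UpdateRoutingControlState"
if __name__ == "__main__":
    for action, who in [
        (UPDATE, "role/JuniorOperator"),
        (UPDATE, "role/Role1AllowedToBypassThisSCP"),
        (UPDATE, "role/ops/Role1AllowedToBypassThisSCP"),  # role created with a path
        ("route53-recovery-cluster:GetRoutingControlState", "role/JuniorOperator"),
    ]:
        print(scp_denies(action, ACCT + who), action, ACCT + who)
```

A bypass role created under an IAM path (the third sample) does not match the exemption pattern and is still denied, so the patterns must include the path if the senior-operator roles use one.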