Example SCPs for Amazon Route 53 Application Recovery Controller - Amazon Organizations

Example SCPs for Amazon Route 53 Application Recovery Controller

Prevent users from updating Route 53 ARC routing control states

A lower-level Route 53 ARC operator needs to monitor dashboards and view Route 53 ARC information. However, the operator must not be able to update routing controls to fail over the application from one Amazon Web Services Region to another, as a senior operator might be allowed to. This SCP prevents users or roles in any affected account from running the Route 53 ARC operations that update routing control states (UpdateRoutingControlState and UpdateRoutingControlStates). The only principals exempt from the deny are the roles whose ARNs match the patterns listed under the aws:PrincipalARN condition key.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAll",
      "Effect": "Deny",
      "Action": [
        "route53-recovery-cluster:UpdateRoutingControlState",
        "route53-recovery-cluster:UpdateRoutingControlStates"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": [
            "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
            "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
          ]
        }
      }
    }
  ]
}
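To check which principals the policy above blocks before attaching it, the following added example (not part of the original documentation) evaluates the SCP's Deny statement offline. It is a simplified model that handles only the action list and the ArnNotLike condition on aws:PrincipalARN; the helper names, account IDs and the ArcDashboardViewer role are assumptions made up for the illustration.

```python
import json
import re

# The SCP from this page, embedded unchanged.
SCP = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "DenyAll", "Effect": "Deny",
  "Action": ["route53-recovery-cluster:UpdateRoutingControlState",
             "route53-recovery-cluster:UpdateRoutingControlStates"],
  "Resource": "*",
  "Condition": {"ArnNotLike": {"aws:PrincipalARN": [
    "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
    "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"]}}}]}
""")

def wildcard_match(pattern, value):
    # IAM wildcards: "*" is any run of characters, "?" is exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def arn_like(pattern, arn):
    # ArnLike/ArnNotLike compare the six colon-delimited components separately.
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(map(wildcard_match, p, a))

def scp_denies(policy, action, principal_arn):
    """Return True when a Deny statement of the SCP applies to the request."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        # Action names are case-insensitive.
        if not any(wildcard_match(a.lower(), action.lower()) for a in st["Action"]):
            continue
        exempt = st.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN", [])
        # ArnNotLike holds only if the principal matches none of the patterns.
        if not any(arn_like(p, principal_arn) for p in exempt):
            return True
    return False

# Constructed requests: account IDs and the viewer role are made up.
UPDATE = "route53-recovery-cluster:UpdateRoutingControlState"
VIEWER = "arn:aws:iam::111122223333:role/ArcDashboardViewer"
REQUESTS = [
    (UPDATE, VIEWER),
    ("route53-recovery-cluster:GetRoutingControlState", VIEWER),
    (UPDATE, "arn:aws:iam::444455556666:role/Role1AllowedToBypassThisSCP"),
    (UPDATE, "arn:aws:iam::111122223333:role/ops/Role1AllowedToBypassThisSCP"),
]

if __name__ == "__main__":
    for action, arn in REQUESTS:
        print("DENY" if scp_denies(SCP, action, arn) else "pass", action, arn)
```

A "pass" result means only that this SCP does not block the request; the principal still needs an identity-based policy that allows the action. The last constructed request shows that a bypass role created under an IAM path is not exempt, because the patterns contain no path wildcard.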