Example SCPs for Amazon Application Recovery Controller (ARC) - Amazon Organizations

Example SCPs for Amazon Application Recovery Controller (ARC)

Prevent users from updating ARC routing control states

A lower-level ARC operator needs to monitor dashboards and view ARC information. However, the operator must not be able to update routing controls to fail over the application from one Amazon Web Services Region to another, as a senior operator might be allowed to. This SCP prevents users or roles in any affected account from running ARC operations that update ARC routing controls, unless the principal is one of the roles listed in the policy's aws:PrincipalARN condition.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAll",
            "Effect": "Deny",
            "Action": [
                "route53-recovery-cluster:UpdateRoutingControlState",
                "route53-recovery-cluster:UpdateRoutingControlStates"
            ],
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalARN": [
                        "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
                        "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
                    ]
                }
            }
        }
    ]
}
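The following added example (not part of the original documentation) is a simplified offline model of how the Deny statement above treats different principals, including a bypass role that was created with a path. The account ID, the JuniorOperator role, the user alice, and the function names are constructed for illustration; the matcher follows the documented ArnLike behavior of comparing the six colon-delimited ARN components separately.

```python
import re

# Actions and bypass patterns copied from the SCP on this page.
DENIED_ACTIONS = {
    "route53-recovery-cluster:updateroutingcontrolstate",
    "route53-recovery-cluster:updateroutingcontrolstates",
}
BYPASS_PATTERNS = [
    "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
    "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP",
]

def _glob(pattern, value):
    """Match one ARN component: * is any run of characters, ? is one character."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value) is not None

def arn_like(pattern, arn):
    """ArnLike model: compare the six colon-delimited components one by one."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(_glob(x, y) for x, y in zip(p, a))

def scp_denies(action, principal_arn):
    """True when the Deny statement applies to this request.

    ArnNotLike with several values holds only if the principal matches none
    of them, so a single matching bypass pattern switches the Deny off.
    """
    if action.lower() not in DENIED_ACTIONS:  # action names are case-insensitive
        return False
    return not any(arn_like(p, principal_arn) for p in BYPASS_PATTERNS)

# Constructed sample principals (hypothetical account ID and names).
SAMPLES = [
    "arn:aws:iam::111122223333:role/Role1AllowedToBypassThisSCP",
    "arn:aws:iam::111122223333:role/ops/Role1AllowedToBypassThisSCP",  # has a path
    "arn:aws:iam::111122223333:role/JuniorOperator",
    "arn:aws:iam::111122223333:user/alice",
]

if __name__ == "__main__":
    action = "route53-recovery-cluster:UpdateRoutingControlState"
    for arn in SAMPLES:
        verdict = "DENY" if scp_denies(action, arn) else "not denied by this SCP"
        print(f"{verdict:24} {arn}")
```

A bypass role created under a path such as /ops/ is still denied, because the pattern in the policy contains no wildcard after role/. A principal that is not denied still needs an identity-based policy that allows the action, since an SCP does not grant permissions.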