Example service control policies for Amazon Organizations and Amazon RAM - Amazon Resource Access Manager


Amazon RAM supports service control policies (SCPs). SCPs are policies that you attach to elements in an organization to manage permissions within that organization. An SCP applies to all Amazon Web Services accounts under the element to which you attach the SCP. SCPs offer central control over the maximum available permissions for all accounts in your organization. They can help you to ensure your Amazon Web Services accounts stay within your organization’s access control guidelines. For more information, see Service control policies in the Amazon Organizations User Guide.

Prerequisites

To use SCPs, you must first do the following:

Example Service Control Policies

The following examples show how you can control various aspects of resource sharing in an organization.

Example 1: Prevent external sharing

The following SCP prevents users from creating resource shares that allow sharing with principals that are outside of the sharing user's organization.

Amazon RAM authorizes APIs separately for each principal and resource listed in the call.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ram:CreateResourceShare",
                "ram:UpdateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "ram:RequestedAllowsExternalPrincipals": "true"
                }
            }
        }
    ]
}

Example 2: Prevent users from accepting resource share invitations from external accounts outside your organization

The following SCP blocks any principal in an affected account from accepting an invitation to use a resource share. Resource shares that are shared to other accounts in the same organization as the sharing account don't generate invitations and are therefore not affected by this SCP.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ram:AcceptResourceShareInvitation",
            "Resource": "*"
        }
    ]
}

Example 3: Allow specific accounts to share specific resource types

The following SCP allows only accounts 111111111111 and 222222222222 to create new resource shares that share Amazon EC2 prefix lists or to associate prefix lists with existing resource shares.

Amazon RAM authorizes APIs separately for each principal and resource listed in the call.

The StringEqualsIfExists operator allows a request if either the request doesn't include a resource type parameter or, if it does include that parameter, its value exactly matches the specified resource type. If you're including a principal, you must use an ...IfExists operator.

For more information about when and why to use ...IfExists operators, see ...IfExists condition operators in the IAM User Guide.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ram:AssociateResourceShare",
                "ram:CreateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalAccount": [
                        "111111111111",
                        "222222222222"
                    ]
                },
                "StringEqualsIfExists": {
                    "ram:RequestedResourceType": "ec2:PrefixList"
                }
            }
        }
    ]
}

Example 4: Prevent sharing with the entire organization or with organizational units

The following SCP prevents users from creating resource shares that share resources with an entire organization or with any organizational units. Users can share with individual Amazon Web Services accounts in the organization, or with IAM roles or users.

Amazon RAM authorizes APIs separately for each principal and resource listed in the call.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ram:CreateResourceShare",
                "ram:AssociateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ram:Principal": [
                        "arn:aws:organizations::*:organization/*",
                        "arn:aws:organizations::*:ou/*"
                    ]
                }
            }
        }
    ]
}

Example 5: Allow sharing with only specific principals

The following example SCP allows users to share resources with only organization o-12345abcdef, organizational unit ou-98765fedcba, and Amazon Web Services account 111111111111.

If you use an "Effect": "Deny" element with a negated condition operator, such as StringNotEqualsIfExists, the request is still denied even when the condition key is not present in the request. Use a Null condition operator to check whether a condition key is absent at the time of authorization.

Amazon RAM authorizes APIs separately for each principal and resource listed in the call.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ram:AssociateResourceShare",
                "ram:CreateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "ram:Principal": [
                        "arn:aws:organizations::123456789012:organization/o-12345abcdef",
                        "arn:aws:organizations::123456789012:ou/o-12345abcdef/ou-98765fedcba",
                        "111111111111"
                    ]
                },
                "Null": {
                    "ram:Principal": "false"
                }
            }
        }
    ]
}
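To make the IfExists behaviour in Example 3 and the Null guard in Example 5 concrete, here is an added, self-contained evaluator for the condition operators these SCPs use; it is illustration code written for this page, not AWS's policy engine. The request contexts, the account number 333333333333 and the principal 999999999999 are constructed; Example 5 is copied from the page, and a second copy without the Null block shows what the note above warns about.

```python
import fnmatch
import json
# Added illustration, not AWS code: a minimal evaluator for the operators the SCPs
# on this page use (Bool, StringEquals, StringNotEquals, StringEqualsIfExists,
# StringLike, Null). A context carries one value per key; the real service
# authorizes each principal and resource separately. Resource is "*" everywhere.
def op_matches(op, expected, actual):
    """Evaluate one condition operator against a context value (None = absent)."""
    if op == "Null":  # "true": key must be absent; "false": key must be present
        return (actual is None) == (expected[0] == "true")
    base, if_exists = (op[:-8], True) if op.endswith("IfExists") else (op, False)
    negated = base.startswith("StringNot")
    if actual is None:  # absent key: only negated and ...IfExists operators match
        return if_exists or negated
    like = base.endswith("Like")  # StringLike / StringNotLike accept * and ?
    hit = any(fnmatch.fnmatchcase(actual, v) if like else actual == v for v in expected)
    return hit != negated

def scp_denies(policy, action, context):
    """True if any Deny statement in the SCP matches the action and context."""
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or not any(fnmatch.fnmatchcase(action, a) for a in acts):
            continue
        checks = [(op, [v] if isinstance(v, str) else v, context.get(key))
                  for op, keys in stmt.get("Condition", {}).items() for key, v in keys.items()]
        if all(op_matches(op, exp, act) for op, exp, act in checks):
            return True
    return False

# Example 5 from this page, as written (with the Null guard) ...
EXAMPLE_5 = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Deny",
 "Action": ["ram:AssociateResourceShare", "ram:CreateResourceShare"], "Resource": "*",
 "Condition": {"StringNotEquals": {"ram:Principal": [
   "arn:aws:organizations::123456789012:organization/o-12345abcdef",
   "arn:aws:organizations::123456789012:ou/o-12345abcdef/ou-98765fedcba",
   "111111111111"]}, "Null": {"ram:Principal": "false"}}}]}""")
# ... and a copy with the Null guard removed, to show why the page insists on it.
EXAMPLE_5_NO_NULL = json.loads(json.dumps(EXAMPLE_5))
del EXAMPLE_5_NO_NULL["Statement"][0]["Condition"]["Null"]

def create_share_denied(policy, principal=None):
    """Simulate ram:CreateResourceShare with zero or one principal (constructed)."""
    ctx = {} if principal is None else {"ram:Principal": principal}
    return scp_denies(policy, "ram:CreateResourceShare", ctx)

if __name__ == "__main__":
    for p in (None, "111111111111", "999999999999"):
        print(p, create_share_denied(EXAMPLE_5, p), create_share_denied(EXAMPLE_5_NO_NULL, p))
```

Without the Null block, a CreateResourceShare call that names no principal at all is denied, because the negated operator evaluates to true when ram:Principal is absent.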