Example service control policies for Amazon Organizations and Resource Explorer - Amazon Resource Explorer
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Example service control policies for Amazon Organizations and Resource Explorer

Amazon Resource Explorer supports service control policies (SCPs). SCPs are policies that you attach to elements in an organization to manage permissions within that organization. An SCP applies to all Amazon Web Services accounts in an organization under the element to which you attach the SCP. SCPs offer central control over the maximum available permissions for all accounts in your organization. They can help you to ensure your Amazon Web Services accounts stay within your organization’s access control guidelines. For more information, see Service control policies in the Amazon Organizations User Guide.

Prerequisites

To use SCPs, you must first do the following:

Example service control policies

The following example shows how you can use attribute-based access control (ABAC) to control access to the administrative operations of Resource Explorer. This example policy denies access to all Resource Explorer operations except the two permissions required to search, resource-explorer-2:Search and resource-explorer-2:GetView, unless the IAM principal making the request is tagged ResouceExplorerAdmin=TRUE. For a more complete discussion of using ABAC with Resource Explorer, see Using tag-based authorization to control access to your views.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "resource-explorer-2:AssociateDefaultView", "resource-explorer-2:BatchGetView", "resource-explorer-2:CreateIndex", "resource-explorer-2:CreateView", "resource-explorer-2:DeleteIndex", "resource-explorer-2:DeleteResourcePolicy", "resource-explorer-2:DeleteView", "resource-explorer-2:DisassociateDefaultView", "resource-explorer-2:GetDefaultView", "resource-explorer-2:GetIndex", "resource-explorer-2:GetResourcePolicy", "resource-explorer-2:ListIndexes", "resource-explorer-2:ListSupportedResourceTypes", "resource-explorer-2:ListTagsForResource", "resource-explorer-2:ListViews", "resource-explorer-2:PutResourcePolicy", "resource-explorer-2:TagResource", "resource-explorer-2:UntagResource", "resource-explorer-2:UpdateIndexType", "resource-explorer-2:UpdateView"" ], "Resource": [ "*" ], "Condition": { "StringNotEqualsIgnoreCase": {"aws:PrincipalTag/ResourceExplorerAdmin": "TRUE"} } ] }