Amazon Virtual Private Cloud(Amazon VPC)的示例 SCP - Amazon Organizations
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

Amazon Virtual Private Cloud(Amazon VPC)的示例 SCP

阻止用户删除 Amazon VPC 流日志

此 SCP 阻止任何受影响账户中的用户或角色删除 Amazon Elastic Compute Cloud(Amazon EC2)流日志或者 CloudWatch 日志组或日志流。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "ec2:DeleteFlowLogs", "logs:DeleteLogGroup", "logs:DeleteLogStream" ], "Resource": "*" } ] }

阻止还没有 Internet 访问权的任何 VPC 获取它

此 SCP 阻止任何受影响账户中的用户或角色更改 Amazon EC2 Virtual Private Cloud(VPC)的配置以允许他们直接访问 Internet。它不会阻止现有直接访问或通过您的本地网络环境路由的任何访问。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "ec2:AttachInternetGateway", "ec2:CreateInternetGateway", "ec2:CreateEgressOnlyInternetGateway", "ec2:CreateVpcPeeringConnection", "ec2:AcceptVpcPeeringConnection", "globalaccelerator:Create*", "globalaccelerator:Update*" ], "Resource": "*" } ] }