Example SCPs for Amazon Virtual Private Cloud (Amazon VPC)
Prevent users from deleting Amazon VPC flow logs
This SCP prevents users or roles in any affected account from deleting Amazon Elastic Compute Cloud (Amazon EC2) flow logs, CloudWatch Logs log groups, or log streams.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ec2:DeleteFlowLogs",
                "logs:DeleteLogGroup",
                "logs:DeleteLogStream"
            ],
            "Resource": "*"
        }
    ]
}
Prevent any VPC that doesn't already have internet access from getting it
This SCP prevents users or roles in any affected account from changing the configuration of your Amazon EC2 virtual private clouds (VPCs) to give them direct access to the internet. It does not block existing direct access, nor any access that is routed through your on-premises network environment.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ec2:AttachInternetGateway",
                "ec2:CreateInternetGateway",
                "ec2:CreateEgressOnlyInternetGateway",
                "ec2:CreateVpcPeeringConnection",
                "ec2:AcceptVpcPeeringConnection",
                "globalaccelerator:Create*",
                "globalaccelerator:Update*"
            ],
            "Resource": "*"
        }
    ]
}
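To see which API calls the two SCPs above would block before attaching them to an OU, the following added Python script (not part of the AWS documentation) embeds both policies and applies IAM-style action matching, where comparison is case-insensitive and "*" is a wildcard; the function names action_matches, matching_denies and is_denied are this example's own, and it deliberately models only the explicit-deny side of SCP evaluation (Resource "*", no Condition keys).

```python
import fnmatch

# Both SCPs from this page, embedded as Python dicts so the check runs offline.
SCPS = {
    "deny-flow-log-deletion": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Resource": "*", "Action": [
            "ec2:DeleteFlowLogs", "logs:DeleteLogGroup", "logs:DeleteLogStream"]}],
    },
    "deny-new-internet-access": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Resource": "*", "Action": [
            "ec2:AttachInternetGateway", "ec2:CreateInternetGateway",
            "ec2:CreateEgressOnlyInternetGateway", "ec2:CreateVpcPeeringConnection",
            "ec2:AcceptVpcPeeringConnection", "globalaccelerator:Create*",
            "globalaccelerator:Update*"]}],
    },
}


def action_matches(pattern, action):
    """IAM-style action match: case-insensitive, '*' and '?' act as wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def matching_denies(scps, action):
    """Names of the SCPs whose Deny statements cover `action`.

    Only the explicit-deny half of SCP evaluation is modelled here: an action that
    no SCP denies is still unusable unless an SCP *and* an IAM policy allow it.
    """
    hits = []
    for name, scp in scps.items():
        for stmt in scp["Statement"]:
            if stmt.get("Effect") != "Deny":
                continue
            patterns = stmt["Action"]
            if isinstance(patterns, str):  # "Action" may be a string or a list
                patterns = [patterns]
            if any(action_matches(p, action) for p in patterns):
                hits.append(name)
    return hits


def is_denied(scps, action):
    """True if at least one SCP explicitly denies the action."""
    return bool(matching_denies(scps, action))


if __name__ == "__main__":
    for act in ("ec2:DeleteFlowLogs", "ec2:DescribeFlowLogs",
                "globalaccelerator:CreateAccelerator", "ec2:CreateVpc"):
        print(f"{act:40} denied={is_denied(SCPS, act)}")
```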