{ "Version": "2012-10-17", "Statement": [ { "Sid": "RestrictEC2ForRoot", "Effect": "Deny", "Action": [ "ec2:*" ], "Resource": [ "*" ], "Condition": { "StringLike": { "aws:PrincipalArn": [ "arn:aws:iam::*:root" ] } } } ] }
Amazon GuardDuty の SCP の例 - AWS Organizations
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "guardduty:AcceptInvitation", "guardduty:ArchiveFindings", "guardduty:CreateDetector", "guardduty:CreateFilter", "guardduty:CreateIPSet", "guardduty:CreateMembers", "guardduty:CreatePublishingDestination", "guardduty:CreateSampleFindings", "guardduty:CreateThreatIntelSet", "guardduty:DeclineInvitations", "guardduty:DeleteDetector", "guardduty:DeleteFilter", "guardduty:DeleteInvitations", "guardduty:DeleteIPSet", "guardduty:DeleteMembers", "guardduty:DeletePublishingDestination", "guardduty:DeleteThreatIntelSet", "guardduty:DisassociateFromMasterAccount", "guardduty:DisassociateMembers", "guardduty:InviteMembers", "guardduty:StartMonitoringMembers", "guardduty:StopMonitoringMembers", "guardduty:TagResource", "guardduty:UnarchiveFindings", "guardduty:UntagResource", "guardduty:UpdateDetector", "guardduty:UpdateFilter", "guardduty:UpdateFindingsFeedback", "guardduty:UpdateIPSet", "guardduty:UpdatePublishingDestination", "guardduty:UpdateThreatIntelSet" ], "Resource": "*" } ] }
Amazon Virtual Private Cloud (Amazon VPC) の SCP の例 - AWS Organizations
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "ec2:DeleteFlowLogs", "logs:DeleteLogGroup", "logs:DeleteLogStream" ], "Resource": "*" } ] }
AWS Config の SCP の例 - AWS Organizations
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "config:DeleteConfigRule", "config:DeleteConfigurationRecorder", "config:DeleteDeliveryChannel", "config:StopConfigurationRecorder" ], "Resource": "*" } ] }
AWS Organizations の SCP を使って特定のIPアドレスのみで AWS が利用できるようにしてみよう #AWS - Qiita
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Deny", "Action": "*", "Resource": [ "*" ], "Condition": { "StringLike": { "aws:username": [ "*" ] }, "NotIpAddress": { "aws:SourceIp": [ "x.x.x.x/24", "x.x.x.x/24" ] }, "Bool": { "aws:ViaAWSService": "false" } } } ] }
参考:AWS Organizations の SCP を使ってリージョン制限をかけてみよう #AWS - Qiita
利用できるリージョンを東京リージョン(ap-northeast-1)とグローバルサービスのためにバージニア北部リージョン(us-east-1)のみに制限する
{ "Version": "2012-10-17", "Statement": [ { "Sid": "denyRegion", "Effect": "Deny", "Action": [ "*" ], "Resource": [ "*" ], "Condition": { "StringNotEquals": { "aws:RequestedRegion": [ "ap-northeast-1", "us-east-1" ] } } } ] }
参考:AWS OrganizationsのSCP設計で参考になりそうなサンプルポリシーを作成してみる - サーバーワークスエンジニアブログ
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyIAMOperations", "Effect": "Deny", "Action": [ "iam:CreateAccessKey", "iam:DeleteAccountPasswordPolicy" ], "Resource": [ "*" ] } ] }
参考:AWS OrganizationsのSCP設計で参考になりそうなサンプルポリシーを作成してみる - サーバーワークスエンジニアブログ
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ForceRDSStorageEncryption", "Effect": "Deny", "Action": [ "rds:CreateDBInstance", "rds:CreateDBCluster" ], "Resource": [ "*" ], "Condition": { "Bool": { "rds:StorageEncrypted": "false" } } }, { "Sid": "ForceEBSStorageEncryption", "Effect": "Deny", "Action": [ "ec2:RunInstances", "ec2:CreateVolume" ], "Resource": [ "*" ], "Condition": { "Bool": { "ec2:Encrypted": "false" } } }, { "Sid": "ForceEFSStorageEncryption", "Effect": "Deny", "Action": [ "elasticfilesystem:CreateFileSystem" ], "Resource": [ "*" ], "Condition": { "Bool": { "elasticfilesystem:Encrypted": "false" } } } ] }