A collection of AWS Service Control Policies (SCP) with the intent of enforcing general best practices.

Preference towards white listing specific actions, services, or conditions is in place to ensure forward compatability as new actions, regions, or other services are created in the future.

ScpDenyService - Deny any service not explicitly listed in NotAction.

ScpDenyRegion - Deny API calls to any region not explicitly listed in "aws:RequestedRegion" values. US-East-1 is the Global API endpoint, meaning it should always be allowed.

ScpDenyRoleChanges - Deny any changes to IAM roles unless you are a member of the Organization's master role with an MFA token issued in the past hour. Where "Role-OrgAdministrator" is the cross account role used for break-glass scenarios from the Organization Master account. The role name should remain consistent between member accounts for the wildcard in the ARN to work.

ScpDenyEC2 - Deny a number of EC2 specific actions that should be strictly controlled. Requires PrincipalARN as the Organization's master role, and an MFA token from the past hour.