Restrict changes to VPC configurations
After you have designed and deployed the AWS infrastructure that supports your cross-border data transfer requirements, including its network data flows, you might want to prevent further modifications. The following service control policy (SCP) helps prevent VPC configuration drift and unintentional changes. It denies the creation and attachment of internet gateways; the creation and acceptance of VPC peering connections; the creation of VPCs, subnets, route tables, routes, and route table associations; changes to VPC attributes; every transit gateway action, including attachments; and the creation or update of AWS Global Accelerator resources. The deny applies to every principal in the accounts the policy is attached to except the two roles listed in the ArnNotLike condition (aws:PrincipalArn resolves to the role ARN for an assumed-role session, which is why matching on the role ARN works). Note that the policy does not list ec2:CreateVpnConnection, so it does not by itself block new Site-to-Site VPN connections; add that action if you need to deny them. Also keep in mind that SCPs never affect the organization's management account or service-linked roles, and that an SCP only limits permissions: a principal still needs an IAM Allow for any action that is not denied here. For more information about how this policy can help protect privacy and personal data in your organization, see AWS Transit Gateway in this guide.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:AttachInternetGateway",
        "ec2:CreateInternetGateway",
        "ec2:CreateVpcPeeringConnection",
        "ec2:AcceptVpcPeeringConnection",
        "ec2:CreateVpc",
        "ec2:CreateSubnet",
        "ec2:CreateRouteTable",
        "ec2:CreateRoute",
        "ec2:AssociateRouteTable",
        "ec2:ModifyVpcAttribute",
        "ec2:*TransitGateway",
        "ec2:*TransitGateway*",
        "globalaccelerator:Create*",
        "globalaccelerator:Update*"
      ],
      "Resource": "*",
      "Effect": "Deny",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": [
            "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
            "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
          ]
        }
      }
    }
  ]
}
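To see which API calls this SCP actually blocks before you attach it, the following offline evaluator is added here as an example; it is not AWS code and not part of this guide's policy set. It embeds the policy above and reimplements only the subset of IAM matching the statement relies on: case-insensitive action wildcards, component-wise ArnLike matching, and the ArnNotLike exemption. It does not model the parts of SCP evaluation the policy itself does not express (the management-account and service-linked-role exemptions, or the Allow side of the evaluation). The account ID and the NetworkAdmin role name in the samples are made up.

```python
"""Offline evaluator for the VPC-lockdown SCP above (added example, not AWS code).

Reimplements only what the statement needs: case-insensitive action wildcards,
component-wise ArnLike matching, and the ArnNotLike exemption. Sample account
IDs and role names are constructed for the example.
"""
import json
import re

# The SCP exactly as shown above, embedded so the script runs offline.
SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:AttachInternetGateway", "ec2:CreateInternetGateway",
        "ec2:CreateVpcPeeringConnection", "ec2:AcceptVpcPeeringConnection",
        "ec2:CreateVpc", "ec2:CreateSubnet", "ec2:CreateRouteTable",
        "ec2:CreateRoute", "ec2:AssociateRouteTable", "ec2:ModifyVpcAttribute",
        "ec2:*TransitGateway", "ec2:*TransitGateway*",
        "globalaccelerator:Create*", "globalaccelerator:Update*"
      ],
      "Resource": "*",
      "Effect": "Deny",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": [
            "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
            "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
          ]
        }
      }
    }
  ]
}
""")


def _wildcard_regex(pattern: str) -> re.Pattern:
    """Translate an IAM wildcard pattern ('*' = any run, '?' = one char) to a regex."""
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def action_matches(pattern: str, action: str) -> bool:
    """Action names match case-insensitively, so 'EC2:createvpc' is still denied."""
    return _wildcard_regex(pattern.lower()).match(action.lower()) is not None


def arn_like(pattern: str, arn: str) -> bool:
    """ArnLike compares each of the six colon-delimited ARN components separately
    and case-sensitively; a '*' in one component does not span into the next."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(_wildcard_regex(p).match(a) for p, a in zip(p_parts, a_parts))


def is_denied(action: str, principal_arn: str, policy: dict = SCP) -> bool:
    """True if a Deny statement in the policy applies to this action/principal.

    principal_arn is the value of aws:PrincipalArn, which for an assumed-role
    session is the role ARN (arn:aws:iam::ACCOUNT:role/NAME), not the session ARN.
    Not modelled: the management-account and service-linked-role exemptions.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(action_matches(p, action) for p in actions):
            continue
        # Condition keys are case-insensitive: accept aws:PrincipalARN or aws:PrincipalArn.
        not_like = stmt.get("Condition", {}).get("ArnNotLike", {})
        exempt = next((v for k, v in not_like.items() if k.lower() == "aws:principalarn"), [])
        if isinstance(exempt, str):
            exempt = [exempt]
        # ArnNotLike holds (so the Deny applies) only when NO listed ARN matches.
        if any(arn_like(p, principal_arn) for p in exempt):
            continue
        return True
    return False


def denied_subset(actions, principal_arn: str) -> list:
    """Return the actions from `actions` that the SCP denies for this principal."""
    return [a for a in actions if is_denied(a, principal_arn)]


if __name__ == "__main__":
    # Constructed sample calls; the account ID and NetworkAdmin role are made up.
    admin = "arn:aws:iam::123456789012:role/NetworkAdmin"
    bypass = "arn:aws:iam::123456789012:role/Role1AllowedToBypassThisSCP"
    probes = [
        "ec2:AttachInternetGateway",
        "ec2:CreateTransitGatewayVpcAttachment",
        "ec2:AcceptTransitGatewayPeeringAttachment",
        "globalaccelerator:CreateAccelerator",
        "ec2:CreateVpnConnection",  # not listed in the SCP, so not denied by it
        "ec2:DescribeVpcs",
    ]
    print("denied for", admin, denied_subset(probes, admin))
    print("denied for", bypass, denied_subset(probes, bypass))
```

Running it shows that ec2:CreateVpnConnection passes through for the NetworkAdmin role and that the bypass role is denied nothing; it is also a quick way to confirm that a role name which merely starts with one of the exempted names (for example Role1AllowedToBypassThisSCP-copy) does not inherit the exemption, because the resource component must match exactly.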