AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2025-07-16 · Documentation medium

File: prescriptive-guidance/latest/privacy-reference-architecture/restrict-changes-vpc-configurations.md

Summary

Removed SCP policy restricting VPC modification actions

Security assessment

Deleted network hardening example without evidence of addressing specific vulnerabilities

Diff

diff --git a/prescriptive-guidance/latest/privacy-reference-architecture/restrict-changes-vpc-configurations.md b/prescriptive-guidance/latest/privacy-reference-architecture/restrict-changes-vpc-configurations.md
index 00bc4ff0c..0271f43b2 100644
--- a//prescriptive-guidance/latest/privacy-reference-architecture/restrict-changes-vpc-configurations.md
+++ b//prescriptive-guidance/latest/privacy-reference-architecture/restrict-changes-vpc-configurations.md
@@ -13,36 +12,0 @@ After you have designed and deployed the AWS infrastructure that supports your c
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Action": [
-                    "ec2:AttachInternetGateway",
-                    "ec2:CreateInternetGateway",
-                    "ec2:AttachEgressOnlyInternetGateway",
-                    "ec2:CreateVpcPeeringConnection",
-                    "ec2:AcceptVpcPeeringConnection",
-                    "ec2:CreateVpc",
-                    "ec2:CreateSubnet", 
-                    "ec2:CreateRouteTable",
-                    "ec2:CreateRoute",
-                    "ec2:AssociateRouteTable", 
-                    "ec2:ModifyVpcAttribute",
-                    "ec2:*TransitGateway",
-                    "ec2:*TransitGateway*",
-                    "globalaccelerator:Create*",
-                    "globalaccelerator:Update*"
-                    
-                ],
-                "Resource": "*",
-                "Effect": "Deny",
-                "Condition": {
-                    "ArnNotLike": {
-                        "aws:PrincipalARN": [
-                            "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
-                            "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
-                        ]
-                    }
-                }          
-            }
-        ]
-    }
-