AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2025-07-25 · Documentation medium

File: prescriptive-guidance/latest/privacy-reference-architecture/restrict-changes-vpc-configurations.md

Summary

Added SCP example restricting VPC modification actions

Security assessment

New service control policy example helps prevent unauthorized network configuration changes

Diff

diff --git a/prescriptive-guidance/latest/privacy-reference-architecture/restrict-changes-vpc-configurations.md b/prescriptive-guidance/latest/privacy-reference-architecture/restrict-changes-vpc-configurations.md
index 0271f43b2..00bc4ff0c 100644
--- a//prescriptive-guidance/latest/privacy-reference-architecture/restrict-changes-vpc-configurations.md
+++ b//prescriptive-guidance/latest/privacy-reference-architecture/restrict-changes-vpc-configurations.md
@@ -12,0 +13,36 @@ After you have designed and deployed the AWS infrastructure that supports your c
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Action": [
+                    "ec2:AttachInternetGateway",
+                    "ec2:CreateInternetGateway",
+                    "ec2:AttachEgressOnlyInternetGateway",
+                    "ec2:CreateVpcPeeringConnection",
+                    "ec2:AcceptVpcPeeringConnection",
+                    "ec2:CreateVpc",
+                    "ec2:CreateSubnet", 
+                    "ec2:CreateRouteTable",
+                    "ec2:CreateRoute",
+                    "ec2:AssociateRouteTable", 
+                    "ec2:ModifyVpcAttribute",
+                    "ec2:*TransitGateway",
+                    "ec2:*TransitGateway*",
+                    "globalaccelerator:Create*",
+                    "globalaccelerator:Update*"
+                    
+                ],
+                "Resource": "*",
+                "Effect": "Deny",
+                "Condition": {
+                    "ArnNotLike": {
+                        "aws:PrincipalARN": [
+                            "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
+                            "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
+                        ]
+                    }
+                }          
+            }
+        ]
+    }
+