aws-prevention v5.1.0 - Improved SCP and RCP objective matching accuracy

Mar 20, 2026 (Guardrails, Mods)

What's new?

  • SCP and RCP objective matching has been redesigned for improved accuracy and consistency. Six multi-statement objectives have been split into single-statement sub-objectives for precise matching. RCP deny examples have been added for 18 objectives and unenforceable SCP examples have been removed. Prevention rules now include an overview field.

Prevention Fact Types

  • AWS Condition Scope
  • AWS Deny Scope

Prevention Objectives

  • Enforce IMDSv2 for AWS EC2 instance launch
  • Enforce IMDSv2 for running AWS EC2 instances
  • Prohibit AWS Elastic IP association
  • Prohibit AWS VPC peering connections
  • Prohibit AWS cross-region networking services
  • Prohibit public IP assignment at AWS EC2 instance launch
  • Safeguard AWS EC2 AMI block public access setting from modification
  • Safeguard AWS Lambda code signing configuration from modification

Removed

  • Enforce IMDSv2 for AWS EC2 instances
  • Prohibit AWS EC2 cross-region networking
  • Prohibit AWS EC2 instance internet access

Prevention Examples

  • Allow approved AWS services
  • Allow resources in approved AWS regions
  • Block all public sharing of AWS EBS snapshots
  • Block inbound and outbound internet connections to your VPCs through an internet gateway (IGW) or egress-only internet gateway (EIGW)
  • Block public sharing of AWS Machine Images (AMIs)
  • Deny API actions over insecure transport for AWS S3
  • Deny AWS Virtual Private Network (VPN) connections
  • Deny EC2 instance launch without IAM instance role
  • Deny IAM user management actions without MFA
  • Deny access key creation for AWS IAM users
  • Deny access key operations for AWS IAM root user
  • Deny actions as a root user
  • Deny all AWS IAM root user actions
  • Deny creation of AWS IAM users
  • Deny creation of access keys for the root user
  • Deny cross region replication for S3 buckets
  • Deny deletion of AWS IAM support access role
  • Deny deletion of AWS VPC flow logs
  • Deny direct permissions attachment to AWS IAM users
  • Deny disablement and deletion of AWS KMS keys
  • Deny disablement of AWS Security Hub configuration
  • Deny disablement of Amazon Inspector configuration
  • Deny full access policy attachment for AWS CloudShell
  • Deny insecure transport at resource level for AWS S3
  • Deny modification of AWS CloudTrail configuration
  • Deny modification of AWS CloudWatch alarms
  • Deny modification of AWS Config configuration
  • Deny modification of AWS DynamoDB table point in time recovery configuration
  • Deny modification of AWS EBS encryption by default configuration
  • Deny modification of AWS EBS snapshot block public access configuration
  • Deny modification of AWS EC2 IMDS default settings
  • Deny modification of AWS EC2 image block public access configuration
  • Deny modification of AWS EC2 serial console access configuration
  • Deny modification of AWS IAM Access Analyzer configuration
  • Deny modification of AWS IAM role configuration
  • Deny modification of AWS IAM role trust policy configuration
  • Deny modification of AWS S3 account public access block configuration
  • Deny modification of AWS S3 bucket encryption configuration
  • Deny modification of AWS S3 bucket lifecycle policy configuration
  • Deny modification of AWS S3 bucket logging configuration
  • Deny modification of AWS S3 bucket logging configuration
  • Deny modification of AWS VPC network ACL rules
  • Deny modification of AWS VPC route tables
  • Deny modification of AWS VPC security group rules
  • Deny modification of AWS VPC security group rules
  • Deny modification of AWS account alternate security contact
  • Deny modification of AWS account contact information
  • Deny policy changes to an AWS S3 bucket
  • Deny public function URLs for AWS Lambda
  • Deny public resource policies for AWS Lambda functions
  • Deny publicly accessible creation for AWS RDS DB instances
  • Deny removal of AWS IAM permission boundaries
  • Deny removal of AWS IAM root user MFA devices
  • Deny removal of AWS IAM user MFA devices
  • Deny replication configuration for AWS S3 buckets
  • Deny resource creation without security classification tags
  • Deny resources in unapproved AWS regions
  • Deny resources in unapproved regions
  • Deny resources in unapproved regions in landing zone
  • Deny sharing of public AWS EBS snapshots
  • Deny single-AZ creation for AWS RDS DB instances
  • Deny the use of AWS EC2 VM import and export
  • Deny the use of deprecated AWS EC2 RequestSpotFleet and RequestSpotInstances API actions
  • Deny unapproved AWS EC2 instance types
  • Deny unapproved AWS services
  • Deny unencrypted creation for AWS EBS volumes
  • Deny unencrypted creation for AWS EFS file systems
  • Deny unencrypted creation for AWS RDS DB instances
  • Deny unencrypted listeners for AWS Elastic Load Balancing
  • Deny versioning changes for AWS S3 buckets
  • Deny virtual MFA operations for AWS IAM root user
  • Deny weakening of AWS IAM account password policy
  • Deny weakening of AWS IAM account password policy
  • Deny weakening of AWS IAM account password policy
  • Deny wildcard administrative policy attachment for AWS IAM
  • Disable AWS EC2 Serial Console access
  • Disable access to the EC2 serial console for all EC2 instances
  • Enable AWS EBS Snapshot Block Public Access for account
  • Enable AWS EBS encryption by default for account
  • Enable AWS EC2 Image Block Public Access
  • Enable account-level Block Public Access for AWS S3
  • Enable account-level Block Public Access for AWS S3
  • Enable account-level Block Public Access for AWS S3
  • Enable account-level Block Public Access for AWS S3
  • Enforce AWS GuardDuty enablement
  • Enforce Access Logging for AWS S3 Buckets
  • Enforce Block Public Access for AWS S3 accounts
  • Enforce Block Public Access for AWS S3 accounts
  • Enforce Block Public Access for AWS S3 accounts
  • Enforce Block Public Access for AWS S3 accounts
  • Enforce Block Public Access for AWS S3 buckets
  • Enforce Block Public Access for AWS S3 buckets
  • Enforce Block Public Access for AWS S3 buckets
  • Enforce Block Public Access for AWS S3 buckets
  • Enforce HTTPS-only access for AWS S3 buckets
  • Enforce IAM instance roles for AWS EC2 instances
  • Enforce IMDSv2 defaults for AWS EC2 account attributes
  • Enforce IMDSv2 for AWS EC2 instances
  • Enforce IMDSv2 for running AWS EC2 instances
  • Enforce MFA Delete for AWS S3 buckets
  • Enforce Multi-AZ deployments for AWS RDS DB instances
  • Enforce approved AMI sources for AWS EC2 instances
  • Enforce approved accounts for AWS Lambda functions
  • Enforce approved images for AWS EC2 AMIs
  • Enforce approved instance types for AWS EC2 instances
  • Enforce auto minor version upgrade for AWS RDS DB instances
  • Enforce block public ACLs for AWS S3 buckets
  • Enforce block public policy for AWS S3 buckets
  • Enforce deactivation of unused AWS IAM access keys
  • Enforce default security groups with no rules to restrict all traffic for AWS VPC security groups
  • Enforce encryption at rest for AWS CloudTrail logs
  • Enforce encryption at rest for AWS RDS DB instances
  • Enforce encryption by default for AWS EC2 accounts
  • Enforce encryption for AWS EFS file systems
  • Enforce group-based permissions for AWS IAM users
  • Enforce ignore public ACLs for AWS S3 buckets
  • Enforce lifecycle policies for AWS S3 buckets
  • Enforce lifecycle policies for versioned AWS S3 buckets
  • Enforce minimum password length for AWS IAM password policy
  • Enforce non-public accessibility for AWS RDS DB instances
  • Enforce password reuse prevention for AWS IAM password policy
  • Enforce removal of AWS IAM AWSCloudShellFullAccess policy
  • Enforce removal of AWS IAM users
  • Enforce removal of AdministratorAccess policy for AWS IAM
  • Enforce removal of expired AWS IAM server certificates
  • Enforce removal of login profiles for AWS IAM users
  • Enforce restrict public buckets for AWS S3 buckets
  • Enforce rotation of AWS IAM access keys every 90 days
  • Enforce secure Network ACL configurations denying public access to admin ports for AWS VPC Network ACLs
  • Enforce secure security group configurations denying public access to admin ports for AWS VPC security groups
  • Enforce single active access key per AWS IAM user
  • Enforce versioning for AWS S3 buckets
  • Enforce versioning for AWS S3 buckets
  • Prevent IAM policies with wildcard actions via Guard
  • Prevent IAM policies with wildcard actions via Lambda
  • Prevent IAM policies with wildcard actions via proactive control
  • Prevent S3 buckets without versioning via Guard
  • Prevent S3 buckets without versioning via Lambda
  • Prevent S3 buckets without versioning via proactive control
  • Prevent creation of AWS EC2 instances with IMDSv1 via Guard
  • Prevent creation of AWS EC2 instances with IMDSv1 via Lambda
  • Prevent public S3 bucket creation via Guard
  • Prevent public S3 bucket creation via Guard
  • Prevent public S3 bucket creation via Guard
  • Prevent public S3 bucket creation via Guard
  • Prohibit AWS EBS direct API calls
  • Prohibit AWS EBS snapshot public restore
  • Prohibit AWS EBS snapshot public sharing
  • Prohibit AWS EC2 VM import and export
  • Prohibit AWS EC2 deprecated Spot instance APIs
  • Prohibit AWS Elastic IP association
  • Prohibit AWS VPC VPN connections
  • Prohibit AWS VPC internet connections
  • Prohibit AWS VPC peering connections
  • Prohibit AWS cross-region networking services
  • Prohibit IAM Customer Managed Policies with Wildcard Service Actions
  • Prohibit IAM Inline Policies with Administrative Wildcard Permissions
  • Prohibit IAM Managed Policies with Administrative Wildcard Permissions
  • Prohibit Public AWS ECR Repositories
  • Prohibit public IP assignment at AWS EC2 instance launch
  • Prohibit public internet access to AWS VPC resources
  • Require AWS CloudHSM key origin for AWS KMS keys
  • Require AWS CloudHSM key origin for AWS KMS keys
  • Require AWS IAM privileged role permission boundaries
  • Require AWS KMS grants only for AWS services
  • Require AWS KMS grants only for AWS services
  • Require Block Public Access for S3 Buckets
  • Require Block Public Access for S3 Buckets
  • Require Block Public Access for S3 Buckets
  • Require Block Public Access for S3 Buckets
  • Require Encryption for EBS Volumes
  • Require Encryption for Launch Template EBS Volumes
  • Require IMDSv2 for AWS EC2 instance launch
  • Require KMS encryption for AWS S3 buckets
  • Require MFA for AWS IAM root user actions
  • Require MFA for AWS S3 bucket versioning configuration changes
  • Require MFA for AWS SSM Session Manager
  • Require MFA for delete actions on S3 buckets
  • Require RSA key length greater than 2048 bits for AWS KMS asymmetric keys
  • Require RSA key length greater than 2048 bits for AWS KMS asymmetric keys
  • Require Server Side Encryption for S3 Buckets
  • Require VPC endpoints for AWS DynamoDB access
  • Require all object uploads to AWS S3 buckets to use server-side encryption with an AWS KMS key (SSE-KMS)
  • Require an AWS EBS snapshot to be created from an encrypted EC2 volume
  • Require approved AWS Marketplace subscriptions
  • Require approved sources for AWS ECR container registry
  • Require approved sources for AWS Lambda layers
  • Require attribute-based access control for AWS IAM sensitive data access
  • Require bypass policy lockout safety check for AWS KMS keys
  • Require bypass policy lockout safety check for AWS KMS keys
  • Require code signing for AWS Lambda functions
  • Require encryption at rest for AWS EBS snapshots
  • Require external key store key origin for AWS KMS keys
  • Require external key store key origin for AWS KMS keys
  • Require imported key material for AWS KMS keys
  • Require imported key material for AWS KMS keys
  • Require organization-only access for AWS KMS resources
  • Require organization-only access for AWS KMS resources
  • Require that AWS EBS direct APIs are not called
  • Require that an AWS EBS snapshot cannot be publicly restorable
  • Require that an attached AWS EBS volume is configured to encrypt data at rest
  • Safeguard AWS EC2 AMI block public access setting from modification
  • Safeguard AWS Lambda code signing configuration from modification
  • Safeguard AWS S3 bucket encryption configuration from modification
  • Safeguard AWS S3 bucket policies from modification
  • Set IMDSv2 defaults for AWS EC2 instances
  • Set comprehensive password policy for AWS IAM
  • Set minimum password length for AWS IAM password policy
  • Set password reuse prevention for AWS IAM password policy

Removed

  • Allow approved AWS services
  • Allow resources in approved AWS regions
  • Block all public sharing of AWS EBS snapshots
  • Block inbound and outbound internet connections to your VPCs through an internet gateway (IGW) or egress-only internet gateway (EIGW)
  • Block public sharing of AWS Machine Images (AMIs)
  • Deny API actions over insecure transport for AWS S3
  • Deny AWS Virtual Private Network (VPN) connections
  • Deny EC2 instance launch without IAM instance role
  • Deny access key creation for AWS IAM users
  • Deny access key operations for AWS IAM root user
  • Deny actions as a root user
  • Deny all AWS IAM root user actions
  • Deny creation of AWS IAM users
  • Deny creation of access keys for the root user
  • Deny credential updates for AWS IAM users
  • Deny cross region replication for S3 buckets
  • Deny cross-region networking for AWS EC2, AWS CloudFront, and AWS Global Accelerator
  • Deny deletion of AWS IAM support access role
  • Deny deletion of AWS VPC flow logs
  • Deny direct permissions attachment to AWS IAM users
  • Deny disablement and deletion of AWS KMS keys
  • Deny disablement of AWS GuardDuty configuration
  • Deny disablement of AWS Security Hub configuration
  • Deny disablement of Amazon Inspector configuration
  • Deny full access policy attachment for AWS CloudShell
  • Deny insecure transport at resource level for AWS S3
  • Deny internet access for an AWS VPC instance managed by a customer
  • Deny modification of AWS CloudTrail configuration
  • Deny modification of AWS CloudWatch alarms
  • Deny modification of AWS Config configuration
  • Deny modification of AWS DynamoDB table point in time recovery configuration
  • Deny modification of AWS EBS encryption by default configuration
  • Deny modification of AWS EBS snapshot block public access configuration
  • Deny modification of AWS EC2 IMDS default settings
  • Deny modification of AWS EC2 image block public access configuration
  • Deny modification of AWS EC2 instance IMDSv2 configuration
  • Deny modification of AWS EC2 serial console access configuration
  • Deny modification of AWS IAM Access Analyzer configuration
  • Deny modification of AWS IAM role configuration
  • Deny modification of AWS IAM role trust policy configuration
  • Deny modification of AWS S3 account public access block configuration
  • Deny modification of AWS S3 account public access block configuration
  • Deny modification of AWS S3 bucket encryption configuration
  • Deny modification of AWS S3 bucket lifecycle policy configuration
  • Deny modification of AWS S3 bucket logging configuration
  • Deny modification of AWS S3 bucket logging configuration
  • Deny modification of AWS S3 bucket object lock configuration
  • Deny modification of AWS VPC network ACL rules
  • Deny modification of AWS VPC route tables
  • Deny modification of AWS VPC security group rules
  • Deny modification of AWS account alternate security contact
  • Deny modification of AWS account contact information
  • Deny password operations for AWS IAM users
  • Deny policy changes to an AWS S3 bucket
  • Deny public function URLs for AWS Lambda
  • Deny public repository creation for AWS ECR
  • Deny public resource policies for AWS Lambda functions
  • Deny publicly accessible creation for AWS RDS DB instances
  • Deny removal of AWS IAM permission boundaries
  • Deny removal of AWS IAM root user MFA devices
  • Deny removal of AWS IAM user MFA devices
  • Deny replication configuration for AWS S3 buckets
  • Deny resource creation without security classification tags
  • Deny resources in unapproved AWS regions
  • Deny resources in unapproved regions
  • Deny resources in unapproved regions in landing zone
  • Deny sharing of public AWS EBS snapshots
  • Deny single-AZ creation for AWS RDS DB instances
  • Deny the use of AWS EC2 VM import and export
  • Deny the use of deprecated AWS EC2 RequestSpotFleet and RequestSpotInstances API actions
  • Deny unapproved AWS EC2 instance types
  • Deny unapproved AWS services
  • Deny unencrypted creation for AWS EBS volumes
  • Deny unencrypted creation for AWS EFS file systems
  • Deny unencrypted creation for AWS RDS DB instances
  • Deny unencrypted listeners for AWS Elastic Load Balancing
  • Deny versioning changes for AWS S3 buckets
  • Deny virtual MFA operations for AWS IAM root user
  • Deny weakening of AWS IAM account password policy
  • Deny wildcard administrative policy attachment for AWS IAM
  • Disable AWS EC2 Serial Console access
  • Disable access to the EC2 serial console for all EC2 instances
  • Enable AWS EBS Snapshot Block Public Access for account
  • Enable AWS EBS encryption by default for account
  • Enable AWS EC2 Image Block Public Access
  • Enable account-level Block Public Access for AWS S3
  • Enforce Access Logging for AWS S3 Buckets
  • Enforce Block Public Access for AWS S3 accounts
  • Enforce Block Public Access for AWS S3 buckets
  • Enforce HTTPS-only access for AWS S3 buckets
  • Enforce IAM instance roles for AWS EC2 instances
  • Enforce IMDSv2 defaults for AWS EC2 account attributes
  • Enforce IMDSv2 for AWS EC2 instances
  • Enforce Multi-AZ deployments for AWS RDS DB instances
  • Enforce approved AMI sources for AWS EC2 instances
  • Enforce approved accounts for AWS Lambda functions
  • Enforce approved images for AWS EC2 AMIs
  • Enforce approved instance types for AWS EC2 instances
  • Enforce auto minor version upgrade for AWS RDS DB instances
  • Enforce deactivation of unused AWS IAM access keys
  • Enforce default security groups with no rules to restrict all traffic for AWS VPC security groups
  • Enforce encryption at rest for AWS CloudTrail logs
  • Enforce encryption at rest for AWS RDS DB instances
  • Enforce encryption by default for AWS EC2 accounts
  • Enforce encryption for AWS EFS file systems
  • Enforce group-based permissions for AWS IAM users
  • Enforce lifecycle policies for AWS S3 buckets
  • Enforce lifecycle policies for versioned AWS S3 buckets
  • Enforce minimum password length for AWS IAM password policy
  • Enforce non-public accessibility for AWS RDS DB instances
  • Enforce password reuse prevention for AWS IAM password policy
  • Enforce removal of AWS IAM AWSCloudShellFullAccess policy
  • Enforce removal of AWS IAM users
  • Enforce removal of AdministratorAccess policy for AWS IAM
  • Enforce removal of expired AWS IAM server certificates
  • Enforce removal of login profiles for AWS IAM users
  • Enforce rotation of AWS IAM access keys every 90 days
  • Enforce secure Network ACL configurations denying public access to admin ports for AWS VPC Network ACLs
  • Enforce secure security group configurations denying public access to admin ports for AWS VPC security groups
  • Enforce single active access key per AWS IAM user
  • Enforce versioning for AWS S3 buckets
  • Prevent IAM policies with wildcard actions via Guard
  • Prevent IAM policies with wildcard actions via Lambda
  • Prevent IAM policies with wildcard actions via proactive control
  • Prevent S3 buckets without versioning via Guard
  • Prevent S3 buckets without versioning via Lambda
  • Prevent S3 buckets without versioning via proactive control
  • Prevent creation of AWS EC2 instances with IMDSv1 via Guard
  • Prevent creation of AWS EC2 instances with IMDSv1 via Lambda
  • Prevent public S3 bucket creation via Guard
  • Prohibit IAM Customer Managed Policies with Wildcard Service Actions
  • Prohibit IAM Inline Policies with Administrative Wildcard Permissions
  • Prohibit IAM Managed Policies with Administrative Wildcard Permissions
  • Require AWS CloudHSM key origin for AWS KMS keys
  • Require AWS IAM privileged role permission boundaries
  • Require AWS KMS grants only for AWS services
  • Require Block Public Access for S3 Buckets
  • Require Encryption for EBS Volumes
  • Require Encryption for Launch Template EBS Volumes
  • Require IMDSv2 for AWS EC2 instances
  • Require MFA for AWS IAM root user actions
  • Require MFA for AWS IAM user actions
  • Require MFA for AWS S3 bucket versioning configuration changes
  • Require MFA for AWS SSM Session Manager
  • Require MFA for delete actions on S3 buckets
  • Require RSA key length greater than 2048 bits for AWS KMS asymmetric keys
  • Require Server Side Encryption for S3 Buckets
  • Require VPC endpoints for AWS DynamoDB access
  • Require VPC endpoints for AWS S3 access
  • Require all object uploads to AWS S3 buckets to use server-side encryption with an AWS KMS key (SSE-KMS)
  • Require an AWS EBS snapshot to be created from an encrypted EC2 volume
  • Require approved AMI sources for AWS EC2 instances
  • Require approved AWS Marketplace subscriptions
  • Require approved sources for AWS ECR container registry
  • Require approved sources for AWS Lambda layers
  • Require attribute-based access control for AWS IAM sensitive data access
  • Require bypass policy lockout safety check for AWS KMS keys
  • Require code signing for AWS Lambda functions
  • Require external key store key origin for AWS KMS keys
  • Require imported key material for AWS KMS keys
  • Require organization accounts for AWS STS assume role
  • Require organization-only access for AWS KMS resources
  • Require that AWS EBS direct APIs are not called
  • Require that an AWS EBS snapshot cannot be publicly restorable
  • Require that an attached AWS EBS volume is configured to encrypt data at rest
  • Set IMDSv2 defaults for AWS EC2 instances
  • Set comprehensive password policy for AWS IAM
  • Set minimum password length for AWS IAM password policy
  • Set password reuse prevention for AWS IAM password policy