atheiman/restrict-subnet-usage.scp.json

## restrict-subnet-usage.scp.json
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect":"Deny",
      "Action": [
        "ec2:AssociateClientVpnTargetNetwork",
        "ec2:AssociateRouteTable",
        "ec2:AssociateSubnetCidrBlock",
        "ec2:AssociateTransitGatewayMulticastDomain",
        "ec2:CreateClientVpnRoute",
        "ec2:CreateFleet",
        "ec2:CreateFlowLogs",
        "ec2:CreateInstanceConnectEndpoint",
        "ec2:CreateNatGateway",
        "ec2:CreateNetworkInterface",
        "ec2:CreateSubnet",
        "ec2:CreateTags",
        "ec2:CreateTransitGatewayVpcAttachment",
        "ec2:CreateVerifiedAccessEndpoint",
        "ec2:CreateVpcEndpoint",
        "ec2:DeleteClientVpnRoute",
        "ec2:DeleteSubnet",
        "ec2:DeleteTags",
        "ec2:DisassociateRouteTable",
        "ec2:DisassociateSubnetCidrBlock",
        "ec2:DisassociateTransitGatewayMulticastDomain",
        "ec2:ImportInstance",
        "ec2:ModifyFleet",
        "ec2:ModifySpotFleetRequest",
        "ec2:ModifySubnetAttribute",
        "ec2:ModifyTransitGatewayVpcAttachment",
        "ec2:ModifyVerifiedAccessEndpoint",
        "ec2:ModifyVpcEndpoint",
        "ec2:ReplaceNetworkAclAssociation",
        "ec2:ReplaceRouteTableAssociation",
        "ec2:RequestSpotFleet",
        "ec2:RequestSpotInstances",
        "ec2:RunInstances"
      ],
      "Resource":"arn:aws:ec2:*:*:subnet/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/SubnetFunction": [
            "TransitGatewayAttachment",
            "GatewayLoadBalancerEndpoint"
          ]
        },
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/AWSControlTowerExecution",
            "arn:aws:iam::*:role/OrganizationAccountAccessRole"
          ]
        }
      }
    }
  ]
}
	{
	"Version":"2012-10-17",
	"Statement": [
	{
	"Effect":"Deny",
	"Action": [
	"ec2:AssociateClientVpnTargetNetwork",
	"ec2:AssociateRouteTable",
	"ec2:AssociateSubnetCidrBlock",
	"ec2:AssociateTransitGatewayMulticastDomain",
	"ec2:CreateClientVpnRoute",
	"ec2:CreateFleet",
	"ec2:CreateFlowLogs",
	"ec2:CreateInstanceConnectEndpoint",
	"ec2:CreateNatGateway",
	"ec2:CreateNetworkInterface",
	"ec2:CreateSubnet",
	"ec2:CreateTags",
	"ec2:CreateTransitGatewayVpcAttachment",
	"ec2:CreateVerifiedAccessEndpoint",
	"ec2:CreateVpcEndpoint",
	"ec2:DeleteClientVpnRoute",
	"ec2:DeleteSubnet",
	"ec2:DeleteTags",
	"ec2:DisassociateRouteTable",
	"ec2:DisassociateSubnetCidrBlock",
	"ec2:DisassociateTransitGatewayMulticastDomain",
	"ec2:ImportInstance",
	"ec2:ModifyFleet",
	"ec2:ModifySpotFleetRequest",
	"ec2:ModifySubnetAttribute",
	"ec2:ModifyTransitGatewayVpcAttachment",
	"ec2:ModifyVerifiedAccessEndpoint",
	"ec2:ModifyVpcEndpoint",
	"ec2:ReplaceNetworkAclAssociation",
	"ec2:ReplaceRouteTableAssociation",
	"ec2:RequestSpotFleet",
	"ec2:RequestSpotInstances",
	"ec2:RunInstances"
	],
	"Resource":"arn:aws:ec2:::subnet/*",
	"Condition": {
	"StringEquals": {
	"ec2:ResourceTag/SubnetFunction": [
	"TransitGatewayAttachment",
	"GatewayLoadBalancerEndpoint"
	]
	},
	"StringNotLike": {
	"aws:PrincipalArn": [
	"arn:aws:iam::*:role/AWSControlTowerExecution",
	"arn:aws:iam::*:role/OrganizationAccountAccessRole"
	]
	}
	}
	}
	]
	}