Updated on 2024-06-21 GMT+08:00

Virtual Private Cloud (VPC)

The Organizations service provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to a principal. They only set the permissions boundary for the principal. When SCPs are attached to a member account or an organizational unit (OU), they do not directly grant permission to that member account or OU. Instead, the SCPs determine what permissions are available for that member account or the member accounts under that OU.

This section describes the elements used by Organizations SCPs. The elements include actions, resources, and conditions.

For details about how to use these elements to create a custom SCP, see Creating an SCP.

Actions

Actions are specific operations that are allowed or denied in an SCP.

  • The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an SCP.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions, and you must specify all resources ("*") in your SCP statements.
    • If this column includes a resource type, you must specify the URN in the Resource element of your statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resource types defined by VPC, see Resources.

  • The Condition Key column contains keys that you can specify in the Condition element of an SCP statement.
    • If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by VPC, see Conditions.

The following table lists the actions that you can define in SCP statements for VPC.

Table 1 Actions supported by VPC

Action

Description

Access Level

Resource Type (*: Required)

Condition Key

vpc:vpcs:create

Grants permission to create a VPC.

write

vpc *

-

-

  • g:EnterpriseProjectId
  • g:RequestTag/<tag-key>
  • g:TagKeys

vpc:vpcs:get

Grants permission to query VPC details.

read

vpc *

  • g:EnterpriseProjectId
  • g:ResourceTag/<tag-key>
  • vpc:VpcId

vpc:vpcs:list

Grants permission to query VPCs.

list

vpc *

-

-

g:EnterpriseProjectId

vpc:vpcs:update

Grants permission to modify a VPC.

write

vpc *

  • g:EnterpriseProjectId
  • g:ResourceTag/<tag-key>
  • vpc:VpcId

vpc:vpcs:delete

Grants permission to delete a VPC.

write

vpc *

  • g:EnterpriseProjectId
  • g:ResourceTag/<tag-key>
  • vpc:VpcId

vpc:subnets:create

Grants permission to create a subnet.

write

subnet *

-

vpc *

  • g:EnterpriseProjectId
  • g:ResourceTag/<tag-key>
  • vpc:VpcId

-

  • g:RequestTag/<tag-key>
  • g:TagKeys

vpc:subnets:get

Grants permission to query subnet details.

read

subnet *

  • g:ResourceTag/<tag-key>
  • vpc:SubnetId
  • vpc:VpcId
  • g:EnterpriseProjectId

vpc:subnets:list

Grants permission to query subnets.

list

subnet *

-

-

g:EnterpriseProjectId

vpc:subnets:update

Grants permission to modify a subnet.

write

subnet *

  • g:ResourceTag/<tag-key>
  • vpc:SubnetId
  • vpc:VpcId
  • g:EnterpriseProjectId

vpc:subnets:delete

Grants permission to delete a subnet.

write

subnet *

  • g:ResourceTag/<tag-key>
  • vpc:SubnetId
  • vpc:VpcId
  • g:EnterpriseProjectId

vpc:quotas:list

Grants permission to query quotas.

list

-

-

vpc:privateIps:create

Grants permission to assign a private IP address.

write

privateIp *

-

subnet *

  • g:ResourceTag/<tag-key>
  • vpc:SubnetId
  • vpc:VpcId

vpc:privateIps:get

Grants permission to query the details of a private IP address.

read

privateIp *

  • vpc:PrivateIpId
  • vpc:SubnetId

vpc:privateIps:list

Grants permission to query private IP addresses.

list

privateIp *

-

vpc:privateIps:delete

Grants permission to release a private IP address.

write

privateIp *

  • vpc:PrivateIpId
  • vpc:SubnetId

vpc:securityGroups:create

Grants permission to create a security group.

write

securityGroup *

-

-

g:EnterpriseProjectId

vpc:securityGroups:get

Grants permission to query the details of a security group.

read

securityGroup *

  • g:EnterpriseProjectId
  • vpc:SecurityGroupId

vpc:securityGroups:list

Grants permission to query security groups.

list

securityGroup *

-

-

g:EnterpriseProjectId

vpc:securityGroups:update

Grants permission to modify a security group.

write

securityGroup *

  • g:EnterpriseProjectId
  • vpc:SecurityGroupId

vpc:securityGroups:delete

Grants permission to delete a security group.

write

securityGroup *

  • g:EnterpriseProjectId
  • vpc:SecurityGroupId

vpc:securityGroupRules:create

Grants permission to create a security group rule.

write

securityGroupRule *

-

securityGroup *

  • g:EnterpriseProjectId
  • vpc:SecurityGroupId

vpc:securityGroupRules:get

Grants permission to query the details of a security group rule.

read

securityGroupRule *

  • g:EnterpriseProjectId
  • vpc:SecurityGroupId

vpc:securityGroupRules:list

Grants permission to query security group rules.

list

-

g:EnterpriseProjectId

vpc:securityGroupRules:update

Grants permission to modify a security group rule.

write

securityGroupRule *

  • g:EnterpriseProjectId
  • vpc:SecurityGroupId

vpc:securityGroupRules:delete

Grants permission to delete a security group rule.

write

securityGroupRule *

  • g:EnterpriseProjectId
  • vpc:SecurityGroupId

vpc:ports:create

Grants permission to create a port.

write

port *

-

subnet *

  • g:ResourceTag/<tag-key>
  • vpc:SubnetId
  • vpc:VpcId
  • g:EnterpriseProjectId

vpc:ports:get

Grants permission to query port details.

read

port *

  • vpc:SubnetId
  • vpc:PortId
  • g:EnterpriseProjectId

vpc:ports:list

Grants permission to query ports.

list

port *

-

-

g:EnterpriseProjectId

vpc:ports:update

Grants permission to modify a port.

write

port *

  • vpc:SubnetId
  • vpc:PortId
  • g:EnterpriseProjectId

vpc:ports:delete

Grants permission to delete a port.

write

port *

  • vpc:SubnetId
  • vpc:PortId
  • g:EnterpriseProjectId

vpc:peerings:create

Grants permission to create a VPC peering connection.

write

peering *

  • vpc:AccepterVpcId
  • vpc:RequesterVpcId
  • vpc:AccepterVpcOrgPath
  • vpc:AccepterVpcOwner

vpc *

  • g:ResourceTag/<tag-key>
  • vpc:VpcId

vpc:peerings:get

Grants permission to query the details of a VPC peering connection.

read

peering *

  • vpc:AccepterVpcId
  • vpc:RequesterVpcId
  • vpc:PeeringId

vpc:peerings:list

Grants permission to query VPC peering connections.

list

peering *

-

vpc:peerings:accept

Grants permission to accept a VPC peering connection.

write

peering *

  • vpc:AccepterVpcId
  • vpc:RequesterVpcId
  • vpc:PeeringId
  • vpc:RequesterVpcOrgPath
  • vpc:RequesterVpcOwner

vpc:peerings:reject

Grants permission to reject a VPC peering connection.

write

peering *

  • vpc:AccepterVpcId
  • vpc:RequesterVpcId
  • vpc:PeeringId

vpc:peerings:update

Grants permission to modify a VPC peering connection.

write

peering *

  • vpc:AccepterVpcId
  • vpc:RequesterVpcId
  • vpc:PeeringId

vpc:peerings:delete

Grants permission to delete a VPC peering connection.

write

peering *

  • vpc:AccepterVpcId
  • vpc:RequesterVpcId
  • vpc:PeeringId

vpc:routeTables:create

Grants permission to create a route table.

write

routeTable *

-

vpc *

  • g:EnterpriseProjectId
  • g:ResourceTag/<tag-key>
  • vpc:VpcId

vpc:routeTables:get

Grants permission to query route table details.

read

routeTable *

  • vpc:RouteTableId
  • vpc:VpcId
  • g:EnterpriseProjectId

vpc:routeTables:list

Grants permission to query route tables.

list

routeTable *

-

-

g:EnterpriseProjectId

vpc:routeTables:update

Grants permission to modify a route table.

write

routeTable *

  • vpc:RouteTableId
  • vpc:VpcId
  • g:EnterpriseProjectId

vpc:routeTables:associate

Grants permission to associate a route table.

write

routeTable *

  • vpc:RouteTableId
  • vpc:VpcId

subnet *

  • g:ResourceTag/<tag-key>
  • vpc:SubnetId
  • vpc:VpcId
  • g:EnterpriseProjectId

vpc:routeTables:delete

Grants permission to delete a route table.

write

routeTable *

  • vpc:RouteTableId
  • vpc:VpcId
  • g:EnterpriseProjectId

vpc:flowLogs:create

Grants permission to create a VPC flow log.

write

flowLog *

-

port

vpc:PortId

subnet

  • g:ResourceTag/<tag-key>
  • vpc:SubnetId
  • vpc:VpcId

vpc

  • g:ResourceTag/<tag-key>
  • vpc:VpcId

vpc:flowLogs:get

Grants permission to query VPC flow logs or their details.

read

flowLog *

vpc:FlowLogId

vpc:flowLogs:list

Grants permission to query VPC flow logs.

read

flowLog *

-

vpc:flowLogs:update

Grants permission to modify a VPC flow log.

write

flowLog *

vpc:FlowLogId

vpc:flowLogs:delete

Grants permission to delete a VPC flow log.

write

flowLog *

vpc:FlowLogId

vpc:addressGroups:create

Grants permission to create an IP address group.

write

addressGroup *

-

-

  • g:EnterpriseProjectId
  • g:RequestTag/<tag-key>
  • g:TagKeys

vpc:addressGroups:get

Grants permission to query the details of an IP address group.

read

addressGroup *

  • g:EnterpriseProjectId
  • g:ResourceTag/<tag-key>
  • vpc:AddressGroupId

vpc:addressGroups:list

Grants permission to query IP address groups.

list

addressGroup *

-

-

g:EnterpriseProjectId

vpc:addressGroups:update

Grants permission to modify an IP address group.

write

addressGroup *

  • g:EnterpriseProjectId
  • g:ResourceTag/<tag-key>
  • vpc:AddressGroupId

vpc:addressGroups:delete

Grants permission to delete an IP address group.

write

addressGroup *

  • g:EnterpriseProjectId
  • g:ResourceTag/<tag-key>
  • vpc:AddressGroupId

vpc:firewalls:create

Grants permission to create a network ACL.

write

firewall *

-

-

  • g:EnterpriseProjectId
  • g:RequestTag/<tag-key>
  • g:TagKeys

vpc:firewalls:get

Grants permission to query the details of a network ACL.

read

firewall *

  • g:EnterpriseProjectId
  • g:ResourceTag/<tag-key>
  • vpc:FirewallId

vpc:firewalls:list

Grants permission to query network ACLs.

list

firewall *

-

-

g:EnterpriseProjectId

vpc:firewalls:update

Grants permission to modify a network ACL.

write

firewall *

  • g:EnterpriseProjectId
  • g:ResourceTag/<tag-key>
  • vpc:FirewallId
  • vpc:FirewallRuleDirection
  • vpc:FirewallRuleProtocol
  • vpc:FirewallRuleAction
  • vpc:FirewallRuleSourcePort
  • vpc:FirewallRuleDestinationPort
  • vpc:FirewallOperationType

subnet

  • g:ResourceTag/<tag-key>
  • vpc:SubnetId
  • vpc:VpcId
  • g:EnterpriseProjectId

vpc:firewalls:delete

Grants permission to delete a network ACL.

write

firewall *

  • g:EnterpriseProjectId
  • g:ResourceTag/<tag-key>
  • vpc:FirewallId

vpc:vpcs:createTags

Grants permission to add tags to a VPC.

tagging

vpc *

  • g:EnterpriseProjectId
  • g:ResourceTag/<tag-key>
  • vpc:VpcId

-

  • g:RequestTag/<tag-key>
  • g:TagKeys

vpc:vpcs:listTags

Grants permission to query VPC tags.

read

vpc *

-

vpc:vpcs:deleteTags

Grants permission to delete tags from a VPC.

tagging

vpc *

  • g:EnterpriseProjectId
  • g:ResourceTag/<tag-key>
  • vpc:VpcId

-

g:TagKeys

vpc:subnets:createTags

Grants permission to add tags to a subnet.

tagging

subnet *

  • g:EnterpriseProjectId
  • g:ResourceTag/<tag-key>
  • vpc:VpcId
  • vpc:SubnetId

-

  • g:RequestTag/<tag-key>
  • g:TagKeys

vpc:subnets:listTags

Grants permission to query subnet tags.

read

subnet *

-

vpc:subnets:deleteTags

Grants permission to delete tags from a subnet.

tagging

subnet *

  • g:EnterpriseProjectId
  • g:ResourceTag/<tag-key>
  • vpc:VpcId
  • vpc:SubnetId

-

g:TagKeys

vpc:subNetworkInterfaces:create

Grants permission to create supplementary network interfaces.

write

subNetworkInterface *

-

subnet *

  • g:ResourceTag/<tag-key>
  • vpc:SubnetId
  • vpc:VpcId

vpc:subNetworkInterfaces:get

Grants permission to query the details of a supplementary network interface.

read

subNetworkInterface *

  • vpc:SubnetId
  • vpc:SubNetworkInterfaceId

vpc:subNetworkInterfaces:list

Grants permission to query supplementary network interfaces.

list

subNetworkInterface *

-

vpc:subNetworkInterfaces:update

Grants permission to modify a supplementary network interface.

write

subNetworkInterface *

  • vpc:SubnetId
  • vpc:SubNetworkInterfaceId

vpc:subNetworkInterfaces:delete

Grants permission to delete a supplementary network interface.

write

subNetworkInterface *

  • vpc:SubnetId
  • vpc:SubNetworkInterfaceId

vpc:networks:create

Grants permission to create a network.

write

network *

-

vpc:networks:get

Grants permission to query network details.

read

network *

-

vpc:networks:list

Grants permission to query networks.

list

network *

-

vpc:networks:update

Grants permission to update a network.

write

network *

-

vpc:networks:delete

Grants permission to delete a network.

write

addressGroup *

-

Each API of VPC usually supports one or more actions. Table 2 lists the supported actions and dependencies.

Table 2 Actions and dependencies supported by VPC APIs

API

Action

Dependencies

POST /v1/{project_id}/vpcs

vpc:vpcs:create

-

GET /v1/{project_id}/vpcs/{vpc_id}

vpc:vpcs:get

-

GET /v1/{project_id}/vpcs

vpc:vpcs:list

-

PUT /v1/{project_id}/vpcs/{vpc_id}

vpc:vpcs:update

-

DELETE /v1/{project_id}/vpcs/{vpc_id}

vpc:vpcs:delete

-

POST /v1/{project_id}/subnets

vpc:subnets:create

-

GET /v1/{project_id}/subnets/{subnet_id}

vpc:subnets:get

-

GET /v1/{project_id}/subnets

vpc:subnets:list

-

PUT /v1/{project_id}/vpcs/{vpc_id}/subnets/{subnet_id}

vpc:subnets:update

-

DELETE /v1/{project_id}/vpcs/{vpc_id}/subnets/{subnet_id}

vpc:subnets:delete

-

GET /v1/{project_id}/quotas

vpc:quotas:list

-

POST /v1/{project_id}/privateips

vpc:privateIps:create

-

GET /v1/{project_id}/privateips/{privateip_id}

vpc:privateIps:get

-

GET /v1/{project_id}/subnets/{subnet_id}/privateips

vpc:privateIps:list

-

DELETE /v1/{project_id}/privateips/{privateip_id}

vpc:privateIps:delete

-

POST /v1/{project_id}/security-groups

vpc:securityGroups:create

-

GET /v1/{project_id}/security-groups/{security_group_id}

vpc:securityGroups:get

-

GET /v1/{project_id}/security-groups

vpc:securityGroups:list

-

DELETE /v1/{project_id}/security-groups/{security_group_id}

vpc:securityGroups:delete

-

POST /v1/{project_id}/security-group-rules

vpc:securityGroupRules:create

-

GET /v1/{project_id}/security-group-rules/{security_group_rule_id}

vpc:securityGroupRules:get

-

GET /v1/{project_id}/security-group-rules

vpc:securityGroupRules:list

-

DELETE /v1/{project_id}/security-group-rules/{security_group_rule_id}

vpc:securityGroupRules:delete

-

POST /v1/{project_id}/ports

vpc:ports:create

-

GET /v1/{project_id}/ports/{port_id}

vpc:ports:get

-

GET /v1/{project_id}/ports

vpc:ports:list

-

PUT /v1/{project_id}/ports/{port_id}

vpc:ports:update

-

DELETE /v1/{project_id}/ports/{port_id}

vpc:ports:delete

-

POST /v2.0/vpc/peerings

vpc:peerings:create

-

PUT /v2.0/vpc/peerings/{peering_id}/accept

vpc:peerings:accept

-

PUT /v2.0/vpc/peerings/{peering_id}/reject

vpc:peerings:reject

-

GET /v2.0/vpc/peerings/{peering_id}

vpc:peerings:get

-

GET /v2.0/vpc/peerings

vpc:peerings:list

-

PUT /v2.0/vpc/peerings/{peering_id}

vpc:peerings:update

-

DELETE /v2.0/vpc/peerings/{peering_id}

vpc:peerings:delete

-

POST /v1/{project_id}/routetables

vpc:routeTables:create

-

GET /v1/{project_id}/routetables/{routetable_id}

vpc:routeTables:get

-

GET /v1/{project_id}/routetables

vpc:routeTables:list

-

PUT /v1/{project_id}/routetables/{routetable_id}

vpc:routeTables:update

-

POST /v1/{project_id}/routetables/{routetable_id}/action

vpc:routeTables:associate

-

POST 01 /v1/{project_id}/routetables/{routetable_id}/action

vpc:routeTables:associate

-

DELETE /v1/{project_id}/routetables/{routetable_id}

vpc:routeTables:delete

-

POST /v1/{project_id}/fl/flow_logs

vpc:flowLogs:create

-

GET /v1/{project_id}/fl/flow_logs/{flowlog_id}

vpc:flowLogs:get

-

GET /v1/{project_id}/fl/flow_logs

vpc:flowLogs:list

-

PUT /v1/{project_id}/fl/flow_logs/{flowlog_id}

vpc:flowLogs:update

-

DELETE /v1/{project_id}/fl/flow_logs/{flowlog_id}

vpc:flowLogs:delete

-

PUT /v3/{project_id}/vpc/vpcs/{vpc_id}/add-extend-cidr

vpc:vpcs:update

-

PUT /v3/{project_id}/vpc/vpcs/{vpc_id}/remove-extend-cidr

vpc:vpcs:update

-

PUT /v3/{project_id}/vpc/security-groups/{security_group_id}

vpc:securityGroups:update

-

POST /v3/{project_id}/vpc/address-groups

vpc:addressGroups:create

-

GET /v3/{project_id}/vpc/address-groups/{address_group_id}

vpc:addressGroups:get

-

GET /v3/{project_id}/vpc/address-groups

vpc:addressGroups:list

-

PUT /v3/{project_id}/vpc/address-groups/{address_group_id}

vpc:addressGroups:update

-

DELETE /v3/{project_id}/vpc/address-groups/{address_group_id}

vpc:addressGroups:delete

-

DELETE /v3/{project_id}/vpc/address-groups/{address_group_id}/force

vpc:addressGroups:delete

-

POST /v2.0/{project_id}/vpcs/{vpc_id}/tags/action

vpc:vpcs:createTags

-

POST 01 /v2.0/{project_id}/vpcs/{vpc_id}/tags/action

vpc:vpcs:deleteTags

-

POST /v2.0/{project_id}/vpcs/{vpc_id}/tags

vpc:vpcs:createTags

-

POST /v2.0/{project_id}/vpcs/resource_instances/action

vpc:vpcs:listTags

-

GET /v2.0/{project_id}/vpcs/tags

vpc:vpcs:listTags

-

GET /v2.0/{project_id}/vpcs/{vpc_id}/tags

vpc:vpcs:listTags

-

DELETE /v2.0/{project_id}/vpcs/{vpc_id}/tags/{key}

vpc:vpcs:deleteTags

-

POST 01 /v2.0/{project_id}/subnets/{subnet_id}/tags/action

vpc:subnets:createTags

-

POST /v2.0/{project_id}/subnets/{subnet_id}/tags/action

vpc:subnets:deleteTags

-

POST /v2.0/{project_id}/subnets/{subnet_id}/tags

vpc:subnets:createTags

-

POST /v2.0/{project_id}/subnets/resource_instances/action

vpc:subnets:listTags

-

GET /v2.0/{project_id}/subnets/tags

vpc:subnets:listTags

-

GET /v2.0/{project_id}/subnets/{subnet_id}/tags

vpc:subnets:listTags

-

DELETE /v2.0/{project_id}/subnets/{subnet_id}/tags/{key}

vpc:subnets:deleteTags

-

POST /v3/{project_id}/vpc/sub-network-interfaces

vpc:subNetworkInterfaces:create

-

POST /v3/{project_id}/vpc/sub-network-interfaces/batch-create

vpc:subNetworkInterfaces:create

-

GET /v3/{project_id}/vpc/sub-network-interfaces/{sub_network_interface_id}

vpc:subNetworkInterfaces:get

-

GET /v3/{project_id}/vpc/sub-network-interfaces

vpc:subNetworkInterfaces:list

-

GET /v3/{project_id}/vpc/sub-network-interfaces/count

vpc:subNetworkInterfaces:list

-

PUT /v3/{project_id}/vpc/sub-network-interfaces/migrate

vpc:subNetworkInterfaces:update

-

PUT /v3/{project_id}/vpc/sub-network-interfaces/{sub_network_interface_id}

vpc:subNetworkInterfaces:update

-

DELETE /v3/{project_id}/vpc/sub-network-interfaces/{sub_network_interface_id}

vpc:subNetworkInterfaces:delete

-

Resources

A resource type indicates the resources that an SCP is applied. If you specify a resource type for any action in Table 3, a resource URN must be specified in the SCP policy statements using that action, and the SCP policy applies only to the resource. If no resource type is specified, the Resource element is marked with an asterisk (*) and the SCP policy applies to all resources. You can also set condition keys in an SCP to define resource types.

The following table lists the resource types that you can define in SCP statements statements for VPC.

Table 3 Resource types supported by VPC

Resource Type

URN

vpc

vpc:<region>:<account-id>:vpc:<vpc-id>

subnet

vpc:<region>:<account-id>:subnet:<subnet-id>

privateIp

vpc:<region>:<account-id>:privateIp:<private-ip-id>

securityGroup

vpc:<region>:<account-id>:securityGroup:<security-group-id>

securityGroupRule

vpc:<region>:<account-id>:securityGroupRule:<security-group-rule-id>

port

vpc:<region>:<account-id>:port:<port-id>

peering

vpc:<region>:<account-id>:peering:<peering-id>

routeTable

vpc:<region>:<account-id>:routeTable:<route-table-id>

flowLog

vpc:<region>:<account-id>:flowLog:<flow-log-id>

addressGroup

vpc:<region>:<account-id>:addressGroup:<address-group-id>

firewall

vpc:<region>:<account-id>:firewall:<firewall-id>

publicip

vpc:<region>:<account-id>:publicip:<publicip-id>

bandwidth

vpc:<region>:<account-id>:bandwidth:<bandwidth-id>

network

vpc:<region>:<account-id>:network:<network-id>

Conditions

A Condition element lets you specify conditions for when an SCP is in effect. It contains condition keys and operators.

  • The condition key that you specify can be a global condition key or a service-specific condition key.
    • Global condition keys (with the g: prefix) apply to all actions. Cloud services do not need to provide user identity information. Instead, the system automatically obtains such information and authenticates users. For details, see Global Condition Keys.
    • Service-specific condition keys (with the abbreviation of a service name plus a colon as the prefix, for example, vpc: apply only to operations on VPC. For details, see Table 4.
    • The number of values associated with a condition key in the request context of an API call makes the condition key single-valued or multivalued. Single-valued condition keys have at most one value in the request context of an API call. Multivalued condition keys can have multiple values in the request context of an API call. For example, a request can originate from at most one VPC endpoint, so g:SourceVpce is a single-valued condition key. You can tag resources and include multiple tag key-value pairs in a request, so g:TagKeys is a multivalued condition key.
  • A condition operator, condition key, and a condition value together constitute a complete condition statement. An SCP can be applied only when its request conditions are met. For supported condition operators, see Condition operators.

The following table lists the condition keys that you can define in SCPs for VPC. You can include these condition keys to specify conditions for when your SCP is in effect.

Table 4 Service-specific condition keys supported by VPC

Service-specific Condition Key

Type

Single-valued/Multivalued

Description

vpc:VpcId

string

Multivalued

Filters accesses by VPC ID.

vpc:SubnetId

string

Multivalued

Filters accesses by subnet ID.

vpc:SecurityGroupId

string

Multivalued

Filters accesses by security group ID.

vpc:PeeringId

string

Multivalued

Filters accesses by peering connection ID.

vpc:AccepterVpcId

string

Multivalued

Filters accesses by the ID of the VPC owned by the specified recipient.

vpc:AccepterVpcOrgPath

string

Multivalued

Filters accesses by the organization path of the specified recipient of the VPC peering connection.

vpc:AccepterVpcOwner

string

Multivalued

Filters accesses by the account ID of the specified recipient of the VPC peering connection.

vpc:RequesterVpcOrgPath

string

Multivalued

Filters accesses by the organization path of the specified requester of the VPC peering connection.

vpc:RequesterVpcOwner

string

Multivalued

Filters accesses by the account ID of the specified requester of the VPC peering connection.

vpc:RequesterVpcId

string

Multivalued

Filters accesses by the ID of the VPC owned by the specified requester.

vpc:RouteTableId

string

Multivalued

Filters accesses by route table ID.

vpc:FlowLogId

string

Multivalued

Filters accesses by flow log ID.

vpc:AddressGroupId

string

Multivalued

Filters accesses by IP address group ID.

vpc:FirewallId

string

Multivalued

Filters accesses by network ACL ID.

vpc:PrivateIpId

string

Multivalued

Filters accesses by private IP address ID.

vpc:PortId

string

Multivalued

Filters accesses by port ID.

vpc:FirewallRuleDirection

string

Multivalued

Filters accesses by network ACL rule. The value can be ingress or egress.

vpc:FirewallRuleProtocol

string

Multivalued

Filters accesses by network ACL protocol. The value can be TCP, UDP, ICMP, ICMPv6, or Any.

vpc:FirewallRuleAction

string

Multivalued

Filters accesses by network ACL policy. The value can be Allow or Deny.

vpc:FirewallRuleSourcePort

numeric

Multivalued

Filters accesses by source port specified in the network ACL rule.

vpc:FirewallRuleDestinationPort

numeric

Multivalued

Filters accesses by destination port specified in the network ACL rule.

vpc:FirewallOperationType

string

Multivalued

Filters accesses by network ACL operation type. The value can be updateAcl, associateSubnet, disassociateSubnet, insertRule, updateRule, or removeRule.