Using Amazon service control policy to restrict Amazon Workspaces with encypted volumes


I'm trying to create a service control policy to restrict creating Amazon Workspaces only with encrypted volumes. For example:

	"Effect": "Deny",
	"Action": [
	"Condition": {
		"ForAnyValues:Bool": [
		        {"workspaces:UserVolumeEncryptionEnabled": "false"},
	            {"workspaces:RootVolumeEncryptionEnabled": "false"}
	"Resource": [

However, the service control policy editor gives me an error: "The provided policy document does not meet the requirements of the specified policy type." Why is this happening?

asked 2 years ago46 views
1 Answer
Accepted Answer

Amazon WorkSpaces doesn't have any service level condition keys that you can use with a service control policy. Therefore, specifying the "workspaces:userVolumeEncryptionEnabled" as a condition in your policy will cause an error. For more information, see Specify WorkSpaces resources in an IAM policy.

profile picture
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions