# Disable unused services and regions

On AWS it is recommended to disable the services and regions you do not use, mainly for the following reasons:

1. **Better security**: disabling unused services and regions shrinks the attack surface. Resources that an attacker creates in a region nobody monitors, or through a service nobody reviews, are far less likely to be noticed, so denying them outright lowers the risk of data leakage and unauthorized access.
2. **Lower cost**: blocking services that are not in use prevents accidental or unauthorized spend and keeps resource usage in line with what the business actually needs.
3. **Simpler operations**: fewer services and regions to manage means fewer places to monitor, patch and audit, which improves overall operational efficiency.

## Adding an SCP to disable unused services and regions

1. Identify the services and regions you actually use

Cost Explorer shows which services and regions have incurred cost; whatever does not appear there is a candidate for denial through an SCP. Note that Cost Explorer only reflects usage that produced a billing line item, so cross-check with CloudTrail event history (and the IAM "last accessed" data for services) before denying anything, otherwise low-volume but legitimate use may be cut off.

2. Add an SCP that denies the unused services and regions

Attach an [SCP](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html?icmpid=docs_orgs_console) to the account, organizational unit or root, following the AWS reference example: <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region>

Replace the regions under `aws:RequestedRegion` with the ones you use and the role ARNs under `aws:PrincipalARN` with any break-glass roles that must be able to bypass the policy. Everything not listed is denied: any action in any region other than those named, except the actions in `NotAction`. Those belong to global services (IAM, STS, Organizations, Route 53, CloudFront, Support and so on) that are not served from a regional endpoint, and they must stay exempt or the policy will break them. To deny a whole service rather than a region, add a separate `Deny` statement whose `Action` lists that service's actions (for example `"<service>:*"`) with no region condition. Two properties of SCPs to keep in mind when testing: an SCP never grants permissions, it only caps what identity policies can grant, and SCPs do not apply to the organization's management account, so test from a member account.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideEU",
            "Effect": "Deny",
            "NotAction": [
                "a4b:*",
                "acm:*",
                "aws-marketplace-management:*",
                "aws-marketplace:*",
                "aws-portal:*",
                "budgets:*",
                "ce:*",
                "chime:*",
                "cloudfront:*",
                "config:*",
                "cur:*",
                "directconnect:*",
                "ec2:DescribeRegions",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeVpnGateways",
                "fms:*",
                "globalaccelerator:*",
                "health:*",
                "iam:*",
                "importexport:*",
                "kms:*",
                "mobileanalytics:*",
                "networkmanager:*",
                "organizations:*",
                "pricing:*",
                "route53:*",
                "route53domains:*",
                "route53-recovery-cluster:*",
                "route53-recovery-control-config:*",
                "route53-recovery-readiness:*",
                "s3:GetAccountPublic*",
                "s3:ListAllMyBuckets",
                "s3:ListMultiRegionAccessPoints",
                "s3:PutAccountPublic*",
                "shield:*",
                "sts:*",
                "support:*",
                "trustedadvisor:*",
                "waf-regional:*",
                "waf:*",
                "wafv2:*",
                "wellarchitected:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "eu-central-1",
                        "eu-west-1"
                    ]
                },
                "ArnNotLike": {
                    "aws:PrincipalARN": [
                        "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
                        "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
                    ]
                }
            }
        }
    ]
}
```
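
The following script is an added worked example, not code from the page or from AWS. It derives the region allow-list from a Cost Explorer result, builds the deny-outside-regions SCP shown above, and evaluates sample requests against it offline so you can confirm the `NotAction` exemptions and the bypass role behave as intended before attaching the policy. The Cost Explorer response is constructed for the demo (the amounts and the account ID `123456789012` are made up), the `NotAction` list is a trimmed subset of the one above, and the evaluator models only this single `Deny` statement, not the full IAM evaluation chain.

```python
"""Build a deny-outside-allowed-regions SCP from Cost Explorer data and
evaluate sample requests against it. Added example; not from the page."""
import fnmatch
import json
import re

# Constructed stand-in for a GetCostAndUsage response grouped by REGION.
# Assumption: row keys follow the real API (region codes plus "global" and
# "NoRegion" rows); the amounts are invented for the demo.
SAMPLE_COST_EXPLORER_RESPONSE = {
    "ResultsByTime": [{
        "Groups": [
            {"Keys": ["eu-central-1"], "Metrics": {"UnblendedCost": {"Amount": "812.40", "Unit": "USD"}}},
            {"Keys": ["eu-west-1"], "Metrics": {"UnblendedCost": {"Amount": "95.10", "Unit": "USD"}}},
            {"Keys": ["ap-southeast-1"], "Metrics": {"UnblendedCost": {"Amount": "0.0031", "Unit": "USD"}}},
            {"Keys": ["us-east-1"], "Metrics": {"UnblendedCost": {"Amount": "0", "Unit": "USD"}}},
            {"Keys": ["global"], "Metrics": {"UnblendedCost": {"Amount": "12.00", "Unit": "USD"}}},
            {"Keys": ["NoRegion"], "Metrics": {"UnblendedCost": {"Amount": "0", "Unit": "USD"}}},
        ],
    }],
}

# Trimmed subset of the page's NotAction list (global services and the few
# regional read calls the console needs); extend it from the full policy.
GLOBAL_ACTIONS = [
    "cloudfront:*", "iam:*", "organizations:*", "route53:*", "sts:*",
    "support:*", "ec2:DescribeRegions", "s3:ListAllMyBuckets",
]
BYPASS_ROLES = ["arn:aws:iam::*:role/Role1AllowedToBypassThisSCP"]  # hypothetical
DEV_ROLE = "arn:aws:iam::123456789012:role/Developer"               # hypothetical

REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def used_regions(cost_explorer_response, min_cost=0.0):
    """Return sorted region codes whose cost exceeds min_cost.
    Rows such as "global"/"NoRegion" are skipped; a small min_cost filters
    out noise, but anything filtered here must be cross-checked in CloudTrail."""
    found = set()
    for period in cost_explorer_response["ResultsByTime"]:
        for group in period["Groups"]:
            region = group["Keys"][0]
            amount = float(group["Metrics"]["UnblendedCost"]["Amount"])
            if REGION_RE.match(region) and amount > min_cost:
                found.add(region)
    return sorted(found)


def build_region_scp(allowed_regions, bypass_role_arns, global_actions=GLOBAL_ACTIONS):
    """Produce the same statement shape as the AWS deny-region example."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": list(global_actions),
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)},
                "ArnNotLike": {"aws:PrincipalARN": list(bypass_role_arns)},
            },
        }],
    }


def _action_matches(pattern, action):
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())  # actions are case-insensitive


def _arn_matches(pattern, arn):
    return fnmatch.fnmatchcase(arn, pattern)  # ARN matching keeps case


def scp_denies(policy, action, requested_region, principal_arn):
    """True if the Deny statement applies. Every part must match: action not
    exempted by NotAction, region not in the allow-list, principal not a bypass role."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if any(_action_matches(p, action) for p in stmt.get("NotAction", [])):
            continue
        cond = stmt.get("Condition", {})
        if requested_region in cond.get("StringNotEquals", {}).get("aws:RequestedRegion", []):
            continue
        if any(_arn_matches(p, principal_arn) for p in cond.get("ArnNotLike", {}).get("aws:PrincipalARN", [])):
            continue
        return True
    return False


if __name__ == "__main__":
    policy = build_region_scp(used_regions(SAMPLE_COST_EXPLORER_RESPONSE, min_cost=1.0), BYPASS_ROLES)
    print(json.dumps(policy, indent=4))
    for action, region in [("ec2:RunInstances", "us-east-1"), ("ec2:RunInstances", "eu-west-1"),
                           ("iam:CreateUser", "us-east-1")]:
        verdict = "DENIED" if scp_denies(policy, action, region, DEV_ROLE) else "not denied by SCP"
        print(f"{action} in {region}: {verdict}")
```

In a real run, replace `SAMPLE_COST_EXPLORER_RESPONSE` with the output of `boto3.client("ce").get_cost_and_usage(...)` using `GroupBy=[{"Type": "DIMENSION", "Key": "REGION"}]`. "Not denied by SCP" is not "allowed": the principal still needs an identity policy that grants the action, and this evaluator ignores other SCPs, permission boundaries and resource policies.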
