{
  "_comment": "Example Resource Control Policy (RCP) for an org-wide S3 data perimeter. Attach to the org root or an OU. RCPs bound what can be done TO a resource, including by external principals, regardless of the bucket policy. Note that the first statement exempts AWS service principals (aws:PrincipalIsAWSService true) from the org-ID check, so service-principal access is not bounded by this policy on its own. Test in a NON-PROD OU first and review CloudTrail for Access Denied events before attaching to root. RCPs do not affect the management account. Replace o-EXAMPLE with your org ID. Remove this _comment element before attaching: it is not part of the policy grammar and the document may be rejected as malformed. Verify current RCP-supported services in the AWS Organizations User Guide before relying on this.",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceOrgIdentityPerimeterOnS3",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "o-EXAMPLE"
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    },
    {
      "Sid": "RequireTLSForS3",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:*"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
