To block the ec2:Describe* action for a specific IAM role, you can create and attach a Service Control Policy (SCP) to an AWS account, Organizational Unit (OU), or the root of your AWS Organization. This… Blocking EC2: Describe* Actions via an SCP