From c13b2d03b1ea77f673b36474c2446d3d7c8c608e Mon Sep 17 00:00:00 2001
From: Dominik Wombacher
Date: Sun, 12 May 2024 12:59:59 +0200
Subject: [PATCH] feat: Initial version of Policies created and applied via AWS Organizations
---
 ai-opt-out/OptOutAllAIServices.json | 15 +++++
 ai-opt-out/OptOutAllAIServices.txt | 4 ++
 scp/AWSSSODenyMemberAccountInstances.json | 13 ++++
 scp/AWSSSODenyMemberAccountInstances.txt | 4 ++
 scp/DenyAllResourcesOutsideEU.json | 59 +++++++++++++++++++
 scp/DenyAllResourcesOutsideEU.txt | 4 ++
 ...AllExceptActionsThatRequireRootAccess.json | 19 ++++++
 ...yAllExceptActionsThatRequireRootAccess.txt | 4 ++
 8 files changed, 122 insertions(+)
 create mode 100644 ai-opt-out/OptOutAllAIServices.json
 create mode 100644 ai-opt-out/OptOutAllAIServices.txt
 create mode 100644 scp/AWSSSODenyMemberAccountInstances.json
 create mode 100644 scp/AWSSSODenyMemberAccountInstances.txt
 create mode 100644 scp/DenyAllResourcesOutsideEU.json
 create mode 100644 scp/DenyAllResourcesOutsideEU.txt
 create mode 100644 scp/RootUserDenyAllExceptActionsThatRequireRootAccess.json
 create mode 100644 scp/RootUserDenyAllExceptActionsThatRequireRootAccess.txt
diff --git a/ai-opt-out/OptOutAllAIServices.json b/ai-opt-out/OptOutAllAIServices.json
new file mode 100644
index 0000000..8bc36fd
--- /dev/null
+++ b/ai-opt-out/OptOutAllAIServices.json
@@ -0,0 +1,15 @@
+{
+ "services": {
+ "default": {
+ "@@operators_allowed_for_child_policies": [
+ "@@none"
+ ],
+ "opt_out_policy": {
+ "@@operators_allowed_for_child_policies": [
+ "@@none"
+ ],
+ "@@assign": "optOut"
+ }
+ }
+ }
+}
diff --git a/ai-opt-out/OptOutAllAIServices.txt b/ai-opt-out/OptOutAllAIServices.txt
new file mode 100644
index 0000000..513ab81
--- /dev/null
+++ b/ai-opt-out/OptOutAllAIServices.txt
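Review bot: The two `"@@operators_allowed_for_child_policies": ["@@none"]` entries in this opt-out policy forbid child policies from changing the value, which contradicts the accompanying .txt description in the next hunk ("allow child OUs to override"). `@@none` is the stricter behaviour and matches the AWS "prevent child OUs from overriding" example, so the likely fix is the description rather than the policy: `Description: Opt out of all AI services by default; child OUs cannot override.` If per-OU overrides really are intended, the two `@@operators_allowed_for_child_policies` arrays would have to be removed instead, and that should be a deliberate decision because it lets any child OU re-enable AI service data use for its accounts.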
@@ -0,0 +1,4 @@
+Name: OptOutAllAIServices
+Policy type: AI services opt-out policy (customer managed)
+Description: Out-Out by default, allow child OUs to override. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out_syntax.html#ai-opt-out-policy-examples
+Targets: root
diff --git a/scp/AWSSSODenyMemberAccountInstances.json b/scp/AWSSSODenyMemberAccountInstances.json
new file mode 100644
index 0000000..71eff09
--- /dev/null
+++ b/scp/AWSSSODenyMemberAccountInstances.json
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DenyMemberAccountInstances",
+ "Effect": "Deny",
+ "Action": [
+ "sso:CreateInstance"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/scp/AWSSSODenyMemberAccountInstances.txt b/scp/AWSSSODenyMemberAccountInstances.txt
new file mode 100644
index 0000000..f1e7be8
--- /dev/null
+++ b/scp/AWSSSODenyMemberAccountInstances.txt
@@ -0,0 +1,4 @@
+Name: AWSSSODenyMemberAccountInstances
+Policy type: Service control policy (customer managed)
+Description: Prevent creation of new account instances of IAM Identity Center
+Targets: Root
diff --git a/scp/DenyAllResourcesOutsideEU.json b/scp/DenyAllResourcesOutsideEU.json
new file mode 100644
index 0000000..ac46672
--- /dev/null
+++ b/scp/DenyAllResourcesOutsideEU.json
@@ -0,0 +1,59 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DenyAllOutsideEU",
+ "Effect": "Deny",
+ "NotAction": [
+ "a4b:*",
+ "aws-marketplace-management:*",
+ "aws-marketplace:*",
+ "aws-portal:*",
+ "budgets:*",
+ "ce:*",
+ "chime:*",
+ "cloudfront:*",
+ "config:*",
+ "cur:*",
+ "directconnect:*",
+ "ec2:DescribeRegions",
+ "ec2:DescribeTransitGateways",
+ "ec2:DescribeVpnGateways",
+ "fms:*",
+ "globalaccelerator:*",
+ "health:*",
+ "iam:*",
+ "importexport:*",
+ "mobileanalytics:*",
+ "networkmanager:*",
+ "organizations:*",
+ "pricing:*",
+ "route53:*",
+ "route53domains:*",
+ "route53-recovery-cluster:*",
+ "route53-recovery-control-config:*",
+ "route53-recovery-readiness:*",
+ "s3:GetAccountPublic*",
+ "s3:ListAllMyBuckets",
+ "s3:ListMultiRegionAccessPoints",
+ "s3:PutAccountPublic*",
+ "shield:*",
+ "support:*",
+ "trustedadvisor:*",
+ "waf-regional:*",
+ "waf:*",
+ "wafv2:*",
+ "wellarchitected:*"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:RequestedRegion": [
+ "eu-central-1",
+ "eu-west-1"
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/scp/DenyAllResourcesOutsideEU.txt b/scp/DenyAllResourcesOutsideEU.txt
new file mode 100644
index 0000000..22a9245
--- /dev/null
+++ b/scp/DenyAllResourcesOutsideEU.txt
@@ -0,0 +1,4 @@
+Name: DenyAllResourcesOutsideEU
+Policy type: Service control policy (customer managed)
+Description: Except global services, deny all resource creation in Regions outside eu-central-1 and eu-west-1.
+Targets: Root
diff --git a/scp/RootUserDenyAllExceptActionsThatRequireRootAccess.json b/scp/RootUserDenyAllExceptActionsThatRequireRootAccess.json
new file mode 100644
index 0000000..4315b3e
--- /dev/null
+++ b/scp/RootUserDenyAllExceptActionsThatRequireRootAccess.json
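Review bot: The `NotAction` exemption list omits `sts:*`, even though the rest of it tracks the AWS region-deny reference policy, which as far as I recall exempts STS because calls to the global `sts.amazonaws.com` endpoint are evaluated with `aws:RequestedRegion` set to `us-east-1`. As written, `sts:AssumeRole` and `sts:GetCallerIdentity` through the global endpoint would be denied in member accounts, which can break console role switching and any tooling that does not pin a regional STS endpoint; unless that denial is intended, add `"sts:*",` between `"shield:*",` and `"support:*",`. The statement also has no `ArnNotLike` on `aws:PrincipalARN` for a break-glass role; that is stricter than the AWS example and acceptable, but it is worth recording that choice in the .txt so it is not re-added casually later.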
@@ -0,0 +1,19 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Deny",
+ "NotAction": [
+ "s3:GetBucketPolicy",
+ "s3:PutBucketPolicy",
+ "s3:DeleteBucketPolicy"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringLike": {
+ "aws:PrincipalArn": "arn:aws:iam::*:root"
+ }
+ }
+ }
+ ]
+}
diff --git a/scp/RootUserDenyAllExceptActionsThatRequireRootAccess.txt b/scp/RootUserDenyAllExceptActionsThatRequireRootAccess.txt
new file mode 100644
index 0000000..b791f3e
--- /dev/null
+++ b/scp/RootUserDenyAllExceptActionsThatRequireRootAccess.txt
@@ -0,0 +1,4 @@
+Name: RootUserDenyAllExceptActionsThatRequireRootAccess
+Policy type: Service control policy (customer managed)
+Description: SCP to restrict root user in your member accounts. https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html#bp_member-acct_use-scp
+Targets: All OUs below Root
--
2.45.2
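Review bot: This statement is the only SCP in the commit without a `Sid`; adding `"Sid": "DenyRootUserExceptBucketPolicyActions",` before `"Effect": "Deny"` keeps the four files consistent and makes denied events easier to attribute in CloudTrail. The matching .txt lists `Targets: All OUs below Root`, whereas the other SCPs are attached at Root; an account that sits directly under Root (for example one not yet moved into an OU) would then not be covered, and because SCPs never apply to the management account anyway, attaching at Root closes that gap without side effects. The `StringLike` on `aws:PrincipalArn` restricts only member-account root users; the management account's root user is out of reach of any SCP and still needs its own controls (MFA, no access keys).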