
c13b2d03b1ea77f673b36474c2446d3d7c8c608e — Dominik Wombacher 4 months ago 760f196 main
feat: Initial version of Policies created and applied via AWS Organizations
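--- a/ai-opt-out/OptOutAllAIServices.json
+++ b/ai-opt-out/OptOutAllAIServices.json
@@ -0,0 +1,15 @@
+{
+  "services": {
+    "default": {
+      "@@operators_allowed_for_child_policies": [
+        "@@none"
+      ],
+      "opt_out_policy": {
+        "@@operators_allowed_for_child_policies": [
+          "@@none"
+        ],
+        "@@assign": "optOut"
+      }
+    }
+  }
+}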
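Review bot: The `"@@operators_allowed_for_child_policies": ["@@none"]` arrays on both the `default` node and the `opt_out_policy` node forbid every child operator, so OUs and accounts below the root cannot override the opt-out, yet the accompanying OptOutAllAIServices.txt describes the policy as "allow child OUs to override". One of the two needs to change: if override is the intent, drop both `@@operators_allowed_for_child_policies` arrays so a child policy may `@@assign` a different value; if the lock is the intent, correct the description (and its "Out-Out" typo to "Opt-Out"). As written, the policy and its documentation state opposite inheritance behaviour.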

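--- a/ai-opt-out/OptOutAllAIServices.txt
+++ b/ai-opt-out/OptOutAllAIServices.txt
@@ -0,0 +1,4 @@
+Name: OptOutAllAIServices
+Policy type: AI services opt-out policy (customer managed)
+Description: Out-Out by default, allow child OUs to override. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out_syntax.html#ai-opt-out-policy-examples
+Targets: root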

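--- a/scp/AWSSSODenyMemberAccountInstances.json
+++ b/scp/AWSSSODenyMemberAccountInstances.json
@@ -0,0 +1,13 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "DenyMemberAccountInstances",
+      "Effect": "Deny",
+      "Action": [
+        "sso:CreateInstance"
+      ],
+      "Resource": "*"
+    }
+  ]
+}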

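--- a/scp/AWSSSODenyMemberAccountInstances.txt
+++ b/scp/AWSSSODenyMemberAccountInstances.txt
@@ -0,0 +1,4 @@
+Name: AWSSSODenyMemberAccountInstances
+Policy type: Service control policy (customer managed)
+Description: Prevent creation of new account instances of IAM Identity Center
+Targets: Root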

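--- a/scp/DenyAllResourcesOutsideEU.json
+++ b/scp/DenyAllResourcesOutsideEU.json
@@ -0,0 +1,59 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "DenyAllOutsideEU",
+      "Effect": "Deny",
+      "NotAction": [
+        "a4b:*",
+        "aws-marketplace-management:*",
+        "aws-marketplace:*",
+        "aws-portal:*",
+        "budgets:*",
+        "ce:*",
+        "chime:*",
+        "cloudfront:*",
+        "config:*",
+        "cur:*",
+        "directconnect:*",
+        "ec2:DescribeRegions",
+        "ec2:DescribeTransitGateways",
+        "ec2:DescribeVpnGateways",
+        "fms:*",
+        "globalaccelerator:*",
+        "health:*",
+        "iam:*",
+        "importexport:*",
+        "mobileanalytics:*",
+        "networkmanager:*",
+        "organizations:*",
+        "pricing:*",
+        "route53:*",
+        "route53domains:*",
+        "route53-recovery-cluster:*",
+        "route53-recovery-control-config:*",
+        "route53-recovery-readiness:*",
+        "s3:GetAccountPublic*",
+        "s3:ListAllMyBuckets",
+        "s3:ListMultiRegionAccessPoints",
+        "s3:PutAccountPublic*",
+        "shield:*",
+        "support:*",
+        "trustedadvisor:*",
+        "waf-regional:*",
+        "waf:*",
+        "wafv2:*",
+        "wellarchitected:*"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringNotEquals": {
+          "aws:RequestedRegion": [
+            "eu-central-1",
+            "eu-west-1"
+          ]
+        }
+      }
+    }
+  ]
+}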
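Review bot: The `NotAction` list carries no `sts:*` entry, so STS calls made through the global endpoint, which `aws:RequestedRegion` appears to report as us-east-1, would be denied for every principal in the member accounts; the AWS region-restriction example this list seems to derive from includes `"sts:*",` among the global services for exactly that reason, so adding it next to `"support:*",` is worth confirming against that example. The Deny also has no principal exemption: the AWS example pairs the `aws:RequestedRegion` condition with an `ArnNotLike` on `aws:PrincipalARN` so that an administration or break-glass role is not locked out of the other Regions, and nothing here reproduces that. Separately, the DenyAllResourcesOutsideEU.txt description says "deny all resource creation", but the statement denies every non-listed action, reads and describes included; the description should say "deny all actions" so operators are not surprised.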

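--- a/scp/DenyAllResourcesOutsideEU.txt
+++ b/scp/DenyAllResourcesOutsideEU.txt
@@ -0,0 +1,4 @@
+Name: DenyAllResourcesOutsideEU
+Policy type: Service control policy (customer managed)
+Description: Except global services, deny all resource creation in Regions outside eu-central-1 and eu-west-1.
+Targets: Root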

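--- a/scp/RootUserDenyAllExceptActionsThatRequireRootAccess.json
+++ b/scp/RootUserDenyAllExceptActionsThatRequireRootAccess.json
@@ -0,0 +1,19 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Deny",
+      "NotAction": [
+        "s3:GetBucketPolicy",
+        "s3:PutBucketPolicy",
+        "s3:DeleteBucketPolicy"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringLike": {
+          "aws:PrincipalArn": "arn:aws:iam::*:root"
+        }
+      }
+    }
+  ]
+}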
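Review bot: The statement has no `Sid`, unlike the other two SCPs in this commit (`DenyMemberAccountInstances`, `DenyAllOutsideEU`), which makes the statement harder to refer to when reviewing evaluations and breaks the convention the other files set; add one such as `"Sid": "RootUserDenyAllExceptBucketPolicy",` before `"Effect"`. The `NotAction` exempts only the three S3 bucket-policy actions, while the file name promises to keep every action that requires root; any other root-only task remains denied by this policy, so if that narrowing is intentional the RootUserDenyAllExceptActionsThatRequireRootAccess.txt description should name the three S3 exceptions explicitly rather than the generic "restrict root user". Since SCPs do not apply to the management account, its root user is unaffected whatever the target, which is worth stating in the same description.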

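--- a/scp/RootUserDenyAllExceptActionsThatRequireRootAccess.txt
+++ b/scp/RootUserDenyAllExceptActionsThatRequireRootAccess.txt
@@ -0,0 +1,4 @@
+Name: RootUserDenyAllExceptActionsThatRequireRootAccess
+Policy type: Service control policy (customer managed)
+Description: SCP to restrict root user in your member accounts. https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html#bp_member-acct_use-scp
+Targets: All OUs below Root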