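--- a/ai-opt-out/OptOutAllAIServices.json
+++ b/ai-opt-out/OptOutAllAIServices.json
@@ -0,0 +1,15 @@
+{
+ "services": {
+ "default": {
+ "@@operators_allowed_for_child_policies": [
+ "@@none"
+ ],
+ "opt_out_policy": {
+ "@@operators_allowed_for_child_policies": [
+ "@@none"
+ ],
+ "@@assign": "optOut"
+ }
+ }
+ }
+}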
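Review bot: The `"@@operators_allowed_for_child_policies": ["@@none"]` entries on both `default` and `opt_out_policy` lock the setting so that policies attached to child OUs or accounts cannot change it, yet the accompanying description (`Description: Out-Out by default, allow child OUs to override`) states the opposite. One of the two is wrong: to actually let child OUs override, drop both `@@operators_allowed_for_child_policies` arrays and keep only `"@@assign": "optOut"`; if the lock is intended, reword the description to `Description: Opt out of all AI services by default; child policies cannot override.` (which also fixes the "Out-Out" typo). This matters because a root-level `@@none` can only be relaxed by editing this policy itself, so the intended behaviour should be settled before it is attached at root.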
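--- a/ai-opt-out/OptOutAllAIServices.txt
+++ b/ai-opt-out/OptOutAllAIServices.txt
@@ -0,0 +1,4 @@
+Name: OptOutAllAIServices
+Policy type: AI services opt-out policy (customer managed)
+Description: Out-Out by default, allow child OUs to override. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out_syntax.html#ai-opt-out-policy-examples
+Targets: root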
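--- a/scp/AWSSSODenyMemberAccountInstances.json
+++ b/scp/AWSSSODenyMemberAccountInstances.json
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DenyMemberAccountInstances",
+ "Effect": "Deny",
+ "Action": [
+ "sso:CreateInstance"
+ ],
+ "Resource": "*"
+ }
+ ]
+}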
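Review bot: The `Deny` on `sso:CreateInstance` has no `Condition`, so once attached at Root it applies to every member account, including any account delegated as administrator for IAM Identity Center; since SCPs never apply to the management account, the organization instance that lives there is unaffected, which is presumably the intent behind the name. That scoping is worth stating explicitly so a later reader does not expect this policy to block the management account or to exempt the delegated administrator, e.g. `Description: Deny sso:CreateInstance in all member accounts (SCPs do not apply to the management account, where the organization instance is created).` If a specific account must be allowed to create an account instance, add an `ArnNotLike` condition on `aws:PrincipalArn` rather than detaching the policy.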
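--- a/scp/AWSSSODenyMemberAccountInstances.txt
+++ b/scp/AWSSSODenyMemberAccountInstances.txt
@@ -0,0 +1,4 @@
+Name: AWSSSODenyMemberAccountInstances
+Policy type: Service control policy (customer managed)
+Description: Prevent creation of new account instances of IAM Identity Center
+Targets: Root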
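--- a/scp/DenyAllResourcesOutsideEU.json
+++ b/scp/DenyAllResourcesOutsideEU.json
@@ -0,0 +1,59 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DenyAllOutsideEU",
+ "Effect": "Deny",
+ "NotAction": [
+ "a4b:*",
+ "aws-marketplace-management:*",
+ "aws-marketplace:*",
+ "aws-portal:*",
+ "budgets:*",
+ "ce:*",
+ "chime:*",
+ "cloudfront:*",
+ "config:*",
+ "cur:*",
+ "directconnect:*",
+ "ec2:DescribeRegions",
+ "ec2:DescribeTransitGateways",
+ "ec2:DescribeVpnGateways",
+ "fms:*",
+ "globalaccelerator:*",
+ "health:*",
+ "iam:*",
+ "importexport:*",
+ "mobileanalytics:*",
+ "networkmanager:*",
+ "organizations:*",
+ "pricing:*",
+ "route53:*",
+ "route53domains:*",
+ "route53-recovery-cluster:*",
+ "route53-recovery-control-config:*",
+ "route53-recovery-readiness:*",
+ "s3:GetAccountPublic*",
+ "s3:ListAllMyBuckets",
+ "s3:ListMultiRegionAccessPoints",
+ "s3:PutAccountPublic*",
+ "shield:*",
+ "support:*",
+ "trustedadvisor:*",
+ "waf-regional:*",
+ "waf:*",
+ "wafv2:*",
+ "wellarchitected:*"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:RequestedRegion": [
+ "eu-central-1",
+ "eu-west-1"
+ ]
+ }
+ }
+ }
+ ]
+}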
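Review bot: The `NotAction` exemption list omits `sts:*`, so any `sts:AssumeRole` or `sts:GetCallerIdentity` call that goes through the global STS endpoint (evaluated with an `aws:RequestedRegion` of `us-east-1`, as for other global services) or through a non-EU regional endpoint is denied by `DenyAllOutsideEU`; SDKs, CLIs and CI runners not pinned to an EU regional STS endpoint will fail role assumption in every member account. `acm:*` is also missing, which blocks requesting the us-east-1 ACM certificates that CloudFront — itself exempted via `cloudfront:*` — requires. Add `"acm:*",` and `"sts:*",` to the list; both appear in the AWS reference region-deny policy this list seems to be derived from. Consider also that reference's `ArnNotLike` condition on `aws:PrincipalARN` to exempt a break-glass or automation role, and note that the description's "deny all resource creation" understates the effect: with `NotAction` plus `Resource: "*"` the statement denies read actions outside the two Regions as well.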
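--- a/scp/DenyAllResourcesOutsideEU.txt
+++ b/scp/DenyAllResourcesOutsideEU.txt
@@ -0,0 +1,4 @@
+Name: DenyAllResourcesOutsideEU
+Policy type: Service control policy (customer managed)
+Description: Except global services, deny all resource creation in Regions outside eu-central-1 and eu-west-1.
+Targets: Root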
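--- a/scp/RootUserDenyAllExceptActionsThatRequireRootAccess.json
+++ b/scp/RootUserDenyAllExceptActionsThatRequireRootAccess.json
@@ -0,0 +1,19 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Deny",
+ "NotAction": [
+ "s3:GetBucketPolicy",
+ "s3:PutBucketPolicy",
+ "s3:DeleteBucketPolicy"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringLike": {
+ "aws:PrincipalArn": "arn:aws:iam::*:root"
+ }
+ }
+ }
+ ]
+}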
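Review bot: This is the only SCP in the change whose statement has no `Sid`; add `"Sid": "DenyRootUserExceptBucketPolicyRecovery",` before `"Effect"` so it matches the other three policies and is identifiable when several statements are merged or reviewed. The stated target is `All OUs below Root`, whereas the other SCPs target Root, so a member account that sits directly under the root rather than inside an OU is left unrestricted; attaching at Root closes that gap (the management account's root user is unaffected either way, since SCPs do not apply to the management account). The `StringLike` match on `arn:aws:iam::*:root` covers only the `aws` partition, which is fine unless the organization lives in `aws-cn` or `aws-us-gov`, in which case the partition segment needs a `*` too.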
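--- a/scp/RootUserDenyAllExceptActionsThatRequireRootAccess.txt
+++ b/scp/RootUserDenyAllExceptActionsThatRequireRootAccess.txt
@@ -0,0 +1,4 @@
+Name: RootUserDenyAllExceptActionsThatRequireRootAccess
+Policy type: Service control policy (customer managed)
+Description: SCP to restrict root user in your member accounts. https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html#bp_member-acct_use-scp
+Targets: All OUs below Root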