Merge pull request #3 from ericstraavaldsen/master

US Region limit with a role that can operate outside the region limit.
cloud · Oct 28, 2019 · 50b711b · 50b711b
2 parents a9f89c8 + da9441f
commit 50b711b
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -16,6 +16,7 @@ A repository of community generated Service control policies (SCPs) and referenc
 - [prevent-deletion-of-service-resources](prevent-deletion-of-service-resources.policy) - Protect various organizational roles and resources curated for service and governance related purposes. 
 
 - [ec2-encrypt-ebs](ec2-encrypt-ebs.policy) - Set enforces setting where ebs volumes are encrypted by default - to set default for account use cli command: aws ec2 enable-ebs-encryption-by-default    Not setting up a default encryption will generate a difficult to understand error.
+- [us-regions-only-group-exception](us-regions-only-group-exception.policy) - Sets limit to only be able to configure AWS resources in US regions for most users.  It includes an example role that is allowed to opperate in any region.
 
 - [s3-us-only-buckets](s3-us-only-buckets.policy) - Allows creation of an S3 bucket only in the US EAST (us-east-1 or us-east-2) or WEST (us-west-1 or us-west-2) regions.
 

diff --git a/us-regions-only-group-exception.policy b/us-regions-only-group-exception.policy
@@ -0,0 +1,37 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "DenyAllOutsideUS",
+            "Effect": "Deny",
+            "NotAction": [
+                "iam:*",
+                "organizations:*",
+                "route53:*",
+                "budgets:*",
+                "waf:*",
+                "cloudfront:*",
+                "globalaccelerator:*",
+                "importexport:*",
+                "support:*",
+                "sts:*"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "StringNotEquals": {
+                    "aws:RequestedRegion": [
+                        "us-east-1",
+                        "us-east-2",
+                        "us-west-1",
+                        "us-west-2"
+                    ]
+                },
+                "StringNotLike": {
+                    "aws:PrincipalArn": [
+                    "arn:aws:iam::*:role/NetIDSuperAdmistratorAccess",
+                    "arn:aws:iam::*:role/NetIDCloudTeamAccess"]
+                }
+            }
+        }
+    ]
+}