diff --git a/README.md b/README.md
new file mode 100644
index 0000000..4a00cc3
--- /dev/null
+++ b/README.md
@@ -0,0 +1,22 @@
+# AWS Organizations Service Control Policies
+---
+
+## Description
+
+A repository of community generated Service control policies (SCPs) and reference links to ensure proper governance and access control guidelines across your entire organization. Please feel free to contribute or submit a pull request if you would like to improve an existing SCP or share additional ones.
+
+## Example Policies
+
+- [us-regions-only](us-regions-only.policy) - Deny actions unless performed in one of the US related regions
+
+- [prevent-resourcesharing](prevent-resourcesharing.policy) - Prevent account from creating or deleting resource shares within the organization
+
+- [prevent-disabling-cloudtrail](prevent-disabling-cloudtrail.policy) - Account cannot disable CloudTrail service
+
+- [prevent-deletion-of-service-resources](prevent-deletion-of-service-resources.policy) - Protect various organizational roles and resources curated for service and governance related purposes.
+
+## Reference Links
+
+- [Service Control Policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html) - AWS Organizations - Service Control Policies Documentation
+
+- [Example Control Policies](https://github.com/awsdocs/aws-organizations-docs/blob/master/doc_source/orgs_manage_policies_example-scps.md)
\ No newline at end of file
diff --git a/prevent-deletion-of-service-resources.policy b/prevent-deletion-of-service-resources.policy
new file mode 100644
index 0000000..092dd49
--- /dev/null
+++ b/prevent-deletion-of-service-resources.policy
@@ -0,0 +1,35 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DenyAccessToRole",
+ "Effect": "Deny",
+ "Action": [
+ "iam:AttachRolePolicy",
+ "iam:DeleteRole",
+ "iam:DeleteRolePermissionsBoundary",
+ "iam:DeleteRolePolicy",
+ "iam:DetachRolePolicy",
+ "iam:PutRolePermissionsBoundary",
+ "iam:PutRolePolicy",
+ "iam:UpdateAssumeRolePolicy",
+ "iam:UpdateRole",
+ "iam:UpdateRoleDescription"
+ ],
+ "Resource": [
+ "arn:aws:iam::*:role/role-to-protect"
+ ]
+ },
+ {
+ "Sid": "DenyAccessToShibbolethIDP",
+ "Effect": "Deny",
+ "Action": [
+ "iam:DeleteSAMLProvider",
+ "iam:UpdateSAMLProvider"
+ ],
+ "Resource": [
+ "arn:aws:iam::*:saml-provider/idp-to-protect"
+ ]
+ }
+ ]
+}
diff --git a/prevent-disabling-cloudtrail.policy b/prevent-disabling-cloudtrail.policy
new file mode 100644
index 0000000..80ee5ae
--- /dev/null
+++ b/prevent-disabling-cloudtrail.policy
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "PreventDisablingOfCloudTrails",
+ "Effect": "Deny",
+ "Action": [
+ "cloudtrail:StopLogging"
+ ],
+ "Resource": [
+ "*"
+ ]
+ }
+ ]
+}
diff --git a/prevent-resourcesharing.policy b/prevent-resourcesharing.policy
new file mode 100644
index 0000000..420bd20
--- /dev/null
+++ b/prevent-resourcesharing.policy
@@ -0,0 +1,18 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "PreventResourceSharing",
+ "Effect": "Deny",
+ "Action": [
+ "ram:AssociateResourceShare",
+ "ram:CreateResourceShare",
+ "ram:DeleteResourceShare",
+ "ram:EnableSharingWithAwsOrganization"
+ ],
+ "Resource": [
+ "*"
+ ]
+ }
+ ]
+}
diff --git a/us-regions-only.policy b/us-regions-only.policy
new file mode 100644
index 0000000..51756c5
--- /dev/null
+++ b/us-regions-only.policy
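Review bot: Both Deny statements in prevent-deletion-of-service-resources.policy bind every principal in the account, so once the SCP is attached nobody inside a member account can refresh the SAML metadata of `idp-to-protect` or adjust the trust policy of `role-to-protect`, because `iam:UpdateSAMLProvider` and `iam:UpdateAssumeRolePolicy` are denied without any condition. If routine maintenance is expected from within the account, a `"Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/<admin-role-placeholder>"}}` on each statement limits the deny to everyone except a designated administration role, which is the shape AWS's published example SCPs use. The resource names `role-to-protect` and `idp-to-protect` read as placeholders; since the `.policy` file has no comment syntax, the README entry for this policy should state that both must be replaced before the SCP is attached.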
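Review bot: The single `cloudtrail:StopLogging` entry in prevent-disabling-cloudtrail.policy does not deliver what the README promises ("Account cannot disable CloudTrail service"), because a trail can still be removed with `cloudtrail:DeleteTrail` or reconfigured with `cloudtrail:UpdateTrail` and `cloudtrail:PutEventSelectors` until it records nothing useful. Either widen the `Action` array to `"cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"` or narrow the README wording to "cannot stop logging on existing trails". Note that SCPs never apply to the organization's management account, so this policy protects member-account trails only; an organization trail owned by the management account is the stronger baseline and this SCP is a complement to it, which is worth saying in the README.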
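Review bot: prevent-resourcesharing.policy leaves `ram:UpdateResourceShare` and `ram:DisassociateResourceShare` out of the `Action` array, so an existing share's settings (such as whether external principals are allowed) and its associations can still be changed even though creating and deleting shares is denied. Adding `"ram:UpdateResourceShare", "ram:DisassociateResourceShare"` makes existing shares as immutable as new ones are. `ram:AcceptResourceShareInvitation` is also absent, meaning the account can still accept shares offered from outside the organization; whether that inbound direction should be denied too depends on the intended posture and should be stated in the README entry.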
@@ -0,0 +1,32 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DenyAllOutsideUS",
+ "Effect": "Deny",
+ "NotAction": [
+ "iam:*",
+ "organizations:*",
+ "route53:*",
+ "budgets:*",
+ "waf:*",
+ "cloudfront:*",
+ "globalaccelerator:*",
+ "importexport:*",
+ "support:*",
+ "sts:*"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:RequestedRegion": [
+ "us-east-1",
+ "us-east-2",
+ "us-west-1",
+ "us-west-2"
+ ]
+ }
+ }
+ }
+ ]
+}
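Review bot: The `Condition` block in us-regions-only.policy carries no principal exemption, so the region deny also binds any break-glass or administrative role, and the `NotAction` list is a hand-maintained allowlist of global services that will silently go stale. AWS's published region-restriction example pairs the same `StringNotEquals` on `aws:RequestedRegion` with an `ArnNotLike` condition on `aws:PrincipalARN` naming an exempt role, and its `NotAction` list also carries entries such as `health:*`, `trustedadvisor:*`, `ce:*`, `cur:*` and `shield:*`. Because many single-endpoint global services are evaluated with `us-east-1` as the requested region, some omissions may be harmless for a US-only policy, but that should be verified per service rather than assumed. A one-line note in the README saying `NotAction` must be revisited whenever a new global service is adopted would help maintainers.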