From dd22edefb19559801c5656af0b84e0fbd89848a0 Mon Sep 17 00:00:00 2001
From: eric straavaldsen
Date: Wed, 28 Aug 2019 10:25:42 -0500
Subject: [PATCH] ebs encryption SCP with basic doc added

---
 README.md | 4 +++-
 ec2-encreypt-ebs.policy | 20 ++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 ec2-encreypt-ebs.policy

diff --git a/README.md b/README.md
index 4a00cc3..0b4b0ac 100644
--- a/README.md
+++ b/README.md
@@ -15,8 +15,10 @@ A repository of community generated Service control policies (SCPs) and referenc
 - [prevent-deletion-of-service-resources](prevent-deletion-of-service-resources.policy) - Protect various organizational roles and resources curated for service and governance related purposes.
+- [ec2-encrypt-ebs] (ec2-encrypt-ebs.policy) - Set enforces setting where ebs volumes are encrypted by default - to set default for account use cli command (aws ec2 enable-ebs-encryption-by-default) Not setting up a default encryption will generate a difficult to understand error.
+
 ## Reference Links
 - [Service Control Policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html) - AWS Organizations - Service Control Policies Documentation
-- [Example Control Policies](https://github.com/awsdocs/aws-organizations-docs/blob/master/doc_source/orgs_manage_policies_example-scps.md)
\ No newline at end of file
+- [Example Control Policies](https://github.com/awsdocs/aws-organizations-docs/blob/master/doc_source/orgs_manage_policies_example-scps.md)
diff --git a/ec2-encreypt-ebs.policy b/ec2-encreypt-ebs.policy
new file mode 100644
index 0000000..b2b45ea
--- /dev/null
+++ b/ec2-encreypt-ebs.policy
@@ -0,0 +1,20 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "Require EC2 Encryption",
+      "Effect": "Deny",
+      "Action": [
+        "ec2:RunInstances"
+      ],
+      "Condition": {
+        "Bool": {
+          "ec2:Encrypted": "false"
+        }
+      },
+      "Resource": [
+        "*"
+      ]
+    }
+  ]
+}
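Review bot: The new file is created as `ec2-encreypt-ebs.policy` (typo) while the README entry added in the same commit links to `ec2-encrypt-ebs.policy`, so the link is dead on arrival; rename the file to match, and while there tighten the README entry to `[ec2-encrypt-ebs](ec2-encrypt-ebs.policy)` because the space before the parenthesis stops it rendering as a link. IAM policy grammar restricts a Sid to ASCII letters and digits, so `"Sid": "Require EC2 Encryption"` is likely to be rejected when the SCP is created; `"Sid": "RequireEC2Encryption"` is safe. The statement denies only `ec2:RunInstances` with an unencrypted volume, whereas the README describes it as enforcing encryption by default; nothing here stops `ec2:DisableEbsEncryptionByDefault` or an unencrypted `ec2:CreateVolume`, so consider adding `"ec2:CreateVolume"` to the Action list (the same `ec2:Encrypted` condition applies to it) and a second statement such as `{"Sid": "ProtectEbsEncryptionByDefault", "Effect": "Deny", "Action": ["ec2:DisableEbsEncryptionByDefault"], "Resource": "*"}`. The README's claim that the SCP "enforces" the default should then be reworded to say what is actually blocked.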