diff --git a/README.md b/README.md
index cc19de7..85310db 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,7 @@ A repository of community generated Service control policies (SCPs) and referenc
 - [prevent-deletion-of-service-resources](prevent-deletion-of-service-resources.policy) - Protect various organizational roles and resources curated for service and governance related purposes.
 - [ec2-encrypt-ebs](ec2-encrypt-ebs.policy) - Set enforces setting where ebs volumes are encrypted by default - to set default for account use cli command: aws ec2 enable-ebs-encryption-by-default Not setting up a default encryption will generate a difficult to understand error.
+- [us-regions-only-group-exception](us-regions-only-group-exception.policy) - Sets limit to only be able to configure AWS resources in US regions for most users. It includes an example role that is allowed to opperate in any region.
 
 ## Reference Links
 
diff --git a/us-regions-only-group-exception.policy b/us-regions-only-group-exception.policy
new file mode 100644
index 0000000..b67262d
--- /dev/null
+++ b/us-regions-only-group-exception.policy
@@ -0,0 +1,37 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DenyAllOutsideUS",
+ "Effect": "Deny",
+ "NotAction": [
+ "iam:*",
+ "organizations:*",
+ "route53:*",
+ "budgets:*",
+ "waf:*",
+ "cloudfront:*",
+ "globalaccelerator:*",
+ "importexport:*",
+ "support:*",
+ "sts:*"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:RequestedRegion": [
+ "us-east-1",
+ "us-east-2",
+ "us-west-1",
+ "us-west-2"
+ ]
+ },
+ "StringNotLike": {
+ "aws:PrincipalArn": [
+ "arn:aws:iam::*:role/NetIDSuperAdmistratorAccess",
+ "arn:aws:iam::*:role/NetIDCloudTeamAccess"]
+ }
+ }
+ }
+ ]
+}
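Review bot: The exemption in the `StringNotLike` block matches `arn:aws:iam::*:role/...` with a wildcard account id, so a role carrying either of those two names in any account the SCP is attached to is exempt from the region restriction, not just the intended break-glass roles; pin the account id(s) that should hold them, e.g. `"arn:aws:iam::<ACCOUNT_ID>:role/NetIDCloudTeamAccess"`, and pair this with a statement (or the repository's prevent-deletion-of-service-resources policy) that blocks creating or altering roles of those names elsewhere. The first name, `NetIDSuperAdmistratorAccess`, looks like a misspelling of "Administrator"; the match is literal, so a deployed role spelled correctly would not be exempted and would be denied outside the US regions — confirm the spelling against the actual role. The `NotAction` list also leaves out some region-agnostic calls that the AWS reference policy for this pattern exempts, such as `ec2:DescribeRegions`, `health:*` and `ce:*`; without them, region-enumeration and billing tooling run from a non-US caller region is denied, so verify which of these your users rely on. Minor style: the closing `]` of the `aws:PrincipalArn` array sits on the last value line while every other array in the file closes on its own line.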