From a54f07909c960459132d838c72b2465e2cb76471 Mon Sep 17 00:00:00 2001
From: eric straavaldsen
Date: Mon, 28 Oct 2019 12:28:58 -0500
Subject: [PATCH 1/3] fixed scp for region limit
---
 docker-container-scan.sh | 2 ++
 us-regions-only-group-exception.policy | 37 ++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 docker-container-scan.sh
 create mode 100644 us-regions-only-group-exception.policy
diff --git a/docker-container-scan.sh b/docker-container-scan.sh
new file mode 100644
index 0000000..4d8ccf7
--- /dev/null
+++ b/docker-container-scan.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+docker ps -ef
diff --git a/us-regions-only-group-exception.policy b/us-regions-only-group-exception.policy
new file mode 100644
index 0000000..b67262d
--- /dev/null
+++ b/us-regions-only-group-exception.policy
@@ -0,0 +1,37 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DenyAllOutsideUS",
+ "Effect": "Deny",
+ "NotAction": [
+ "iam:*",
+ "organizations:*",
+ "route53:*",
+ "budgets:*",
+ "waf:*",
+ "cloudfront:*",
+ "globalaccelerator:*",
+ "importexport:*",
+ "support:*",
+ "sts:*"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:RequestedRegion": [
+ "us-east-1",
+ "us-east-2",
+ "us-west-1",
+ "us-west-2"
+ ]
+ },
+ "StringNotLike": {
+ "aws:PrincipalArn": [
+ "arn:aws:iam::*:role/NetIDSuperAdmistratorAccess",
+ "arn:aws:iam::*:role/NetIDCloudTeamAccess"]
+ }
+ }
+ }
+ ]
+}
From 53766a92d0d9ec780b91f11a4eb9375b85ac588e Mon Sep 17 00:00:00 2001
From: eric straavaldsen
Date: Mon, 28 Oct 2019 12:31:00 -0500
Subject: [PATCH 2/3] removed file fo docker container scan
---
 docker-container-scan.sh | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 docker-container-scan.sh
diff --git a/docker-container-scan.sh b/docker-container-scan.sh
deleted file mode 100644
index 4d8ccf7..0000000
--- a/docker-container-scan.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash
-docker ps -ef
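Review bot: The exception on the `aws:PrincipalArn` lines of the policy hunk matches by role name in any account (`arn:aws:iam::*:role/...`), so a principal that can call `iam:CreateRole` in a member account can create a role with one of these names and step outside the region limit, and because `iam:*` is itself in the NotAction list this statement does not stop that. Either pin the account, e.g. `"arn:aws:iam::<MGMT_ACCOUNT_ID>:role/NetIDCloudTeamAccess"`, or pair this policy with one that denies creating or modifying roles of these names outside the intended account. `NetIDSuperAdmistratorAccess` also looks misspelled (`Admistrator`); matching is exact per character, so a role named with the conventional spelling would not be exempted. Any global service whose actions are not in the NotAction list is also denied by this statement whenever the request is evaluated with a non-US `aws:RequestedRegion`, so the list should be checked against the services the organization actually uses. Style: the closing `]` on the `NetIDCloudTeamAccess` line sits on the same line as the last element, unlike every other array in the file.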
From da9441fae04961bc73e3f49b1ed9d6a1ebd4bbce Mon Sep 17 00:00:00 2001
From: eric straavaldsen
Date: Mon, 28 Oct 2019 12:34:16 -0500
Subject: [PATCH 3/3] updated readme
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index cc19de7..85310db 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,7 @@ A repository of community generated Service control policies (SCPs) and referenc
 - [prevent-deletion-of-service-resources](prevent-deletion-of-service-resources.policy) - Protect various organizational roles and resources curated for service and governance related purposes.
 - [ec2-encrypt-ebs](ec2-encrypt-ebs.policy) - Set enforces setting where ebs volumes are encrypted by default - to set default for account use cli command: aws ec2 enable-ebs-encryption-by-default Not setting up a default encryption will generate a difficult to understand error.
+- [us-regions-only-group-exception](us-regions-only-group-exception.policy) - Sets limit to only be able to configure AWS resources in US regions for most users. It includes an example role that is allowed to opperate in any region.
 ## Reference Links