Skip to content
Jump to bottom

US Region limit with a role that can operate outside the region limit. #3

Merged
merged 3 commits into from
Oct 28, 2019
+38 −0
Merged

US Region limit with a role that can operate outside the region limit. #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a54f079
fixed scp for region limit
ericstraavaldsen Oct 28, 2019
53766a9
removed file fo docker container scan
ericstraavaldsen Oct 28, 2019
da9441f
updated readme
ericstraavaldsen Oct 28, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ A repository of community generated Service control policies (SCPs) and referenc
- [prevent-deletion-of-service-resources](prevent-deletion-of-service-resources.policy) - Protect various organizational roles and resources curated for service and governance related purposes.

- [ec2-encrypt-ebs](ec2-encrypt-ebs.policy) - Set enforces setting where ebs volumes are encrypted by default - to set default for account use cli command: aws ec2 enable-ebs-encryption-by-default Not setting up a default encryption will generate a difficult to understand error.
- [us-regions-only-group-exception](us-regions-only-group-exception.policy) - Sets limit to only be able to configure AWS resources in US regions for most users. It includes an example role that is allowed to opperate in any region.

## Reference Links

Expand Down
37 changes: 37 additions & 0 deletions us-regions-only-group-exception.policy
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAllOutsideUS",
"Effect": "Deny",
"NotAction": [
"iam:*",
"organizations:*",
"route53:*",
"budgets:*",
"waf:*",
"cloudfront:*",
"globalaccelerator:*",
"importexport:*",
"support:*",
"sts:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-east-2",
"us-west-1",
"us-west-2"
]
},
"StringNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:role/NetIDSuperAdmistratorAccess",
"arn:aws:iam::*:role/NetIDCloudTeamAccess"]
}
}
}
]
}