First draft of example SCPs

phc107 committed Aug 1, 2019
0 parents commit 6e6b7daed648186b360a8bfd0b5ddc3305e5920d
@@ -0,0 +1,22 @@
# AWS Organizations Service Control Policies
---

## Description

A repository of community generated Service control policies (SCPs) and reference links to ensure proper governance and access control guidelines across your entire organization. Please feel free to contribute or submit a pull request if you would like to improve an existing SCP or share additional ones.

## Example Policies

- [us-regions-only](us-regions-only.policy) - Deny actions unless performed in one of the US related regions

- [prevent-resourcesharing](prevent-resourcesharing.policy) - Prevent account from creating or deleting resource shares within the organization

- [prevent-disabling-cloudtrail](prevent-disabling-cloudtrail.policy) - Account cannot disable CloudTrail service

- [prevent-deletion-of-service-resources](prevent-deletion-of-service-resources.policy) - Protect various organizational roles and resources curated for service and governance related purposes.

## Reference Links

- [Service Control Policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html) - AWS Organizations - Service Control Policies Documentation

- [Example Control Policies](https://github.com/awsdocs/aws-organizations-docs/blob/master/doc_source/orgs_manage_policies_example-scps.md)
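Review bot: the README never says that `role-to-protect` and `idp-to-protect` in prevent-deletion-of-service-resources.policy are placeholders that must be replaced with the real role and SAML provider names before the policy is attached; the prevent-deletion-of-service-resources bullet should say so, otherwise the policy as shipped protects nothing. Two smaller points in the same hunk: the capitalisation of "Service control policies (SCPs)" in the Description differs from the "Service Control Policies" used in the title and the reference link, and "Protect various organizational roles and resources curated for service and governance related purposes." is the only bullet ending in a full stop.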
@@ -0,0 +1,35 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAccessToRole",
"Effect": "Deny",
"Action": [
"iam:AttachRolePolicy",
"iam:DeleteRole",
"iam:DeleteRolePermissionsBoundary",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePermissionsBoundary",
"iam:PutRolePolicy",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateRole",
"iam:UpdateRoleDescription"
],
"Resource": [
"arn:aws:iam::*:role/role-to-protect"
]
},
{
"Sid": "DenyAccessToShibbolethIDP",
"Effect": "Deny",
"Action": [
"iam:DeleteSAMLProvider",
"iam:UpdateSAMLProvider"
],
"Resource": [
"arn:aws:iam::*:saml-provider/idp-to-protect"
]
}
]
}
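Review bot: the Sid names are misleading. "DenyAccessToRole" denies modification and deletion of the role, not access to it (assuming the role is still permitted), and "DenyAccessToShibbolethIDP" names a specific product while the resource is the generic placeholder `idp-to-protect`; consider "DenyModificationOfProtectedRole" and "DenyModificationOfProtectedSAMLProvider". Also worth considering is a `Condition` that exempts the principal legitimately responsible for maintaining these resources (for example via `aws:PrincipalArn`), since as written no principal in a member account can ever update the role's trust policy or rotate the SAML provider metadata without first detaching the SCP.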
@@ -0,0 +1,15 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PreventDisablingOfCloudTrails",
"Effect": "Deny",
"Action": [
"cloudtrail:StopLogging"
],
"Resource": [
"*"
]
}
]
}
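Review bot: denying only `cloudtrail:StopLogging` does not deliver the README's promise that an "Account cannot disable CloudTrail service"; a trail can still be removed with `cloudtrail:DeleteTrail` or redirected and narrowed with `cloudtrail:UpdateTrail` and `cloudtrail:PutEventSelectors`. Add at least `cloudtrail:DeleteTrail` and `cloudtrail:UpdateTrail` to the `Action` list, or change the README wording to "prevents logging from being stopped".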
@@ -0,0 +1,18 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PreventResourceSharing",
"Effect": "Deny",
"Action": [
"ram:AssociateResourceShare",
"ram:CreateResourceShare",
"ram:DeleteResourceShare",
"ram:EnableSharingWithAwsOrganization"
],
"Resource": [
"*"
]
}
]
}
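Review bot: the `Action` list and the README description disagree on scope. The README says the policy prevents "creating or deleting resource shares", but the policy also denies `ram:AssociateResourceShare` and `ram:EnableSharingWithAwsOrganization` while leaving `ram:UpdateResourceShare` and `ram:DisassociateResourceShare` untouched, so an existing share can still be edited. Either document the full set of blocked actions in the README or complete the list so that the policy covers the whole share lifecycle consistently.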
@@ -0,0 +1,32 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAllOutsideUS",
"Effect": "Deny",
"NotAction": [
"iam:*",
"organizations:*",
"route53:*",
"budgets:*",
"waf:*",
"cloudfront:*",
"globalaccelerator:*",
"importexport:*",
"support:*",
"sts:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-east-2",
"us-west-1",
"us-west-2"
]
}
}
}
]
}
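Review bot: the `NotAction` list needs a comment in the README, because it changes what the policy actually enforces. Every service listed there (`iam:*`, `organizations:*`, `route53:*`, `budgets:*`, `waf:*`, `cloudfront:*`, `globalaccelerator:*`, `importexport:*`, `support:*`, `sts:*`) is allowed from any `aws:RequestedRegion`, which is necessary for global services but is not conveyed by "Deny actions unless performed in one of the US related regions". A style point: this file writes `"Resource": "*"` as a string while the other three policies use a one-element array; pick one form for the repository.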
