Adding policies

README.md

@@ -247,6 +247,7 @@ For additional context, refer to some of these links.
 - [Terraform Module Requirements](https://www.terraform.io/docs/registry/modules/publish.html#requirements) - HashiCorp's guidance on all the requirements for publishing a module. Meeting the requirements for publishing a module is extremely easy.
 - [Terraform `random_integer` Resource](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) - The resource random_integer generates random values from a given range, described by the min and max attributes of a given resource.
 - [Terraform Version Pinning](https://www.terraform.io/docs/configuration/terraform.html#specifying-a-required-terraform-version) - The required_version setting can be used to constrain which versions of the Terraform CLI can be used with your configuration
+- [SCPs size limits](https://github.com/hashicorp/terraform-provider-aws/issues/12597) - The SCP have a size limit and creating many policies at once can result in a POLICY_CONTENT_LIMIT_EXCEEDED error
 
 
 ## Help
@@ -381,14 +382,16 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply
 ### Contributors
 
 <!-- markdownlint-disable -->
-| [![Erik Osterman][osterman_avatar]][osterman_homepage]<br/>[Erik Osterman][osterman_homepage] | [![Andriy Knysh][aknysh_avatar]][aknysh_homepage]<br/>[Andriy Knysh][aknysh_homepage] |
-|---|---|
+| [![Erik Osterman][osterman_avatar]][osterman_homepage]<br/>[Erik Osterman][osterman_homepage] | [![Andriy Knysh][aknysh_avatar]][aknysh_homepage]<br/>[Andriy Knysh][aknysh_homepage] | [![PePe Amengual][jamengual_avatar]][jamengual_homepage]<br/>[PePe Amengual][jamengual_homepage] |
+|---|---|---|
 <!-- markdownlint-restore -->
 
  [osterman_homepage]: https://github.com/osterman
  [osterman_avatar]: https://img.cloudposse.com/150x150/https://github.com/osterman.png
  [aknysh_homepage]: https://github.com/aknysh
  [aknysh_avatar]: https://img.cloudposse.com/150x150/https://github.com/aknysh.png
+ [jamengual_homepage]: https://github.com/jamengual
+ [jamengual_avatar]: https://img.cloudposse.com/150x150/https://github.com/jamengual.png
 
 [![README Footer][readme_footer_img]][readme_footer_link]
 [![Beacon][beacon]][website]

README.yaml

@@ -83,7 +83,9 @@ references:
  - name: "Terraform Version Pinning"
  description: "The required_version setting can be used to constrain which versions of the Terraform CLI can be used with your configuration"
  url: "https://www.terraform.io/docs/configuration/terraform.html#specifying-a-required-terraform-version"
-
+ - name: "SCPs size limits"
+ description: "The SCP have a size limit and creating many policies at once can result in a POLICY_CONTENT_LIMIT_EXCEEDED error"
+ url: "https://github.com/hashicorp/terraform-provider-aws/issues/12597"
 # Short description of this project
 description: |-
  Terraform module to provision Service Control Policies (SCP) for AWS Organizations, Organizational Units, and AWS accounts.
@@ -148,3 +150,5 @@ contributors:
  github: "osterman"
  - name: "Andriy Knysh"
  github: "aknysh"
+ - name: "PePe Amengual"
+ github: "jamengual"

catalog/account-policies.yaml

@@ -0,0 +1,7 @@
+- sid: "DenyAccountRegionDisableEnable"
+ effect: "Deny"
+ actions:
+ - "account:EnableRegion"
+ - "account:DisableRegion"
+ resources:
+ - "*"

catalog/cloudtrail-policies.yaml

@@ -0,0 +1,9 @@
+- sid: "DenyCloudTrailActions"
+ effect: "Deny"
+ actions:
+ - "cloudtrail:DeleteTrail"
+ - "cloudtrail:PutEventSelectors"
+ - "cloudtrail:StopLogging"
+ - "cloudtrail:UpdateTrail"
+ resources:
+ - "*"

catalog/cloudwatch-logs-policies.yaml

@@ -1,8 +1,20 @@
-- sid: "DenyDeletingCloudWatchLogs"
+- sid: "DenyCloudWatchDeletingLogs"
  effect: "Deny"
  actions:
  - "ec2:DeleteFlowLogs"
  - "logs:DeleteLogGroup"
  - "logs:DeleteLogStream"
  resources:
  - "*"
+
+- sid: "DenyDisablingCloudWatch"
+ effect: "Deny"
+ actions:
+ - "cloudwatch:DeleteAlarms"
+ - "cloudwatch:DeleteDashboards"
+ - "cloudwatch:DisableAlarmActions"
+ - "cloudwatch:PutDashboard"
+ - "cloudwatch:PutMetricAlarm"
+ - "cloudwatch:SetAlarmState"
+ resources:
+ - "*"

catalog/config-policies.yaml

@@ -0,0 +1,12 @@
+- sid: "DenyConfigRulesDelete"
+ effect: "Deny"
+ actions:
+ - "config:DeleteConfigRule"
+ - "config:DeleteConfigurationRecorder"
+ - "config:DeleteDeliveryChannel"
+ - "config:StopConfigurationRecorder"
+ - "config:DeleteRetentionConfiguration"
+ - "config:DeleteEvaluationResults"
+ - "config:DeleteConfigurationAggregator"
+ resources:
+ - "*"

catalog/ec2-policies.yaml

@@ -2,7 +2,7 @@
 # This policy denies instance types that aren't based on the Nitro system as documented in the following document:
 # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances
 #
-- sid: "DenyNonNitroInstances"
+- sid: "DenyEC2NonNitroInstances"
  effect: "Deny"
  actions:
  - "ec2:RunInstances"
@@ -83,7 +83,7 @@
 # This policy denies instance types that aren't based on the Nitro system and don't support Encryption-in-Transit as
 # described in the following document:
 # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html#encryption-transit
-- sid: "DenyInstancesWithoutEncryptionInTransit"
+- sid: "DenyEC2InstancesWithoutEncryptionInTransit"
  effect: "Deny"
  actions:
  - "ec2:RunInstances"
@@ -109,3 +109,77 @@
  - r5n
  resources:
  - "arn:aws:ec2:*:*:instance/*"
+
+- sid: "DenyEC2PublicAMI"
+ effect: "Deny"
+ actions:
+ - "ec2:RunInstances"
+ condition:
+ - test: "Bool"
+ variable: "ec2:Public"
+ values:
+ - true
+ resources:
+ - "arn:aws:ec2:*::image/*"
+
+- sid: "DenyEC2AssociatePublicIp"
+ effect: "Deny"
+ actions:
+ - "ec2:RunInstances"
+ condition:
+ - test: "Bool"
+ variable: "ec2:AssociatePublicIpAddress"
+ values:
+ - true
+ resources:
+ - "arn:aws:ec2:*:*:network-interface/*"
+
+- sid: "DenyEC2AMIWithNoResourceTag"
+ effect: "Deny"
+ actions:
+ - "ec2:RunInstances"
+ condition:
+ - test: "StringNotEqualsIgnoreCase"
+ variable: "ec2:ResourceTag/${ami_tag_key}"
+ values:
+ - "${ami_tag_value}"
+ resources:
+ - "arn:aws:ec2:*::image/ami-*"
+
+- sid: "DenyEC2WithNoIMDSv2"
+ effect: "Deny"
+ actions:
+ - "ec2:RunInstances"
+ condition:
+ - test: "StringNotEquals"
+ variable: "ec2:MetadataHttpTokens"
+ values:
+ - "required"
+ resources:
+ - "arn:aws:ec2:*:*:instance/*"
+
+- sid: "DenyEC2ApiWithNoMFA"
+ effect: "Deny"
+ actions:
+ - "ec2:StopInstances"
+ - "ec2:TerminateInstances"
+ - "ec2:SendDiagnosticInterrupt"
+ condition:
+ - test: "BoolIfExists"
+ variable: "aws:MultiFactorAuthPresent"
+ values:
+ - false
+ resources:
+ - "*"
+
+- sid: "DenyEC2AMINotCreatedBy"
+ effect: "Deny"
+ actions:
+ - "ec2:RunInstances"
+ condition:
+ - test: "StringNotEquals"
+ variable: "ec2:Owner"
+ values:
+ - "${ami_creator_account}"
+ resources:
+ - "arn:aws:ec2:*::image/ami-*"

catalog/guardduty-policies.yaml

@@ -0,0 +1,43 @@
+- sid: "DenyGuardDutyDisassociation"
+ effect: "Deny"
+ actions:
+ - "guardduty:DisassociateFromMasterAccount"
+ resources:
+ - "*"
+
+- sid: "DenyDisablingGuardDuty"
+ effect: "Deny"
+ actions:
+ - "guardduty:AcceptInvitation"
+ - "guardduty:ArchiveFindings"
+ - "guardduty:CreateDetector"
+ - "guardduty:CreateFilter"
+ - "guardduty:CreateIPSet"
+ - "guardduty:CreateMembers"
+ - "guardduty:CreatePublishingDestination"
+ - "guardduty:CreateSampleFindings"
+ - "guardduty:CreateThreatIntelSet"
+ - "guardduty:DeclineInvitations"
+ - "guardduty:DeleteDetector"
+ - "guardduty:DeleteFilter"
+ - "guardduty:DeleteInvitations"
+ - "guardduty:DeleteIPSet"
+ - "guardduty:DeleteMembers"
+ - "guardduty:DeletePublishingDestination"
+ - "guardduty:DeleteThreatIntelSet"
+ - "guardduty:DisassociateFromMasterAccount"
+ - "guardduty:DisassociateMembers"
+ - "guardduty:InviteMembers"
+ - "guardduty:StartMonitoringMembers"
+ - "guardduty:StopMonitoringMembers"
+ - "guardduty:TagResource"
+ - "guardduty:UnarchiveFindings"
+ - "guardduty:UntagResource"
+ - "guardduty:UpdateDetector"
+ - "guardduty:UpdateFilter"
+ - "guardduty:UpdateFindingsFeedback"
+ - "guardduty:UpdateIPSet"
+ - "guardduty:UpdatePublishingDestination"
+ - "guardduty:UpdateThreatIntelSet"
+ resources:
+ - "*"

catalog/iam-policies.yaml

@@ -1,13 +1,12 @@
-- sid: "DenyCreatingIAMUsers"
+- sid: "DenyIAMCreatingUsers"
  effect: "Deny"
  actions:
  - "iam:CreateUser"
  - "iam:CreateAccessKey"
  resources:
  - "*"
 
-
-- sid: "ProtectIAMRoles"
+- sid: "DenyIAMRolesChanges"
  effect: "Deny"
  actions:
  - "iam:AttachRolePolicy"
@@ -22,3 +21,33 @@
  - "iam:UpdateRoleDescription"
  resources:
  - "*"
+
+- sid: "DenyIAMNoMFA"
+ effect: "Deny"
+ not_actions:
+ - "iam:CreateVirtualMFADevice"
+ - "iam:EnableMFADevice"
+ - "iam:GetUser"
+ - "iam:ListMFADevices"
+ - "iam:ListVirtualMFADevices"
+ - "iam:ResyncMFADevice"
+ - "sts:GetSessionToken"
+ condition:
+ - test: "BoolIfExists"
+ variable: "aws:MultiFactorAuthPresent"
+ values:
+ - false
+ resources:
+ - "*"
+
+- sid: "DenyIAMRootAccount"
+ effect: "Deny"
+ actions:
+ - "*"
+ condition:
+ - test: "StringLike"
+ variable: "aws:PrincipalArn"
+ values:
+ - "arn:aws:iam::*:root"
+ resources:
+ - "*"

catalog/lambda-policies.yaml

@@ -0,0 +1,12 @@
+- sid: "DenyLambdaWithoutVpc"
+ effect: "Deny"
+ actions:
+ - "lambda:CreateFunction"
+ - "lambda:UpdateFunctionConfiguration"
+ condition:
+ - test: "Null"
+ variable: "lambda:VpcIds"
+ values:
+ - true
+ resources:
+ - "*"

catalog/organization-policies.yaml

@@ -5,15 +5,14 @@
  resources:
  - "*"
 
-
 - sid: "DenyRootAccountAccess"
  effect: "Deny"
  actions:
  - "*"
- resources:
- - "*"
  condition:
  - test: "StringLike"
  variable: "aws:PrincipalArn"
  values:
  - "arn:aws:iam::*:root"
+ resources:
+ - "*"

catalog/rds-policies.yaml

@@ -0,0 +1,16 @@
+- sid: "DenyRDSUnencrypted"
+ effect: "Deny"
+ actions:
+ - "rds:CreateDBCluster"
+ - "rds:CreateDBInstance"
+ - "rds:RestoreDBClusterFromS3"
+ - "rds:RestoreDBInstanceFromS3"
+ - "rds:RestoreDBClusterFromDBSnapshot"
+ - "rds:RestoreDBClusterToPointInTime"
+ condition:
+ - test: "Bool"
+ variable: "rds:StorageEncrypted"
+ values:
+ - false
+ resources:
+ - "*"

catalog/region-specific-policies.yaml

@@ -0,0 +1,23 @@
+- sid: "DenyRegionUsage"
+ effect: "Deny"
+ not_actions:
+ - "cloudfront:*"
+ - "iam:*"
+ - "route53:*"
+ - "support:*"
+ - "organizations:*"
+ - "waf:*"
+ - "budgets:*"
+ - "globalaccelerator:*"
+ - "cur:*"
+ - "ce:*"
+ - "directconnect:*"
+ condition:
+ - test: "StringNotEqualsIgnoreCase"
+ variable: "aws:RequestedRegion"
+ values:
+ # The regions that can't be used for deploying infrastructure
+ - "${region1_lockdown}"
+ - "${region2_lockdown}"
+ resources:
+ - "*"

catalog/route53-policies.yaml

@@ -1,4 +1,4 @@
-- sid: "DenyDeletingRoute53Zones"
+- sid: "DenyRoute53DeletingZones"
  effect: "Deny"
  actions:
  - "route53:DeleteHostedZone"