what
Minor fixes to several SCPs
- `DenyLambdaWithoutVpc` was previously invalid. It is now valid, but has not been thoroughly tested to ensure it does what it promises.
- `DenyRDSUnencrypted` was fixed to deny `rds:RestoreDBClusterFromSnapshot` when not encrypted. Previously this action was not denied, and instead the nonexistent `RestoreDBClusterFromDBSnapshot` was denied.
- `DenyS3BucketsPublicAccess` policy was cleaned up by eliminating the nonexistent `s3:DeletePublicAccessBlock` action. Note that it still is probably not something you want to use, because it denies enabling a public access block as well as removing one. We hope to have a better policy in the future.
- `DenyRegions` and `RestrictToSpecifiedRegions` were updated to exclude the `account`, `artifact`, and `supportplans` services from region restrictions, since they are global services. The obsolete `awsbillingconsole` service was removed.
- `DenyS3InNonSelectedRegion` was fixed to allow users to allow S3 bucket creation in `us-east-1`. Previously `us-east-1` was always prohibited even when expressly allowed, due to quirks in S3.

why

references
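
Added example, not part of the pull request or the project's policy files: a simplified evaluator for a region-restriction SCP of the usual `Deny` + `NotAction` + `aws:RequestedRegion` shape, showing why the `account`, `artifact` and `supportplans` services need to be exempted. The allowed-region list, the sample requests, and the assumption that calls to these global services carry `us-east-1` as the requested region are all constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed values: an assumed allow-list that does not include us-east-1.
ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]
GLOBAL_SERVICES = ["account:*", "artifact:*", "supportplans:*"]  # services named in the PR

# Constructed sample requests: (action, aws:RequestedRegion).
SAMPLE_REQUESTS = [
    ("account:GetContactInformation", "us-east-1"),
    ("artifact:GetReport", "us-east-1"),
    ("supportplans:GetSupportPlan", "us-east-1"),
    ("ec2:RunInstances", "us-east-1"),
    ("ec2:RunInstances", "eu-west-1"),
]


def region_scp(exempt_actions):
    """Build a region-restriction Deny statement (illustrative, not the project's)."""
    return {
        "Effect": "Deny",
        "NotAction": list(exempt_actions),
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
    }


def is_denied(statement, action, requested_region):
    """Simplified check of one Deny statement: NotAction first, then the region condition."""
    # IAM action names match case-insensitively and support '*' wildcards.
    exempt = any(fnmatchcase(action.lower(), pattern.lower())
                 for pattern in statement["NotAction"])
    if exempt:
        return False  # statement does not apply to exempted actions
    allowed = statement["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
    return requested_region not in allowed


def audit(exempt_actions):
    """Return {(action, region): denied?} for the constructed sample requests."""
    stmt = region_scp(exempt_actions)
    return {req: is_denied(stmt, *req) for req in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, exempt in (("without exemptions", ["iam:*"]),
                          ("with exemptions", ["iam:*"] + GLOBAL_SERVICES)):
        print(label)
        for (action, region), denied in audit(exempt).items():
            print(f"  {action:32} {region:10} {'DENY' if denied else 'pass'}")
```
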