adding categories to SCP files
huangjac committed Mar 19, 2021
1 parent e41b7da commit 04ec6b6
Showing 27 changed files with 58 additions and 33 deletions.
3 changes: 2 additions & 1 deletion guardrails/account/SCP-ACCOUNT-1.json
Expand Up @@ -30,5 +30,6 @@
"aws:PrincipalARN": [ "arn:aws:iam::*:role/[INFRASTRUCTURE_AUTOMATION_ROLE]" ]
}
}
]
],
"Category": "Mandatory"
}
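Review bot: `"Category"` added at the end of this SCP document (and in the 25 other SCP-*.json sections of this commit) is a free-form string, and the commit introduces three spellings of the allowed set — `"Mandatory"`, `"Strongly recommended"`, `"Elective"` — with nothing in the change that validates or documents them. A typo or case slip in one file would silently create a fourth category, and if the category is what decides where a guardrail gets attached (not visible here), a misclassified control is a quietly weaker control. Pin the set in one place and have whatever consumes these files reject anything outside it, for example a README or schema line `Category must be one of: Mandatory, Strongly recommended, Elective`. A value without spaces and in one consistent case would also be easier to filter on in the tooling that reads these documents.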
3 changes: 2 additions & 1 deletion guardrails/billing/SCP-BILLING-1.json
Expand Up @@ -31,5 +31,6 @@
"aws:PrincipalARN": [ "arn:aws:iam::*:role/[INFRASTRUCTURE_AUTOMATION_ROLE]" ]
}
}
]
],
"Category": "Mandatory"
}
3 changes: 2 additions & 1 deletion guardrails/cloudformation/SCP-CLOUDFORMATION-1.json
Expand Up @@ -51,5 +51,6 @@
"aws:PrincipalARN": [ "arn:aws:iam::*:role/[INFRASTRUCTURE_AUTOMATION_ROLE]" ]
}
}
]
],
"Category": "Strongly recommended"
}
3 changes: 2 additions & 1 deletion guardrails/cloudtrail/SCP-CLOUDTRAIL-1.json
Expand Up @@ -32,5 +32,6 @@
"aws:PrincipalARN": [ "arn:aws:iam::*:role/[INFRASTRUCTURE_AUTOMATION_ROLE]" ]
}
}
]
],
"Category": "Mandatory"
}
3 changes: 2 additions & 1 deletion guardrails/cloudwatch/SCP-CLOUDWATCH-1.json
Expand Up @@ -32,5 +32,6 @@
]
}
}
]
],
"Category": "Strongly recommended"
}
3 changes: 2 additions & 1 deletion guardrails/config/SCP-CONFIG-1.json
Expand Up @@ -38,5 +38,6 @@
"aws:PrincipalARN": [ "arn:aws:iam::*:role/[INFRASTRUCTURE_AUTOMATION_ROLE]" ]
}
}
]
],
"Category": "Mandatory"
}
3 changes: 2 additions & 1 deletion guardrails/config/SCP-CONFIG-2.json
Expand Up @@ -38,5 +38,6 @@
"aws:ResourceTag/system": "[SYSTEM_NAME]"
}
}
]
],
"Category": "Strongly recommended"
}
3 changes: 2 additions & 1 deletion guardrails/ec2/SCP-EC2-1.json
Expand Up @@ -30,5 +30,6 @@
]
}
}
]
],
"Category": "Mandatory"
}
3 changes: 2 additions & 1 deletion guardrails/ec2/SCP-EC2-2.json
Expand Up @@ -23,5 +23,6 @@
"ec2:CreateDefaultSubnet",
"ec2:CreateDefaultVpc"
],
"Resource": ["*"]
"Resource": ["*"],
"Category": "Strongly recommended"
}
3 changes: 2 additions & 1 deletion guardrails/glacier/SCP-GLACIER-1.json
Expand Up @@ -25,5 +25,6 @@
"glacier:DeleteArchive",
"glacier:DeleteVault"
],
"Resource": ["arn:aws:glacier:*:*:vaults/*"]
"Resource": ["arn:aws:glacier:*:*:vaults/*"],
"Category": "Mandatory"
}
3 changes: 2 additions & 1 deletion guardrails/guardduty/SCP-GUARDDUTY-1.json
Expand Up @@ -38,5 +38,6 @@
"aws:PrincipalARN": [ "arn:aws:iam::*:role/[INFRASTRUCTURE_AUTOMATION_ROLE]" ]
}
}
]
],
"Category": "Mandatory"
}
3 changes: 2 additions & 1 deletion guardrails/iam/SCP-IAM-1.json
Expand Up @@ -28,6 +28,7 @@
"aws:PrincipalArn": "arn:aws:iam::*:root"
}
}
]
],
"Category": "Mandatory"
}

9 changes: 5 additions & 4 deletions guardrails/iam/SCP-IAM-2.json
Expand Up @@ -14,10 +14,11 @@
"Expected Result": "Access Denied"
}
],
"References": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"],
"Policy-Type": "SCP",
"References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
"Policy": "SCP",
"SCP-Type": "Prevent-For-Resource",
"IAM Actions": ["iam:CreateAccessKey"],
"Resource": ["arn:aws:iam::*:root"]
"Resource": ["arn:aws:iam::*:root"],
"Category": "Mandatory"
}
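Review bot: `"References"` in this hunk appears once as an array and once as a bare string, while SCP-IAM-3's hunk keeps `"References"` as an array in its context lines, so after this commit the key has a different type in two files and a consumer that iterates the list will misbehave on the string form. The rendered page prints the string form as the later line, which suggests it is the new side, but that cannot be confirmed from here. Keep the array shape, `"References": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"],`, so every SCP document has one schema. The same hunk, and SCP-IAM-3's first hunk, also swap between the keys `"Policy-Type"` and `"Policy"`; whichever name is intended must be applied to every SCP file in the same commit, otherwise the rename is the same kind of cross-file inconsistency.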


7 changes: 4 additions & 3 deletions guardrails/iam/SCP-IAM-3.json
Expand Up @@ -18,7 +18,7 @@
"References": [
"https://aws.amazon.com/controltower/", "https://aws.amazon.com/solutions/aws-landing-zone/"
],
"Policy-Type": "SCP",
"Policy": "SCP",
"SCP-Type": "Prevent-For-Resource-Except",
"IAM Actions": [
"iam:AttachRolePolicy",
Expand All @@ -43,6 +43,7 @@
"aws:PrincipalARN": "arn:aws:iam::*:role/[INFRASTRUCTURE_AUTOMATION_ROLE]"
}
}
]
],
"Category": "Elective"
}


3 changes: 2 additions & 1 deletion guardrails/iam/SCP-IAM-4.json
Expand Up @@ -34,5 +34,6 @@
"aws:PrincipalARN": "arn:aws:iam::*:role/[ALLOWED_LAMBDA_ROLE_NAME]"
}
}
]
],
"Category": "Strongly recommended"
}
3 changes: 2 additions & 1 deletion guardrails/iam/SCP-IAM-5.json
Expand Up @@ -34,5 +34,6 @@
"aws:PrincipalARN": [ "arn:aws:iam::*:role/[ALLOWED_ROLE_NAME]" ]
}
}
]
],
"Category": "Mandatory"
}
3 changes: 2 additions & 1 deletion guardrails/kms/SCP-KMS-1.json
Expand Up @@ -31,5 +31,6 @@
]
}
}
]
],
"Category": "Mandatory"
}
3 changes: 2 additions & 1 deletion guardrails/lambda/SCP-LAMBDA-1.json
Expand Up @@ -41,5 +41,6 @@
]
}
}
]
],
"Category": "Elective"
}
3 changes: 2 additions & 1 deletion guardrails/organizations/SCP-ORGANIZATIONS-1.json
Expand Up @@ -30,5 +30,6 @@
"aws:PrincipalARN": [ "arn:aws:iam::*:role/[INFRASTRUCTURE_AUTOMATION_ROLE]" ]
}
}
]
],
"Category": "Mandatory"
}
3 changes: 2 additions & 1 deletion guardrails/ram/SCP-RAM-1.json
Expand Up @@ -27,5 +27,6 @@
"ram:AllowsExternalPrincipals": "true"
}
}
]
],
"Category": "Mandatory"
}
3 changes: 1 addition & 2 deletions guardrails/requirements.txt
@@ -1,3 +1,2 @@
pandas==1.2.2
pandas==1.0.3
tabulate==0.8.7
jinja2==2.11.3
3 changes: 2 additions & 1 deletion guardrails/s3/SCP-S3-1.json
Expand Up @@ -32,5 +32,6 @@
]
}
}
]
],
"Category": "Mandatory"
}
3 changes: 2 additions & 1 deletion guardrails/s3/SCP-S3-2.json
Expand Up @@ -34,5 +34,6 @@
]
}
}
]
],
"Category": "Mandatory"
}
3 changes: 2 additions & 1 deletion guardrails/s3/SCP-S3-3.json
Expand Up @@ -33,5 +33,6 @@
"s3:x-amz-acl": "private"
}
}
]
],
"Category": "Mandatory"
}
3 changes: 2 additions & 1 deletion guardrails/s3/SCP-S3-4.json
Expand Up @@ -32,5 +32,6 @@
"Resource": [
"arn:aws:s3:::[BUCKET_TO_PROTECT]",
"arn:aws:s3:::[BUCKET_TO_PROTECT]/*"
]
],
"Category": "Mandatory"
}
3 changes: 2 additions & 1 deletion guardrails/s3/SCP-S3-5.json
Expand Up @@ -66,5 +66,6 @@
]
}
}
]
],
"Category": "Elective"
}
3 changes: 2 additions & 1 deletion guardrails/sns/SCP-SNS-1.json
Expand Up @@ -37,5 +37,6 @@
]
}
}
]
],
"Category": "Elective"
}
