It is generally a best practice not to use the root user to do your day-to-day tasks in your AWS account. Instead, create an IAM admin user (or role) and use that for administrative tasks. The policy below denies every action to the root user by matching the principal ARN `arn:aws:iam::*:root`; because IAM identity policies cannot be attached to the root user, this only takes effect when applied as a service control policy (SCP) to member accounts of an organization.
{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringLike": {
"aws:PrincipalArn": "arn:aws:iam::*:root"
}
},
"Action": "*",
"Resource": "*",
"Effect": "Deny",
"Sid": "DenyRootUser"
}
]
}
Deny the s3:CreateBucket permission for IAM users and roles unless the request sets Object Ownership to the bucket owner enforced setting (`BucketOwnerEnforced`), which disables ACLs. The first statement also denies changing the ownership setting to anything else afterwards, and the second denies bucket creation when the ownership header is absent from the request.
{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringNotEquals": {
"s3:x-amz-object-ownership": "BucketOwnerEnforced"
}
},
"Action": "s3:PutBucketOwnershipControls",
"Resource": "*",
"Effect": "Deny",
"Sid": "RequireBucketOwnerFullControl"
},
{
"Effect": "Deny",
"Resource": "*",
"Action": "s3:CreateBucket",
"Condition": {
"Null": {
"s3:x-amz-object-ownership": true
}
}
},
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"s3:CreateBucket",
"s3:PutBucketOwnershipControls",
"s3:PutBucketPublicAccessBlock"
]
}
]
}
Restrict the EC2 instance types that can be launched: ec2:RunInstances is denied for any instance type not in the listed allow-list.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RequireInstanceType",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringNotEquals": {
"ec2:InstanceType": [
"t3a.micro",
"t3a.medium",
"m5.large"
]
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"us-east-1",
"eu-central-1"
]
}
},
"Resource": "*",
"Effect": "Deny",
"NotAction": [
"a4b:*",
"acm:*",
"aws-marketplace-management:*",
"aws-marketplace:*",
"aws-portal:*",
"budgets:*",
"ce:*",
"chime:*",
"cloudfront:*",
"config:*",
"cur:*",
"directconnect:*",
"ec2:DescribeRegions",
"ec2:DescribeTransitGateways",
"ec2:DescribeVpnGateways",
"fms:*",
"globalaccelerator:*",
"health:*",
"iam:*",
"importexport:*",
"kms:*",
"mobileanalytics:*",
"networkmanager:*",
"organizations:*",
"pricing:*",
"route53:*",
"route53domains:*",
"s3:GetAccountPublic*",
"s3:ListAllMyBuckets",
"s3:PutAccountPublic*",
"shield:*",
"sts:*",
"support:*",
"trustedadvisor:*",
"waf-regional:*",
"waf:*",
"wafv2:*",
"wellarchitected:*"
],
"Sid": "DenyUnsupportedRegions"
}
]
}