@oieduardorabelo
Created November 17, 2022 20:59
AWS SCPs

DenyRootUserActions

It is generally a best practice not to use the root user to do your tasks in your AWS account. Instead, you should create an IAM admin user and use that to do administrative tasks.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      },
      "Action": "*",
      "Resource": "*",
      "Effect": "Deny",
      "Sid": "DenyRootUser"
    }
  ]
}

EnforceS3BucketOwner

Deny s3:CreateBucket for IAM users or roles unless the request sets the bucket owner enforced setting for Object Ownership (which disables ACLs). The policy also denies s3:PutBucketOwnershipControls with any other value, so the setting cannot be relaxed after the bucket exists. Two Deny statements are needed for CreateBucket because a StringNotEquals condition does not match when the s3:x-amz-object-ownership key is absent from the request; the Null condition covers that case.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-object-ownership": "BucketOwnerEnforced"
                }
            },
            "Action": [
                "s3:CreateBucket",
                "s3:PutBucketOwnershipControls"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Sid": "RequireBucketOwnerFullControl"
        },
        {
            "Effect": "Deny",
            "Resource": "*",
            "Action": "s3:CreateBucket",
            "Condition": {
                "Null": {
                    "s3:x-amz-object-ownership": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "s3:CreateBucket",
                "s3:PutBucketOwnershipControls",
                "s3:PutBucketPublicAccessBlock"
            ]
        }
    ]
}

RequireInstanceType

Deny ec2:RunInstances unless the requested instance type is one of the listed types.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t3a.micro",
            "t3a.medium",
            "m5.large"
          ]
        }
      }
    }
  ]
}

RestrictRegionAccess

Deny every action whose aws:RequestedRegion is not us-east-1 or eu-central-1. The NotAction list exempts global services (IAM, STS, Route 53, CloudFront, Organizations, billing, and so on) whose requests are not tied to a regional endpoint, so that they keep working.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "eu-central-1"
          ]
        }
      },
      "Resource": "*",
      "Effect": "Deny",
      "NotAction": [
        "a4b:*",
        "acm:*",
        "aws-marketplace-management:*",
        "aws-marketplace:*",
        "aws-portal:*",
        "budgets:*",
        "ce:*",
        "chime:*",
        "cloudfront:*",
        "config:*",
        "cur:*",
        "directconnect:*",
        "ec2:DescribeRegions",
        "ec2:DescribeTransitGateways",
        "ec2:DescribeVpnGateways",
        "fms:*",
        "globalaccelerator:*",
        "health:*",
        "iam:*",
        "importexport:*",
        "kms:*",
        "mobileanalytics:*",
        "networkmanager:*",
        "organizations:*",
        "pricing:*",
        "route53:*",
        "route53domains:*",
        "s3:GetAccountPublic*",
        "s3:ListAllMyBuckets",
        "s3:PutAccountPublic*",
        "shield:*",
        "sts:*",
        "support:*",
        "trustedadvisor:*",
        "waf-regional:*",
        "waf:*",
        "wafv2:*",
        "wellarchitected:*"
      ],
      "Sid": "DenyUnsupportedRegions"
    }
  ]
}
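To see how the statements above actually decide a request, here is a toy evaluator. It is an added example, not the gist author's code and not AWS's policy engine: it models only wildcard Action/NotAction matching and the StringEquals, StringNotEquals, StringLike and Null operators, ignores Resource matching (every statement on this page uses "*" or a broad ARN pattern), and does not model Allow statements or the interaction of several attached SCPs. The DenyRootUser and RequireInstanceType policies are copied from the page; the region SCP's NotAction list is cut down to four entries as a constructed sample; the S3 pair is constructed from the EnforceS3BucketOwner description (deny CreateBucket unless the ownership header is present and equals BucketOwnerEnforced). The function names `denied_by`, `action_applies` and `condition_matches` are the example's own.

```python
"""Toy evaluator for SCP Deny statements (added example, not AWS or gist code)."""
import fnmatch

# Copied from the gist above.
DENY_ROOT = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}]}

REQUIRE_INSTANCE_TYPE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "RequireInstanceType", "Effect": "Deny", "Action": "ec2:RunInstances",
    "Resource": ["arn:aws:ec2:*:*:instance/*"],
    "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t3a.micro", "t3a.medium", "m5.large"]}}}]}

# NotAction list shortened to four entries (constructed sample, not the full SCP).
RESTRICT_REGION = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyUnsupportedRegions", "Effect": "Deny", "Resource": "*",
    "NotAction": ["iam:*", "sts:*", "s3:ListAllMyBuckets", "s3:GetAccountPublic*"],
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-central-1"]}}}]}

# Constructed from the EnforceS3BucketOwner description. Two statements are needed
# because String* operators never match when the key is absent from the request.
S3_OWNER_ENFORCED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RequireBucketOwnerEnforced", "Effect": "Deny", "Action": "s3:CreateBucket",
     "Resource": "*",
     "Condition": {"StringNotEquals": {"s3:x-amz-object-ownership": "BucketOwnerEnforced"}}},
    {"Sid": "RequireOwnershipHeader", "Effect": "Deny", "Action": "s3:CreateBucket",
     "Resource": "*", "Condition": {"Null": {"s3:x-amz-object-ownership": True}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM action names are matched case-insensitively with * and ? wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def action_applies(stmt, action):
    if "Action" in stmt:
        return any(_glob(p, action) for p in _as_list(stmt["Action"]))
    # NotAction: the statement applies to every action NOT in the list.
    return not any(_glob(p, action) for p in _as_list(stmt["NotAction"]))


def condition_matches(condition, ctx):
    """True only if every operator/key pair matches (they are ANDed together)."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(v) for v in _as_list(expected)]
            if op == "Null":
                # Null "true" matches when the key is absent, "false" when it is present.
                if (key not in ctx) != (expected[0].lower() == "true"):
                    return False
                continue
            if key not in ctx:
                # An absent key satisfies no String* operator, negated ones included.
                return False
            actual = ctx[key]
            if op == "StringEquals" and actual not in expected:
                return False
            if op == "StringNotEquals" and actual in expected:
                return False
            if op == "StringLike" and not any(fnmatch.fnmatchcase(actual, e) for e in expected):
                return False
            if op not in ("StringEquals", "StringNotEquals", "StringLike"):
                raise ValueError(f"operator not modelled: {op}")
    return True


def denied_by(policy, action, ctx):
    """Sid of the first applicable Deny statement, or None if this SCP lets the request through."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Deny" and action_applies(stmt, action)
                and condition_matches(stmt.get("Condition", {}), ctx)):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    # Constructed request contexts; the account id is a documentation placeholder.
    root = {"aws:PrincipalArn": "arn:aws:iam::111122223333:root"}
    role = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/Admin"}
    print(denied_by(DENY_ROOT, "s3:ListAllMyBuckets", root))
    print(denied_by(DENY_ROOT, "s3:ListAllMyBuckets", role))
    print(denied_by(REQUIRE_INSTANCE_TYPE, "ec2:RunInstances", {"ec2:InstanceType": "t3.large"}))
    print(denied_by(RESTRICT_REGION, "ec2:RunInstances", {"aws:RequestedRegion": "us-west-2"}))
    print(denied_by(RESTRICT_REGION, "iam:CreateRole", {"aws:RequestedRegion": "us-west-2"}))
    print(denied_by(S3_OWNER_ENFORCED, "s3:CreateBucket", {}))
```

The S3 case is the one worth stepping through: a CreateBucket request with no ownership header is caught only by the Null statement, while a request that explicitly asks for ObjectWriter is caught only by the StringNotEquals statement. Either statement alone leaves a gap.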