AWS SCP policies
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"organizations:LeaveOrganization",
"config:DeleteConfigRule",
"config:DeleteConfigurationRecorder",
"config:DeleteDeliveryChannel",
"config:StopConfigurationRecorder",
"config:PutConfigurationRecorder",
"config:PutDeliveryChannel",
"config:PutRetentionConfiguration",
"cloudtrail:StopLogging",
"cloudtrail:PutEventSelectors",
"cloudtrail:UpdateTrail",
"cloudtrail:DeleteTrail",
"guardduty:DeclineInvitations",
"guardduty:DeleteDetector",
"guardduty:DeleteFilter",
"guardduty:DeleteInvitations",
"guardduty:UpdateDetector",
"guardduty:DisassociateFromMasterAccount",
"guardduty:DisassociateMembers",
"securityhub:DeclineInvitations",
"securityhub:DeleteActionTarget",
"securityhub:DeleteInvitations",
"securityhub:DeleteMembers",
"securityhub:DisassociateFromMasterAccount",
"securityhub:DisassociateMembers",
"securityhub:UpdateActionTarget"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ec2:*",
"ecs:*",
"ecr:*",
"rds:*",
"elasticbeanstalk:*",
"elasticache:*",
"lambda:*",
"dynamodb:*",
"athena:*",
"logs:*",
"redshift:*",
"codebuild:*",
"codecommit:*",
"codedeploy:*",
"codepipeline:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"ap-northeast-1"
]
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"rds:DeleteDBCluster",
"rds:DeleteDBClusterSnapshot",
"rds:DeleteDBInstanceAutomatedBackup",
"rds:DeleteGlobalCluster",
"elasticache:DeleteCacheCluster",
"elasticache:DeleteSnapshot",
"dynamodb:DeleteBackup",
"dynamodb:DeleteTable",
"cognito-idp:DeleteUserPool",
"s3:DeleteBucket"
],
"Resource": "*",
"Condition": {
"StringNotLike": {
"aws:PrincipalARN": [
"arn:aws:iam::*:root",
"arn:aws:iam::*:role/super-admin"
]
}
}
}
]
}