wetherc/scp.json

## scp.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUser",
      "Effect": "Deny",
      "NotAction": [
        "organizations:*",
        "aws-portal:*",
        "awsbillingconsole:*",
        "cur:*",
        "ce:*",
        "pricing:*",
        "purchase-orders:*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    },
    {
      "Sid": "RestrictRegion",
      "Effect": "Deny",
      "NotAction": [
        "a4b:*",
        "acm:*",
        "aws-marketplace-management:*",
        "aws-marketplace:*",
        "aws-portal:*",
        "awsbillingconsole:*",
        "budgets:*",
        "ce:*",
        "chime:*",
        "cloudfront:*",
        "config:*",
        "cur:*",
        "directconnect:*",
        "ec2:DescribeRegions",
        "ec2:DescribeTransitGateways",
        "ec2:DescribeVpnGateways",
        "fms:*",
        "globalaccelerator:*",
        "health:*",
        "iam:*",
        "importexport:*",
        "kms:*",
        "mobileanalytics:*",
        "networkmanager:*",
        "organizations:*",
        "pricing:*",
        "route53:*",
        "route53domains:*",
        "s3:GetAccountPublic*",
        "s3:ListAllMyBuckets",
        "s3:PutAccountPublic*",
        "shield:*",
        "sts:*",
        "support:*",
        "trustedadvisor:*",
        "waf-regional:*",
        "waf:*",
        "wafv2:*",
        "wellarchitected:*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-east-2"
          ]
        }
      }
    },
    {
      "Sid": "DenyLeaveOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "DenyDisableGuardDuty",
      "Effect": "Deny",
      "Action": [
        "guardduty:AcceptInvitation",
        "guardduty:ArchiveFindings",
        "guardduty:CreateDetector",
        "guardduty:CreateFilter",
        "guardduty:CreateIPSet",
        "guardduty:CreateMembers",
        "guardduty:CreatePublishingDestination",
        "guardduty:CreateSampleFindings",
        "guardduty:CreateThreatIntelSet",
        "guardduty:DeclineInvitations",
        "guardduty:DeleteDetector",
        "guardduty:DeleteFilter",
        "guardduty:DeleteInvitations",
        "guardduty:DeleteIPSet",
        "guardduty:DeleteMembers",
        "guardduty:DeletePublishingDestination",
        "guardduty:DeleteThreatIntelSet",
        "guardduty:DisassociateFromMasterAccount",
        "guardduty:DisassociateMembers",
        "guardduty:InviteMembers",
        "guardduty:StartMonitoringMembers",
        "guardduty:StopMonitoringMembers",
        "guardduty:TagResource",
        "guardduty:UnarchiveFindings",
        "guardduty:UntagResource",
        "guardduty:UpdateDetector",
        "guardduty:UpdateFilter",
        "guardduty:UpdateFindingsFeedback",
        "guardduty:UpdateIPSet",
        "guardduty:UpdatePublishingDestination",
        "guardduty:UpdateThreatIntelSet"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "DenyDisableSecurityServices",
      "Effect": "Deny",
      "Action": [
        "access-analyzer:DeleteAnalyzer",
        "ec2:DisableEbsEncryptionByDefault",
        "s3:PutAccountPublicAccessBlock"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "DenyExternalPrincipalAccess",
      "Effect": "Deny",
      "Action": [
        "ram:CreateResourceShare",
        "ram:UpdateResourceShare"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Bool": {
          "ram:RequestedAllowsExternalPrincipals": "true"
        }
      }
    },
    {
      "Sid": "DenyExternalOUAccess",
      "Effect": "Deny",
      "Action": [
        "ram:CreateResourceShare",
        "ram:AssociateResourceShare"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "ForAnyValue:StringLike": {
          "ram:Principal": [
            "arn:aws:organizations::*:organization/*",
            "arn:aws:organizations::*:ou/*"
          ]
        }
      }
    },
    {
      "Sid": "DenyDeleteFlowLogs",
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteFlowLogs",
        "logs:DeleteLogGroup",
        "logs:DeleteLogStream"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "DenyOrgModNonRoot",
      "Effect": "Deny",
      "Action": [
        "organizations:AttachPolicy",
        "organizations:CreateAccount",
        "organizations:CreateOrganization",
        "organizations:CreateGovCloudAccount",
        "organizations:CreateOrganizationalUnit",
        "organizations:CreatePolicy",
        "organizations:DeleteOrganization",
        "organizations:DeleteOrganizationalUnit",
        "organizations:DeletePolicy",
        "organizations:DeregisterDelegatedAdministrator",
        "organizations:DetachPolicy",
        "organizations:DisableAWSServiceAccess",
        "organizations:DisablePolicyType",
        "organizations:EnableAWSServiceAccess",
        "organizations:EnableAllFeatures",
        "organizations:EnablePolicyType",
        "organizations:InviteAccountToOrganization",
        "organizations:LeaveOrganization",
        "organizations:MoveAccount",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:RemoveAccountFromOrganization",
        "organizations:UpdateOrganizationalUnit",
        "organizations:UpdatePolicy"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "DenyRootUser",
	"Effect": "Deny",
	"NotAction": [
	"organizations:*",
	"aws-portal:*",
	"awsbillingconsole:*",
	"cur:*",
	"ce:*",
	"pricing:*",
	"purchase-orders:*"
	],
	"Resource": [
	"*"
	],
	"Condition": {
	"StringLike": {
	"aws:PrincipalArn": "arn:aws:iam::*:root"
	}
	}
	},
	{
	"Sid": "RestrictRegion",
	"Effect": "Deny",
	"NotAction": [
	"a4b:*",
	"acm:*",
	"aws-marketplace-management:*",
	"aws-marketplace:*",
	"aws-portal:*",
	"awsbillingconsole:*",
	"budgets:*",
	"ce:*",
	"chime:*",
	"cloudfront:*",
	"config:*",
	"cur:*",
	"directconnect:*",
	"ec2:DescribeRegions",
	"ec2:DescribeTransitGateways",
	"ec2:DescribeVpnGateways",
	"fms:*",
	"globalaccelerator:*",
	"health:*",
	"iam:*",
	"importexport:*",
	"kms:*",
	"mobileanalytics:*",
	"networkmanager:*",
	"organizations:*",
	"pricing:*",
	"route53:*",
	"route53domains:*",
	"s3:GetAccountPublic*",
	"s3:ListAllMyBuckets",
	"s3:PutAccountPublic*",
	"shield:*",
	"sts:*",
	"support:*",
	"trustedadvisor:*",
	"waf-regional:*",
	"waf:*",
	"wafv2:*",
	"wellarchitected:*"
	],
	"Resource": [
	"*"
	],
	"Condition": {
	"StringNotEquals": {
	"aws:RequestedRegion": [
	"us-east-1",
	"us-east-2"
	]
	}
	}
	},
	{
	"Sid": "DenyLeaveOrganization",
	"Effect": "Deny",
	"Action": "organizations:LeaveOrganization",
	"Resource": [
	"*"
	]
	},
	{
	"Sid": "DenyDisableGuardDuty",
	"Effect": "Deny",
	"Action": [
	"guardduty:AcceptInvitation",
	"guardduty:ArchiveFindings",
	"guardduty:CreateDetector",
	"guardduty:CreateFilter",
	"guardduty:CreateIPSet",
	"guardduty:CreateMembers",
	"guardduty:CreatePublishingDestination",
	"guardduty:CreateSampleFindings",
	"guardduty:CreateThreatIntelSet",
	"guardduty:DeclineInvitations",
	"guardduty:DeleteDetector",
	"guardduty:DeleteFilter",
	"guardduty:DeleteInvitations",
	"guardduty:DeleteIPSet",
	"guardduty:DeleteMembers",
	"guardduty:DeletePublishingDestination",
	"guardduty:DeleteThreatIntelSet",
	"guardduty:DisassociateFromMasterAccount",
	"guardduty:DisassociateMembers",
	"guardduty:InviteMembers",
	"guardduty:StartMonitoringMembers",
	"guardduty:StopMonitoringMembers",
	"guardduty:TagResource",
	"guardduty:UnarchiveFindings",
	"guardduty:UntagResource",
	"guardduty:UpdateDetector",
	"guardduty:UpdateFilter",
	"guardduty:UpdateFindingsFeedback",
	"guardduty:UpdateIPSet",
	"guardduty:UpdatePublishingDestination",
	"guardduty:UpdateThreatIntelSet"
	],
	"Resource": [
	"*"
	]
	},
	{
	"Sid": "DenyDisableSecurityServices",
	"Effect": "Deny",
	"Action": [
	"access-analyzer:DeleteAnalyzer",
	"ec2:DisableEbsEncryptionByDefault",
	"s3:PutAccountPublicAccessBlock"
	],
	"Resource": [
	"*"
	]
	},
	{
	"Sid": "DenyExternalPrincipalAccess",
	"Effect": "Deny",
	"Action": [
	"ram:CreateResourceShare",
	"ram:UpdateResourceShare"
	],
	"Resource": [
	"*"
	],
	"Condition": {
	"Bool": {
	"ram:RequestedAllowsExternalPrincipals": "true"
	}
	}
	},
	{
	"Sid": "DenyExternalOUAccess",
	"Effect": "Deny",
	"Action": [
	"ram:CreateResourceShare",
	"ram:AssociateResourceShare"
	],
	"Resource": [
	"*"
	],
	"Condition": {
	"ForAnyValue:StringLike": {
	"ram:Principal": [
	"arn:aws:organizations:::organization/",
	"arn:aws:organizations:::ou/"
	]
	}
	}
	},
	{
	"Sid": "DenyDeleteFlowLogs",
	"Effect": "Deny",
	"Action": [
	"ec2:DeleteFlowLogs",
	"logs:DeleteLogGroup",
	"logs:DeleteLogStream"
	],
	"Resource": [
	"*"
	]
	},
	{
	"Sid": "DenyOrgModNonRoot",
	"Effect": "Deny",
	"Action": [
	"organizations:AttachPolicy",
	"organizations:CreateAccount",
	"organizations:CreateOrganization",
	"organizations:CreateGovCloudAccount",
	"organizations:CreateOrganizationalUnit",
	"organizations:CreatePolicy",
	"organizations:DeleteOrganization",
	"organizations:DeleteOrganizationalUnit",
	"organizations:DeletePolicy",
	"organizations:DeregisterDelegatedAdministrator",
	"organizations:DetachPolicy",
	"organizations:DisableAWSServiceAccess",
	"organizations:DisablePolicyType",
	"organizations:EnableAWSServiceAccess",
	"organizations:EnableAllFeatures",
	"organizations:EnablePolicyType",
	"organizations:InviteAccountToOrganization",
	"organizations:LeaveOrganization",
	"organizations:MoveAccount",
	"organizations:RegisterDelegatedAdministrator",
	"organizations:RemoveAccountFromOrganization",
	"organizations:UpdateOrganizationalUnit",
	"organizations:UpdatePolicy"
	],
	"Resource": [
	"*"
	],
	"Condition": {
	"StringNotLike": {
	"aws:PrincipalArn": "arn:aws:iam::*:root"
	}
	}
	}
	]
	}