@wetherc
Created June 16, 2022 15:53
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyRootUser",
"Effect": "Deny",
"NotAction": [
"organizations:*",
"aws-portal:*",
"awsbillingconsole:*",
"cur:*",
"ce:*",
"pricing:*",
"purchase-orders:*"
],
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"aws:PrincipalArn": "arn:aws:iam::*:root"
}
}
},
{
"Sid": "RestrictRegion",
"Effect": "Deny",
"NotAction": [
"a4b:*",
"acm:*",
"aws-marketplace-management:*",
"aws-marketplace:*",
"aws-portal:*",
"awsbillingconsole:*",
"budgets:*",
"ce:*",
"chime:*",
"cloudfront:*",
"config:*",
"cur:*",
"directconnect:*",
"ec2:DescribeRegions",
"ec2:DescribeTransitGateways",
"ec2:DescribeVpnGateways",
"fms:*",
"globalaccelerator:*",
"health:*",
"iam:*",
"importexport:*",
"kms:*",
"mobileanalytics:*",
"networkmanager:*",
"organizations:*",
"pricing:*",
"route53:*",
"route53domains:*",
"s3:GetAccountPublic*",
"s3:ListAllMyBuckets",
"s3:PutAccountPublic*",
"shield:*",
"sts:*",
"support:*",
"trustedadvisor:*",
"waf-regional:*",
"waf:*",
"wafv2:*",
"wellarchitected:*"
],
"Resource": [
"*"
],
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-east-2"
]
}
}
},
{
"Sid": "DenyLeaveOrganization",
"Effect": "Deny",
"Action": "organizations:LeaveOrganization",
"Resource": [
"*"
]
},
{
"Sid": "DenyDisableGuardDuty",
"Effect": "Deny",
"Action": [
"guardduty:AcceptInvitation",
"guardduty:ArchiveFindings",
"guardduty:CreateDetector",
"guardduty:CreateFilter",
"guardduty:CreateIPSet",
"guardduty:CreateMembers",
"guardduty:CreatePublishingDestination",
"guardduty:CreateSampleFindings",
"guardduty:CreateThreatIntelSet",
"guardduty:DeclineInvitations",
"guardduty:DeleteDetector",
"guardduty:DeleteFilter",
"guardduty:DeleteInvitations",
"guardduty:DeleteIPSet",
"guardduty:DeleteMembers",
"guardduty:DeletePublishingDestination",
"guardduty:DeleteThreatIntelSet",
"guardduty:DisassociateFromMasterAccount",
"guardduty:DisassociateMembers",
"guardduty:InviteMembers",
"guardduty:StartMonitoringMembers",
"guardduty:StopMonitoringMembers",
"guardduty:TagResource",
"guardduty:UnarchiveFindings",
"guardduty:UntagResource",
"guardduty:UpdateDetector",
"guardduty:UpdateFilter",
"guardduty:UpdateFindingsFeedback",
"guardduty:UpdateIPSet",
"guardduty:UpdatePublishingDestination",
"guardduty:UpdateThreatIntelSet"
],
"Resource": [
"*"
]
},
{
"Sid": "DenyDisableSecurityServices",
"Effect": "Deny",
"Action": [
"access-analyzer:DeleteAnalyzer",
"ec2:DisableEbsEncryptionByDefault",
"s3:PutAccountPublicAccessBlock"
],
"Resource": [
"*"
]
},
{
"Sid": "DenyExternalPrincipalAccess",
"Effect": "Deny",
"Action": [
"ram:CreateResourceShare",
"ram:UpdateResourceShare"
],
"Resource": [
"*"
],
"Condition": {
"Bool": {
"ram:RequestedAllowsExternalPrincipals": "true"
}
}
},
{
"Sid": "DenyExternalOUAccess",
"Effect": "Deny",
"Action": [
"ram:CreateResourceShare",
"ram:AssociateResourceShare"
],
"Resource": [
"*"
],
"Condition": {
"ForAnyValue:StringLike": {
"ram:Principal": [
"arn:aws:organizations::*:organization/*",
"arn:aws:organizations::*:ou/*"
]
}
}
},
{
"Sid": "DenyDeleteFlowLogs",
"Effect": "Deny",
"Action": [
"ec2:DeleteFlowLogs",
"logs:DeleteLogGroup",
"logs:DeleteLogStream"
],
"Resource": [
"*"
]
},
{
"Sid": "DenyOrgModNonRoot",
"Effect": "Deny",
"Action": [
"organizations:AttachPolicy",
"organizations:CreateAccount",
"organizations:CreateOrganization",
"organizations:CreateGovCloudAccount",
"organizations:CreateOrganizationalUnit",
"organizations:CreatePolicy",
"organizations:DeleteOrganization",
"organizations:DeleteOrganizationalUnit",
"organizations:DeletePolicy",
"organizations:DeregisterDelegatedAdministrator",
"organizations:DetachPolicy",
"organizations:DisableAWSServiceAccess",
"organizations:DisablePolicyType",
"organizations:EnableAWSServiceAccess",
"organizations:EnableAllFeatures",
"organizations:EnablePolicyType",
"organizations:InviteAccountToOrganization",
"organizations:LeaveOrganization",
"organizations:MoveAccount",
"organizations:RegisterDelegatedAdministrator",
"organizations:RemoveAccountFromOrganization",
"organizations:UpdateOrganizationalUnit",
"organizations:UpdatePolicy"
],
"Resource": [
"*"
],
"Condition": {
"StringNotLike": {
"aws:PrincipalArn": "arn:aws:iam::*:root"
}
}
}
]
}