{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "DenyRootUser", | |
"Effect": "Deny", | |
"NotAction": [ | |
"organizations:*", | |
"aws-portal:*", | |
"awsbillingconsole:*", | |
"cur:*", | |
"ce:*", | |
"pricing:*", | |
"purchase-orders:*" | |
], | |
"Resource": [ | |
"*" | |
], | |
"Condition": { | |
"StringLike": { | |
"aws:PrincipalArn": "arn:aws:iam::*:root" | |
} | |
} | |
}, | |
{ | |
"Sid": "RestrictRegion", | |
"Effect": "Deny", | |
"NotAction": [ | |
"a4b:*", | |
"acm:*", | |
"aws-marketplace-management:*", | |
"aws-marketplace:*", | |
"aws-portal:*", | |
"awsbillingconsole:*", | |
"budgets:*", | |
"ce:*", | |
"chime:*", | |
"cloudfront:*", | |
"config:*", | |
"cur:*", | |
"directconnect:*", | |
"ec2:DescribeRegions", | |
"ec2:DescribeTransitGateways", | |
"ec2:DescribeVpnGateways", | |
"fms:*", | |
"globalaccelerator:*", | |
"health:*", | |
"iam:*", | |
"importexport:*", | |
"kms:*", | |
"mobileanalytics:*", | |
"networkmanager:*", | |
"organizations:*", | |
"pricing:*", | |
"route53:*", | |
"route53domains:*", | |
"s3:GetAccountPublic*", | |
"s3:ListAllMyBuckets", | |
"s3:PutAccountPublic*", | |
"shield:*", | |
"sts:*", | |
"support:*", | |
"trustedadvisor:*", | |
"waf-regional:*", | |
"waf:*", | |
"wafv2:*", | |
"wellarchitected:*" | |
], | |
"Resource": [ | |
"*" | |
], | |
"Condition": { | |
"StringNotEquals": { | |
"aws:RequestedRegion": [ | |
"us-east-1", | |
"us-east-2" | |
] | |
} | |
} | |
}, | |
{ | |
"Sid": "DenyLeaveOrganization", | |
"Effect": "Deny", | |
"Action": "organizations:LeaveOrganization", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "DenyDisableGuardDuty", | |
"Effect": "Deny", | |
"Action": [ | |
"guardduty:AcceptInvitation", | |
"guardduty:ArchiveFindings", | |
"guardduty:CreateDetector", | |
"guardduty:CreateFilter", | |
"guardduty:CreateIPSet", | |
"guardduty:CreateMembers", | |
"guardduty:CreatePublishingDestination", | |
"guardduty:CreateSampleFindings", | |
"guardduty:CreateThreatIntelSet", | |
"guardduty:DeclineInvitations", | |
"guardduty:DeleteDetector", | |
"guardduty:DeleteFilter", | |
"guardduty:DeleteInvitations", | |
"guardduty:DeleteIPSet", | |
"guardduty:DeleteMembers", | |
"guardduty:DeletePublishingDestination", | |
"guardduty:DeleteThreatIntelSet", | |
"guardduty:DisassociateFromMasterAccount", | |
"guardduty:DisassociateMembers", | |
"guardduty:InviteMembers", | |
"guardduty:StartMonitoringMembers", | |
"guardduty:StopMonitoringMembers", | |
"guardduty:TagResource", | |
"guardduty:UnarchiveFindings", | |
"guardduty:UntagResource", | |
"guardduty:UpdateDetector", | |
"guardduty:UpdateFilter", | |
"guardduty:UpdateFindingsFeedback", | |
"guardduty:UpdateIPSet", | |
"guardduty:UpdatePublishingDestination", | |
"guardduty:UpdateThreatIntelSet" | |
], | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "DenyDisableSecurityServices", | |
"Effect": "Deny", | |
"Action": [ | |
"access-analyzer:DeleteAnalyzer", | |
"ec2:DisableEbsEncryptionByDefault", | |
"s3:PutAccountPublicAccessBlock" | |
], | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "DenyExternalPrincipalAccess", | |
"Effect": "Deny", | |
"Action": [ | |
"ram:CreateResourceShare", | |
"ram:UpdateResourceShare" | |
], | |
"Resource": [ | |
"*" | |
], | |
"Condition": { | |
"Bool": { | |
"ram:RequestedAllowsExternalPrincipals": "true" | |
} | |
} | |
}, | |
{ | |
"Sid": "DenyExternalOUAccess", | |
"Effect": "Deny", | |
"Action": [ | |
"ram:CreateResourceShare", | |
"ram:AssociateResourceShare" | |
], | |
"Resource": [ | |
"*" | |
], | |
"Condition": { | |
"ForAnyValue:StringLike": { | |
"ram:Principal": [ | |
"arn:aws:organizations::*:organization/*", | |
"arn:aws:organizations::*:ou/*" | |
] | |
} | |
} | |
}, | |
{ | |
"Sid": "DenyDeleteFlowLogs", | |
"Effect": "Deny", | |
"Action": [ | |
"ec2:DeleteFlowLogs", | |
"logs:DeleteLogGroup", | |
"logs:DeleteLogStream" | |
], | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "DenyOrgModNonRoot", | |
"Effect": "Deny", | |
"Action": [ | |
"organizations:AttachPolicy", | |
"organizations:CreateAccount", | |
"organizations:CreateOrganization", | |
"organizations:CreateGovCloudAccount", | |
"organizations:CreateOrganizationalUnit", | |
"organizations:CreatePolicy", | |
"organizations:DeleteOrganization", | |
"organizations:DeleteOrganizationalUnit", | |
"organizations:DeletePolicy", | |
"organizations:DeregisterDelegatedAdministrator", | |
"organizations:DetachPolicy", | |
"organizations:DisableAWSServiceAccess", | |
"organizations:DisablePolicyType", | |
"organizations:EnableAWSServiceAccess", | |
"organizations:EnableAllFeatures", | |
"organizations:EnablePolicyType", | |
"organizations:InviteAccountToOrganization", | |
"organizations:LeaveOrganization", | |
"organizations:MoveAccount", | |
"organizations:RegisterDelegatedAdministrator", | |
"organizations:RemoveAccountFromOrganization", | |
"organizations:UpdateOrganizationalUnit", | |
"organizations:UpdatePolicy" | |
], | |
"Resource": [ | |
"*" | |
], | |
"Condition": { | |
"StringNotLike": { | |
"aws:PrincipalArn": "arn:aws:iam::*:root" | |
} | |
} | |
} | |
] | |
} |