Skip to content
This repository has been archived by the owner on Nov 27, 2023. It is now read-only.

Appsilon/terraform-aws-ou-scp

BranchesTags

Repository files navigation

AWS OU SCP Terraform Module

Module initially comes from Trussworks and is adjusted to reflect Appsilon custom policies, like require_ec2_tags i.e.

Supports two main use cases:

  • Combines multiple Service Control Policy (SCP) statements - combining multiple policy statements into a single policy allows more than 5 policies to be be applied to a single Organizational Unit (OU).
  • Alternatively, creates a "Deny All Access" Service Control Policy.

Alternatively, enables creation of a "Deny All Access" Service Control Policy.

Policy options (listed by sid) are:

  • Deny leaving AWS Organizations (DenyLeavingOrgs)
  • Deny creating IAM users or access keys (DenyCreatingIAMUsers)
  • Deny deleting KMS Keys (DenyDeletingKMSKeys)
  • Deny deleting Route53 Hosted Zones (DenyDeletingRoute53Zones)
  • Deny deleting VPC Flow logs, Cloudwatch log groups, and Cloudwatch log streams (DenyDeletingCloudwatchLogs)
  • Deny root account (DenyRootAccount)
  • Protect S3 Buckets (ProtectS3Buckets)
  • Deny S3 Buckets Public Access (DenyS3BucketsPublicAccess)
  • Protect IAM Roles (ProtectIAMRoles)
  • Restrict Regional Operations (LimitRegions)
  • Require S3 encryption (DenyIncorrectEncryptionHeader + DenyUnEncryptedObjectUploads)

Usage for combined policy statements

To include a policy in your combined policy block, set it to true. Otherwise omit the policy variable.

module "github_terraform_aws_ou_scp" {
  source = "appsilon/ou-scp/aws"
  target =  aws_organizations_organizational_unit.my_ou

  # don't allow all accounts to be able to leave the org
  deny_leaving_orgs             = true
  # applies to accounts that are not managing IAM users
  deny_creating_iam_users       = true
  # don't allow deleting KMS keys
  deny_deleting_kms_keys        = true
  # don't allow deleting Route53 zones
  deny_deleting_route53_zones   = true
  # don't allow deleting CloudWatch logs
  deny_deleting_cloudwatch_logs = true
  # don't allow access to the root user
  deny_root_account             = true

  protect_s3_buckets            = true
  # protect terraform statefile bucket
  protect_s3_bucket_resources   = [
    "arn:aws:s3:::prod-terraform-state-us-west-2",
    "arn:aws:s3:::prod-terraform-state-us-west-2/*"
  ]

  # don't allow public access to bucket
  deny_s3_buckets_public_access = true
  deny_s3_bucket_public_access_resources = [
    "arn:aws:s3:::log-delivery-august-2020"
  ]

  protect_iam_roles             = true
  # - protect OrganizationAccountAccessRole
  protect_iam_role_resources     = [
    "arn:aws:iam::*:role/OrganizationAccountAccessRole"
  ]

  # restrict region-specific operations to us-west-2
  limit_regions                 = true
  # - restrict region-specific operations to us-west-2
  allowed_regions               = ["us-west-2"]

  # require s3 objects be encrypted
  require_s3_encryption = true

  # SCP policy tags
  tags = {
    managed_by = "terraform"
  }
}

Usage for a policy which denies all access

module "github_terraform_aws_ou_scp" {
  source = "appsilon/ou-scp/aws"
  target =  aws_organizations_organizational_unit.my_ou

  # don't allow any access at all
  deny_all=true
}

Requirements

Name Version
terraform >= 1.0.0
aws >= 3.45.0

Providers

Name Version
aws 3.45.0

Modules

No modules.

Resources

Name Type
aws_organizations_policy.generated resource
aws_organizations_policy_attachment.generated resource
aws_iam_policy_document.combined_policy_block data source
aws_iam_policy_document.deny_all_access data source

Inputs

Name Description Type Default Required
allowed_regions AWS Regions allowed for use (for use with the restrict regions SCP) list(string) 
[
  ""
]
 no
deny_all If false, create a combined policy. If true, deny all access bool false no
deny_creating_iam_users DenyCreatingIAMUsers in the OU policy. bool false no
deny_deleting_cloudwatch_logs DenyDeletingCloudwatchLogs in the OU policy. bool false no
deny_deleting_kms_keys DenyDeletingKMSKeys in the OU policy. bool false no
deny_deleting_route53_zones DenyDeletingRoute53Zones in the OU policy. bool false no
deny_leaving_orgs DenyLeavingOrgs in the OU policy. bool false no
deny_root_account DenyRootAccount in the OU policy. bool false no
deny_s3_bucket_public_access_resources S3 bucket resource ARNs to block public access list(string) 
[
  ""
]
 no
deny_s3_buckets_public_access DenyS3BucketsPublicAccess in the OU policy. bool false no
limit_regions LimitRegions in the OU policy. bool false no
protect_iam_role_resources IAM role resource ARNs to protect from modification and deletion list(string) 
[
  ""
]
 no
protect_iam_roles ProtectIAMRoles in the OU policy. bool false no
protect_s3_bucket_resources S3 bucket resource ARNs to protect from bucket and object deletion list(string) 
[
  ""
]
 no
protect_s3_buckets ProtectS3Buckets in the OU policy. bool false no
require_ec2_tags RequireTagsForEC2InstancesAndVolumes in the OU policy bool false no
require_s3_encryption DenyIncorrectEncryptionHeader and DenyUnEncryptedObjectUploads in the OU policy bool false no
tags Tags applied to the SCP policy map(string) {} no
target OU resource to attach SCP 
object({
    name = string
    id   = string
  })
 n/a yes

Outputs

No outputs.

Developer Setup

Install dependencies (macOS)

brew install pre-commit go terraform terraform-docs
pre-commit install --install-hooks

About

No description or website provided.

Topics

terraform-module

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

0 stars

Watchers

4 watching

Forks

1 fork
Report repository

Releases 2

v1.0.1 Latest
Jun 28, 2021
+ 1 release

Packages

No packages published

Contributors 2

  •  
  •  

Languages