Merge pull request #76 from dgwhited/main

update region restriction with global services
ScaleSec · Jun 8, 2021 · 521ac29 · 521ac29
2 parents 65223b7 + e030048
commit 521ac29
Showing 1 changed file with 33 additions and 6 deletions.
diff --git a/security_controls_scp/modules/region/region_restriction.tf b/security_controls_scp/modules/region/region_restriction.tf
@@ -5,17 +5,44 @@ data "aws_iam_policy_document" "region_restriction" {
     sid = "DenyRegionUsage"
 
     not_actions = [
+      "a4b:*",
+      "acm:*",
+      "aws-marketplace-management:*",
+      "aws-marketplace:*",
+      "aws-portal:*",
+      "budgets:*",
+      "ce:*",
+      "chime:*",
       "cloudfront:*",
+      "config:*",
+      "cur:*",
+      "directconnect:*",
+      "ec2:DescribeRegions",
+      "ec2:DescribeTransitGateways",
+      "ec2:DescribeVpnGateways",
+      "fms:*",
+      "globalaccelerator:*",
+      "health:*",
       "iam:*",
+      "importexport:*",
+      "kms:*",
+      "mobileanalytics:*",
+      "networkmanager:*",
+      "organizations:*",
+      "pricing:*",
       "route53:*",
+      "route53domains:*",
+      "s3:GetAccountPublic*",
+      "s3:ListAllMyBuckets",
+      "s3:PutAccountPublic*",
+      "shield:*",
+      "sts:*",
       "support:*",
-      "organizations:*",
+      "trustedadvisor:*",
+      "waf-regional:*",
       "waf:*",
-      "budgets:*",
-      "globalaccelerator:*",
-      "cur:*",
-      "ce:*",
-      "directconnect:*"
+      "wafv2:*",
+      "wellarchitected:*"
     ]
 
     resources = [