Add SCP policies and update some
snemetz committed Mar 12, 2022
1 parent c6c05a6 commit 2106173
Showing 7 changed files with 35 additions and 2 deletions.
1 change: 1 addition & 0 deletions modules/scp/README.md
Expand Up @@ -35,6 +35,7 @@ No modules.
| [aws_organizations_policy.deny_guardduty_modify](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
| [aws_organizations_policy.deny_member_leaving](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
| [aws_organizations_policy.deny_s3_public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
| [aws_organizations_policy.deny_s3_unsecure_requests](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
| [aws_organizations_policy.deny_securityhub_disable](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
| [aws_organizations_policy.require_s3_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |

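--- a/modules/scp/REFERENCES.txt
+++ b/modules/scp/REFERENCES.txt
@@ -0,0 +1,3 @@
+
+https://aws-samples.github.io/aws-iam-permissions-guardrails/guardrails/scp-guardrails.html
+https://github.com/ScaleSec/terraform_aws_scp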
2 changes: 1 addition & 1 deletion modules/scp/files/deny-cloudtrail-tamper.json
Expand Up @@ -6,8 +6,8 @@
"Effect": "Deny",
"Action": [
"cloudtrail:DeleteTrail",
"cloudtrail:StopLogging",
"cloudtrail:PutEventSelectors",
"cloudtrail:StopLogging",
"cloudtrail:UpdateTrail"
],
"Resource": [
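Review bot: The Action list at L36–L40 still leaves an audit-tampering path open after this reorder: `cloudtrail:PutInsightSelectors` is not denied, and the CloudTrail Lake actions `cloudtrail:DeleteEventDataStore` and `cloudtrail:UpdateEventDataStore` are absent, so a principal can degrade or remove Lake-based logging while the classic trail stays protected. Moving `cloudtrail:StopLogging` below `PutEventSelectors` is behavior-neutral and only fixes ordering. Adding `"cloudtrail:DeleteEventDataStore",`, `"cloudtrail:PutInsightSelectors",` and `"cloudtrail:UpdateEventDataStore",` to the list would close the gap; the `Resource` array beginning at L42 continues outside the hunk, so whether it is scoped to specific trail ARNs (which would not cover event data stores) cannot be checked here. Note also that none of these actions protect the S3 bucket that receives the trail's logs — that needs a separate S3 deny.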
3 changes: 3 additions & 0 deletions modules/scp/files/deny-config-modify.json
Expand Up @@ -6,8 +6,11 @@
"Effect": "Deny",
"Action": [
"config:DeleteConfigRule",
"config:DeleteConfigurationAggregator",
"config:DeleteConfigurationRecorder",
"config:DeleteDeliveryChannel",
"config:DeleteEvaluationResults",
"config:DeleteRetentionConfiguration",
"config:StopConfigurationRecorder"
],
"Resource": "*"
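Review bot: The three added Delete* actions at L50, L53 and L54 do not close the simplest bypass in this statement: `config:PutConfigurationRecorder` and `config:PutDeliveryChannel` remain allowed, so a principal can rewrite the recorder's `recordingGroup` to cover almost no resource types, or repoint the delivery channel, without ever calling a Delete*/Stop* action. Adding `"config:PutConfigurationRecorder",` and `"config:PutDeliveryChannel",` to the Action list at L49–L55 blocks that, at the cost of also blocking the pipeline that provisions Config — normally handled by exempting the deployment role via an `aws:PrincipalArn` condition, which is not visible in this hunk. The statement's `Sid` and the start of the policy lie outside the hunk.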
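--- a/modules/scp/files/deny-s3-unsecure-requests.json
+++ b/modules/scp/files/deny-s3-unsecure-requests.json
@@ -0,0 +1,18 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "DenyS3UnsecureRequests",
+"Effect": "Deny",
+"Action": [
+"s3:*"
+],
+"Resource": "*",
+"Condition": {
+"Bool": {
+"aws:SecureTransport": "false"
+}
+}
+}
+]
+}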
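Review bot: This SCP only constrains principals that belong to the organization, so it does not enforce TLS for anonymous or cross-account callers of public or shared buckets; a bucket policy carrying the same `aws:SecureTransport` condition is still needed for that, and the module's README entry for `deny_s3_unsecure_requests` should say so. The blanket `s3:*` with `Resource: "*"` at L69–L71 is appropriate here because `aws:SecureTransport` is a global request-context key, but SCPs never apply to the management account, so its S3 traffic remains unaffected. Minor wording: the usual term is "insecure", and a `Sid` such as `DenyS3InsecureTransport` names the condition being enforced rather than the request.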
2 changes: 1 addition & 1 deletion modules/scp/files/require-s3-encryption.json
Expand Up @@ -8,7 +8,7 @@
"Resource": "*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
"s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]
}
}
},
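Review bot: Widening `StringNotEquals` at L87 to accept `aws:kms` is correct, but the guardrail still requires every PutObject to carry the `x-amz-server-side-encryption` header explicitly: uploads that rely on bucket-level default encryption send no header and, if the statement that begins at L90 is the usual `Null` check (it is outside the hunk), are denied even though the stored object is encrypted. Decide whether the intent is "object is encrypted at rest" or "client must assert encryption"; if the latter, document it in the README next to `require_s3_encryption` with a line like `Clients must send x-amz-server-side-encryption (AES256 or aws:kms) on every PutObject; bucket default encryption alone is not accepted.` Any additional SSE value AWS introduces will also be rejected until this list is extended. The statement's `Sid` and `Action` are above L83, outside the hunk.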
8 changes: 8 additions & 0 deletions modules/scp/main.tf
Expand Up @@ -113,6 +113,14 @@ resource "aws_organizations_policy" "deny_s3_public" {
type = "SERVICE_CONTROL_POLICY"
content = file("${path.module}/files/deny-s3-public.json")
}
resource "aws_organizations_policy" "deny_s3_unsecure_requests" {
count = local.enable && var.enable_s3 ? 1 : 0
name = "deny_s3_unsecure_requests"
description = "Prevent S3 unsecured requests"
tags = var.tags
type = "SERVICE_CONTROL_POLICY"
content = file("${path.module}/files/deny-s3-unsecure-requests.json")
}
resource "aws_organizations_policy" "require_s3_encryption" {
count = local.enable && var.enable_s3 ? 1 : 0
name = "require_s3_encryption"
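Review bot: The description at L101, `"Prevent S3 unsecured requests"`, does not tell an operator what the SCP checks; `description = "Deny any S3 API call made without TLS (aws:SecureTransport = false)"` would. A comment above the resource such as `# Requires TLS for S3 requests by org principals only; bucket policies are still needed for anonymous/cross-account callers.` would make the scope explicit. Each guardrail in this module is a separate `aws_organizations_policy`, and with at least eight now defined, attaching them individually to one OU or account will exceed the AWS limit of five SCPs per target — attachments are not in this hunk, so this may already be handled by merging statements, but it is worth confirming.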
