diff --git a/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part1.json b/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part1.json
index 6b0a1dceb..1c66bb0a5 100644
--- a/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part1.json
+++ b/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part1.json
@@ -60,6 +60,7 @@
 "s3:PutEncryptionConfiguration",
 "s3:PutLifecycleConfiguration",
 "s3:PutReplicationConfiguration",
+ "s3:PutBucketLogging",
 "s3:PutBucketPolicy",
 "s3:ReplicateDelete",
 "s3:PutObjectRetention",
@@ -76,7 +77,7 @@
 }
 },
 {
- "Sid": "ProtectCloudFormation",
+ "Sid": "DenyCFN",
 "Effect": "Deny",
 "Action": ["cloudformation:*"],
 "Resource": [
@@ -94,7 +95,7 @@
 }
 },
 {
- "Sid": "DenyAlarmDeletion",
+ "Sid": "DenyAlarms",
 "Effect": "Deny",
 "Action": [
 "cloudwatch:DeleteAlarms",
@@ -120,7 +121,7 @@
 }
 },
 {
- "Sid": "ProtectKeyRoles",
+ "Sid": "DenyKeyRoles",
 "Effect": "Deny",
 "Action": ["iam:*"],
 "Resource": [
@@ -194,7 +195,7 @@
 "Resource": "*"
 },
 {
- "Sid": "DenyLambdaDel",
+ "Sid": "DenyLambda",
 "Effect": "Deny",
 "Action": [
 "lambda:AddPermission",
@@ -223,7 +224,7 @@
 }
 },
 {
- "Sid": "BlockOther",
+ "Sid": "DenyOther",
 "Effect": "Deny",
 "Action": [
 "aws-portal:ModifyAccount",
diff --git a/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json b/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json
index aec4f82a2..7271e5190 100644
--- a/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json
+++ b/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json
@@ -24,13 +24,13 @@
 "Sid": "DenyRoot",
 "Effect": "Deny",
 "NotAction": [
- "iam:CreateVirtualMFADevice",
- "iam:EnableMFADevice",
- "iam:GetUser",
- "iam:ListMFADevices",
- "iam:ListVirtualMFADevices",
- "iam:ResyncMFADevice",
- "sts:GetSessionToken"
+ "iam:CreateVirtualMFADevice",
+ "iam:EnableMFADevice",
+ "iam:GetUser",
+ "iam:ListMFADevices",
+ "iam:ListVirtualMFADevices",
+ "iam:ResyncMFADevice",
+ "sts:GetSessionToken"
 ],
 "Resource": "*",
 "Condition": {
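Review bot: `s3:PutBucketLogging` is the right action to add for protecting server access logging — there is no separate Delete API, so this one action both enables and disables it — but the statement's `Sid`, `Resource` and `Condition` are all outside the hunk, so it is not visible whether the deny is scoped to the log-archive buckets or to every bucket in the account. If `Resource` is `*`, the new entry would also stop workloads from turning on access logging for their own buckets, which works against the guardrail; confirm the resource list and that the exempting principal condition matches the one already used for `s3:PutBucketPolicy`. As a point of style, the new entry sits between the replication and bucket-policy actions; keeping the action list sorted would make additions like this one easier to audit.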
@@ -119,6 +119,8 @@
 "guardduty:UpdateDetector",
 "guardduty:UpdateFindingsFeedback",
 "guardduty:UpdatePublishingDestination",
+ "guardduty:UpdateOrganizationConfiguration",
+ "guardduty:DisableOrganizationAdminAccount",
 "guardduty:CreateMembers",
 "guardduty:InviteMembers",
 "securityhub:AcceptInvitation",
@@ -133,6 +135,23 @@
 "securityhub:DisassociateMembers",
 "securityhub:DeleteActionTarget",
 "securityhub:BatchDisableStandards",
+ "securityhub:UpdateSecurityHubConfiguration",
+ "securityhub:UpdateStandardsControl",
+ "macie2:AcceptInvitation",
+ "macie2:CreateInvitations",
+ "macie2:CreateMember",
+ "macie2:DeclineInvitations",
+ "macie2:DeleteInvitations",
+ "macie2:DeleteMember",
+ "macie2:DisableMacie",
+ "macie2:DisableOrganizationAdminAccount",
+ "macie2:DisassociateFromMasterAccount",
+ "macie2:DisassociateMember",
+ "macie2:EnableMacie",
+ "macie2:EnableOrganizationAdminAccount",
+ "macie2:UpdateMacieSession",
+ "macie2:UpdateMemberSession",
+ "macie2:UpdateOrganizationConfiguration",
 "fms:DisassociateAdminAccount",
 "access-analyzer:DeleteAnalyzer",
 "account:EnableRegion",
diff --git a/reference-artifacts/SCPs/Quarantine-Deny-All.json b/reference-artifacts/SCPs/Quarantine-Deny-All.json
deleted file mode 100644
index 85a8e2853..000000000
--- a/reference-artifacts/SCPs/Quarantine-Deny-All.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "DenyAllAWSServicesExceptBreakglassRoles",
- "Effect": "Deny",
- "Action": "*",
- "Resource": "*",
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- }
- ]
-}
diff --git a/reference-artifacts/SCPs/Quarantine-New-Object.json b/reference-artifacts/SCPs/Quarantine-New-Object.json
index cb2ff5bce..3900da49b 100644
--- a/reference-artifacts/SCPs/Quarantine-New-Object.json
+++ b/reference-artifacts/SCPs/Quarantine-New-Object.json
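Review bot: The two GuardDuty actions added here only have an effect in the delegated-administrator account; the escape hatches an ordinary member account can use to silence GuardDuty are `guardduty:DeleteDetector`, `guardduty:DisassociateFromMasterAccount` together with its newer form `guardduty:DisassociateFromAdministratorAccount`, and `guardduty:DeleteMembers`, none of which appear in this hunk. The action list begins above the hunk, so they may already be present; if not, add `"guardduty:DeleteDetector",` and `"guardduty:DisassociateFromAdministratorAccount",` next to `guardduty:UpdateDetector`. The statement's Sid, Effect and the principal condition that presumably exempts the accelerator roles are also outside the hunk.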
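Review bot: The new Macie entries deny the legacy `macie2:DisassociateFromMasterAccount` but not its replacement `macie2:DisassociateFromAdministratorAccount`, so a member account could still detach itself from the delegated administrator and drop out of organization-wide monitoring. Add `"macie2:DisassociateFromAdministratorAccount",` after the `macie2:DisassociateFromMasterAccount` line, and check whether `securityhub:DisassociateFromAdministratorAccount` is covered in the Security Hub block that starts above the hunk, since the same rename applies there. The rest of the statement, including its Sid and condition, is outside the hunk.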
@@ -1,20 +1,20 @@
 {
 "Version": "2012-10-17",
 "Statement": [
- {
- "Sid": "DenyAllAWSServicesExceptBreakglassRoles",
- "Effect": "Deny",
- "Action": "*",
- "Resource": "*",
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/aws*",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
+ {
+ "Sid": "DenyAllAWSServicesExceptBreakglassRoles",
+ "Effect": "Deny",
+ "Action": "*",
+ "Resource": "*",
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/aws*",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
 }
+ }
 ]
-}
\ No newline at end of file
+}
diff --git a/reference-artifacts/SCPs/aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json b/reference-artifacts/SCPs/aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json
index 8957abb99..3f999c513 100644
--- a/reference-artifacts/SCPs/aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json
+++ b/reference-artifacts/SCPs/aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json
@@ -15,7 +15,8 @@
 "sns:Unsubscribe"
 ],
 "Resource":[
- "arn:aws:sns:*:*:AWS-Landing-Zone*"
+ "arn:aws:sns:*:*:AWS-Landing-Zone*",
+ "arn:aws:sns:*:*:PBMMAccel-*"
 ],
 "Effect":"Deny",
 "Sid":"GRSNSSUBSCRIPTIONPOLICY"
@@ -36,7 +37,8 @@
 "cloudtrail:UpdateTrail"
 ],
 "Resource":[
- "arn:aws:cloudtrail:*:*:trail/*AWS-Landing-Zone-*"
+ "arn:aws:cloudtrail:*:*:trail/*AWS-Landing-Zone-*",
+ "arn:aws:cloudtrail:*:*:trail/PBMMAccel-*"
 ],
 "Effect":"Deny",
 "Sid":"GRCLOUDTRAILENABLED"
@@ -58,7 +60,8 @@
 "sns:SetTopicAttributes"
 ],
 "Resource":[
- "arn:aws:sns:*:*:AWS-Landing-Zone-*"
+ "arn:aws:sns:*:*:AWS-Landing-Zone-*",
+ "arn:aws:sns:*:*:PBMMAccel-*"
 ],
 "Effect":"Deny",
 "Sid":"GRSNSTOPICPOLICY"
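Review bot: Extending the `GRCLOUDTRAILENABLED` deny to `trail/PBMMAccel-*` protects the trail object itself, but a trail can be silenced without any Delete, Stop or Update call by rewriting its event selectors, so the action list — which begins above the hunk — should also contain `cloudtrail:PutEventSelectors` and `cloudtrail:PutInsightSelectors`. If they are not already there, add `"cloudtrail:PutEventSelectors",` alongside `cloudtrail:UpdateTrail`. The principal condition that lets the accelerator's own roles manage these trails is outside the hunk, so it is not visible here whether the new resource entry is reachable for them.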
@@ -162,7 +165,8 @@
 "events:DeleteRule"
 ],
 "Resource":[
- "arn:aws:events:*:*:rule/AWS-Landing-Zone-*"
+ "arn:aws:events:*:*:rule/AWS-Landing-Zone-*",
+ "arn:aws:events:*:*:rule/PBMMAccel-*"
 ],
 "Effect":"Deny",
 "Sid":"GRCLOUDWATCHEVENTPOLICY"
diff --git a/reference-artifacts/config-pbmm-standalone-full.json b/reference-artifacts/config-pbmm-standalone-full.json
index eedae9601..039e9759f 100644
--- a/reference-artifacts/config-pbmm-standalone-full.json
+++ b/reference-artifacts/config-pbmm-standalone-full.json
@@ -1173,9 +1173,6 @@
 },
 "log-retention": 180,
 "limits": {
- "AWS Organizations/Maximum accounts": {
- "value": 20
- }
 },
 "iam": {
 "users": [
diff --git a/reference-artifacts/config-pbmm-standalone-lite.json b/reference-artifacts/config-pbmm-standalone-lite.json
index 4dea18b0c..c15885ddf 100644
--- a/reference-artifacts/config-pbmm-standalone-lite.json
+++ b/reference-artifacts/config-pbmm-standalone-lite.json
@@ -1116,9 +1116,6 @@
 },
 "log-retention": 180,
 "limits": {
- "AWS Organizations/Maximum accounts": {
- "value": 20
- }
 },
 "iam": {
 "users": [
diff --git a/reference-artifacts/config.example.json b/reference-artifacts/config.example.json
index 95d0ee63a..9fb30ad4a 100644
--- a/reference-artifacts/config.example.json
+++ b/reference-artifacts/config.example.json
@@ -1185,9 +1185,6 @@
 },
 "log-retention": 180,
 "limits": {
- "AWS Organizations/Maximum accounts": {
- "value": 20
- }
 },
 "iam": {
 "users": [
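Review bot: `arn:aws:events:*:*:rule/PBMMAccel-*` only matches rules on the default event bus; a rule on a custom bus has an ARN of the form `rule/<bus-name>/<rule-name>`, so any PBMMAccel rule attached to a custom bus falls outside this deny and could be disabled or deleted by a member principal. If the accelerator creates rules on its own bus, add `"arn:aws:events:*:*:rule/*/PBMMAccel-*"` as a third resource entry. The action list of this statement begins above the hunk, so whether `events:DisableRule` and `events:PutTargets`/`events:RemoveTargets` are covered alongside `events:DeleteRule` is not visible here.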