From f3b0b009dbbed495a4ae782ce72f55de753b8000 Mon Sep 17 00:00:00 2001
From: Brian969 <56414362+Brian969@users.noreply.github.com>
Date: Sun, 23 Aug 2020 23:26:43 -0400
Subject: [PATCH 1/2] Update SCPs for Standalone Version
---
 .../SCPs/PBMMAccel-Guardrails-Part1.json | 11 ++++---
 .../SCPs/PBMMAccel-Guardrails-Part2.json | 33 +++++++++++++++----
 .../SCPs/Quarantine-Deny-All.json | 19 ----------
 .../SCPs/Quarantine-New-Object.json | 30 ++++++++---------
 ...mandatory-preventive-guardrails-Accel.json | 12 ++++---
 .../config-pbmm-standalone-full.json | 2 --
 .../config-pbmm-standalone-lite.json | 2 --
 reference-artifacts/config.example.json | 2 --
 8 files changed, 55 insertions(+), 56 deletions(-)
 delete mode 100644 reference-artifacts/SCPs/Quarantine-Deny-All.json
diff --git a/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part1.json b/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part1.json
index 6b0a1dceb..1c66bb0a5 100644
--- a/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part1.json
+++ b/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part1.json
@@ -60,6 +60,7 @@
 "s3:PutEncryptionConfiguration",
 "s3:PutLifecycleConfiguration",
 "s3:PutReplicationConfiguration",
+ "s3:PutBucketLogging",
 "s3:PutBucketPolicy",
 "s3:ReplicateDelete",
 "s3:PutObjectRetention",
@@ -76,7 +77,7 @@
 }
 },
 {
- "Sid": "ProtectCloudFormation",
+ "Sid": "DenyCFN",
 "Effect": "Deny",
 "Action": ["cloudformation:*"],
 "Resource": [
@@ -94,7 +95,7 @@
 }
 },
 {
- "Sid": "DenyAlarmDeletion",
+ "Sid": "DenyAlarms",
 "Effect": "Deny",
 "Action": [
 "cloudwatch:DeleteAlarms",
@@ -120,7 +121,7 @@
 }
 },
 {
- "Sid": "ProtectKeyRoles",
+ "Sid": "DenyKeyRoles",
 "Effect": "Deny",
 "Action": ["iam:*"],
 "Resource": [
@@ -194,7 +195,7 @@
 "Resource": "*"
 },
 {
- "Sid": "DenyLambdaDel",
+ "Sid": "DenyLambda",
 "Effect": "Deny",
 "Action": [
 "lambda:AddPermission",
@@ -223,7 +224,7 @@
 }
 },
 {
- "Sid": "BlockOther",
+ "Sid": "DenyOther",
 "Effect": "Deny",
 "Action": [
 "aws-portal:ModifyAccount",
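Review bot: The five Sid renames (`ProtectCloudFormation`→`DenyCFN`, `DenyAlarmDeletion`→`DenyAlarms`, `ProtectKeyRoles`→`DenyKeyRoles`, `DenyLambdaDel`→`DenyLambda`, `BlockOther`→`DenyOther`) drop the qualifier that told a reader what the statement is scoped to, while the Action lists visible in the hunks (`cloudwatch:DeleteAlarms`, `lambda:AddPermission`, …) suggest the statements remain selective, so `DenyAlarms` and `DenyLambda` now read broader than they appear to be. Sid has no effect on SCP evaluation, so the renames are functionally safe, but the IAM policy grammar that SCPs share expects Sids to be unique within a document, so it is worth confirming none of the new names collides with a statement outside these hunks. The one functional change is `s3:PutBucketLogging` in the first hunk; whether it actually protects the logging buckets depends on that statement's Resource and Condition, both of which are outside the hunk. Each statement touched here starts and ends outside its hunk.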
diff --git a/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json b/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json
index aec4f82a2..7271e5190 100644
--- a/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json
+++ b/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json
@@ -24,13 +24,13 @@
 "Sid": "DenyRoot",
 "Effect": "Deny",
 "NotAction": [
- "iam:CreateVirtualMFADevice",
- "iam:EnableMFADevice",
- "iam:GetUser",
- "iam:ListMFADevices",
- "iam:ListVirtualMFADevices",
- "iam:ResyncMFADevice",
- "sts:GetSessionToken"
+ "iam:CreateVirtualMFADevice",
+ "iam:EnableMFADevice",
+ "iam:GetUser",
+ "iam:ListMFADevices",
+ "iam:ListVirtualMFADevices",
+ "iam:ResyncMFADevice",
+ "sts:GetSessionToken"
 ],
 "Resource": "*",
 "Condition": {
@@ -119,6 +119,8 @@
 "guardduty:UpdateDetector",
 "guardduty:UpdateFindingsFeedback",
 "guardduty:UpdatePublishingDestination",
+ "guardduty:UpdateOrganizationConfiguration",
+ "guardduty:DisableOrganizationAdminAccount",
 "guardduty:CreateMembers",
 "guardduty:InviteMembers",
 "securityhub:AcceptInvitation",
@@ -133,6 +135,23 @@
 "securityhub:DisassociateMembers",
 "securityhub:DeleteActionTarget",
 "securityhub:BatchDisableStandards",
+ "securityhub:UpdateSecurityHubConfiguration",
+ "securityhub:UpdateStandardsControl",
+ "macie2:AcceptInvitation",
+ "macie2:CreateInvitations",
+ "macie2:CreateMember",
+ "macie2:DeclineInvitations",
+ "macie2:DeleteInvitations",
+ "macie2:DeleteMember",
+ "macie2:DisableMacie",
+ "macie2:DisableOrganizationAdminAccount",
+ "macie2:DisassociateFromMasterAccount",
+ "macie2:DisassociateMember",
+ "macie2:EnableMacie",
+ "macie2:EnableOrganizationAdminAccount",
+ "macie2:UpdateMacieSession",
+ "macie2:UpdateMemberSession",
+ "macie2:UpdateOrganizationConfiguration",
 "fms:DisassociateAdminAccount",
 "access-analyzer:DeleteAnalyzer",
 "account:EnableRegion",
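Review bot: The macie2 block added in the third hunk denies `macie2:EnableMacie` and `macie2:EnableOrganizationAdminAccount` alongside the disable/disassociate actions, so unless this statement's Condition (outside the hunk) exempts the accelerator's own roles, the deployment that enables Macie in member accounts would be denied by the guardrail it installs; the same question applies to `guardduty:UpdateOrganizationConfiguration` in the second hunk. If blocking self-enablement by account owners is the intent, a sentence in the SCP's accompanying documentation would save the next reader the guess, since the policy JSON cannot carry a comment. The two hunks together add 19 action strings to an already long list, and an SCP document is capped at 5,120 bytes, so the rendered size of Part2 after this change is worth checking. The enclosing statement begins before the second hunk and ends after the third.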
diff --git a/reference-artifacts/SCPs/Quarantine-Deny-All.json b/reference-artifacts/SCPs/Quarantine-Deny-All.json
deleted file mode 100644
index 85a8e2853..000000000
--- a/reference-artifacts/SCPs/Quarantine-Deny-All.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "DenyAllAWSServicesExceptBreakglassRoles",
- "Effect": "Deny",
- "Action": "*",
- "Resource": "*",
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- }
- ]
-}
diff --git a/reference-artifacts/SCPs/Quarantine-New-Object.json b/reference-artifacts/SCPs/Quarantine-New-Object.json
index cb2ff5bce..3900da49b 100644
--- a/reference-artifacts/SCPs/Quarantine-New-Object.json
+++ b/reference-artifacts/SCPs/Quarantine-New-Object.json
@@ -1,20 +1,20 @@
 {
 "Version": "2012-10-17",
 "Statement": [
- {
- "Sid": "DenyAllAWSServicesExceptBreakglassRoles",
- "Effect": "Deny",
- "Action": "*",
- "Resource": "*",
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/aws*",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
+ {
+ "Sid": "DenyAllAWSServicesExceptBreakglassRoles",
+ "Effect": "Deny",
+ "Action": "*",
+ "Resource": "*",
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/aws*",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
 }
+ }
 ]
-}
\ No newline at end of file
+}
diff --git a/reference-artifacts/SCPs/aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json b/reference-artifacts/SCPs/aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json
index 8957abb99..3f999c513 100644
--- a/reference-artifacts/SCPs/aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json
+++ b/reference-artifacts/SCPs/aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json
@@ -15,7 +15,8 @@
 "sns:Unsubscribe"
 ],
 "Resource":[
- "arn:aws:sns:*:*:AWS-Landing-Zone*"
+ "arn:aws:sns:*:*:AWS-Landing-Zone*",
+ "arn:aws:sns:*:*:PBMMAccel-*"
 ],
 "Effect":"Deny",
 "Sid":"GRSNSSUBSCRIPTIONPOLICY"
@@ -36,7 +37,8 @@
 "cloudtrail:UpdateTrail"
 ],
 "Resource":[
- "arn:aws:cloudtrail:*:*:trail/*AWS-Landing-Zone-*"
+ "arn:aws:cloudtrail:*:*:trail/*AWS-Landing-Zone-*",
+ "arn:aws:cloudtrail:*:*:trail/PBMMAccel-*"
 ],
 "Effect":"Deny",
 "Sid":"GRCLOUDTRAILENABLED"
@@ -58,7 +60,8 @@
 "sns:SetTopicAttributes"
 ],
 "Resource":[
- "arn:aws:sns:*:*:AWS-Landing-Zone-*"
+ "arn:aws:sns:*:*:AWS-Landing-Zone-*",
+ "arn:aws:sns:*:*:PBMMAccel-*"
 ],
 "Effect":"Deny",
 "Sid":"GRSNSTOPICPOLICY"
@@ -162,7 +165,8 @@
 "events:DeleteRule"
 ],
 "Resource":[
- "arn:aws:events:*:*:rule/AWS-Landing-Zone-*"
+ "arn:aws:events:*:*:rule/AWS-Landing-Zone-*",
+ "arn:aws:events:*:*:rule/PBMMAccel-*"
 ],
 "Effect":"Deny",
 "Sid":"GRCLOUDWATCHEVENTPOLICY"
diff --git a/reference-artifacts/config-pbmm-standalone-full.json b/reference-artifacts/config-pbmm-standalone-full.json
index eedae9601..f6d429d9a 100644
--- a/reference-artifacts/config-pbmm-standalone-full.json
+++ b/reference-artifacts/config-pbmm-standalone-full.json
@@ -1173,8 +1173,6 @@
 },
 "log-retention": 180,
 "limits": {
- "AWS Organizations/Maximum accounts": {
- "value": 20
 }
 },
 "iam": {
diff --git a/reference-artifacts/config-pbmm-standalone-lite.json b/reference-artifacts/config-pbmm-standalone-lite.json
index 4dea18b0c..7f2ea305e 100644
--- a/reference-artifacts/config-pbmm-standalone-lite.json
+++ b/reference-artifacts/config-pbmm-standalone-lite.json
@@ -1116,8 +1116,6 @@
 },
 "log-retention": 180,
 "limits": {
- "AWS Organizations/Maximum accounts": {
- "value": 20
 }
 },
 "iam": {
diff --git a/reference-artifacts/config.example.json b/reference-artifacts/config.example.json
index 95d0ee63a..b97212df0 100644
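Review bot: The new CloudTrail resource in the second hunk of this file, `arn:aws:cloudtrail:*:*:trail/PBMMAccel-*`, is anchored at the start of the trail name, while the existing entry beside it, `trail/*AWS-Landing-Zone-*`, tolerates a prefix; if the accelerator's trail is created with any stack-derived prefix, the new pattern will not match and `cloudtrail:UpdateTrail` (plus the sibling actions above the hunk) stays allowed on it. Confirm the actual trail name, or mirror the existing form with `"arn:aws:cloudtrail:*:*:trail/*PBMMAccel-*"`. The SNS and EventBridge additions in the other three hunks follow their existing neighbours' form, so only the trail entry differs. Each statement in this file starts and ends outside its hunk.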
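Review bot: Removing `"AWS Organizations/Maximum accounts": {` and its `"value": 20` line in the `config-pbmm-standalone-full.json` hunk leaves the closing `}` of the deleted object behind, so after this hunk the file reads `"limits": { } },` and is no longer valid JSON; the `config-pbmm-standalone-lite.json` hunk below and the `config.example.json` hunk that follows have the same shape. PATCH 2/2 in this series removes the stray brace, so the end state is fine, but the intermediate commit is unparseable, and squashing the two would keep every commit in the history loadable for bisects and cherry-picks. Whether the accelerator's config loader accepts an empty `"limits": {}` object is not visible here and is worth confirming.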
--- a/reference-artifacts/config.example.json
+++ b/reference-artifacts/config.example.json
@@ -1185,8 +1185,6 @@
 },
 "log-retention": 180,
 "limits": {
- "AWS Organizations/Maximum accounts": {
- "value": 20
 }
 },
 "iam": {
From 6ecf401d6de8f3d97021e3146bc216f1eec0b575 Mon Sep 17 00:00:00 2001
From: Brian969 <56414362+Brian969@users.noreply.github.com>
Date: Mon, 24 Aug 2020 07:49:37 -0400
Subject: [PATCH 2/2] typo
---
 reference-artifacts/config-pbmm-standalone-full.json | 1 -
 reference-artifacts/config-pbmm-standalone-lite.json | 1 -
 reference-artifacts/config.example.json | 1 -
 3 files changed, 3 deletions(-)
diff --git a/reference-artifacts/config-pbmm-standalone-full.json b/reference-artifacts/config-pbmm-standalone-full.json
index f6d429d9a..039e9759f 100644
--- a/reference-artifacts/config-pbmm-standalone-full.json
+++ b/reference-artifacts/config-pbmm-standalone-full.json
@@ -1173,7 +1173,6 @@
 },
 "log-retention": 180,
 "limits": {
- }
 },
 "iam": {
 "users": [
diff --git a/reference-artifacts/config-pbmm-standalone-lite.json b/reference-artifacts/config-pbmm-standalone-lite.json
index 7f2ea305e..c15885ddf 100644
--- a/reference-artifacts/config-pbmm-standalone-lite.json
+++ b/reference-artifacts/config-pbmm-standalone-lite.json
@@ -1116,7 +1116,6 @@
 },
 "log-retention": 180,
 "limits": {
- }
 },
 "iam": {
 "users": [
diff --git a/reference-artifacts/config.example.json b/reference-artifacts/config.example.json
index b97212df0..9fb30ad4a 100644
--- a/reference-artifacts/config.example.json
+++ b/reference-artifacts/config.example.json
@@ -1185,7 +1185,6 @@
 },
 "log-retention": 180,
 "limits": {
- }
 },
 "iam": {
 "users": [