Minor cleanups (#50)

cloudposse · Apr 15, 2024 · 5bfeb94 · 5bfeb94
1 parent 4bce9de
commit 5bfeb94
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 9 deletions.
diff --git a/catalog/lambda-policies.yaml b/catalog/lambda-policies.yaml
@@ -4,9 +4,9 @@
     - "lambda:CreateFunction"
     - "lambda:UpdateFunctionConfiguration"
   condition:
-    - test: "Bool"
+    - test: "Null"
       variable: "lambda:VpcIds"
       values:
-        - false
+        - true
   resources:
     - "*"
diff --git a/catalog/rds-policies.yaml b/catalog/rds-policies.yaml
@@ -5,7 +5,7 @@
     - "rds:CreateDBInstance"
     - "rds:RestoreDBClusterFromS3"
     - "rds:RestoreDBInstanceFromS3"
-    - "rds:RestoreDBClusterFromDBSnapshot"
+    - "rds:RestoreDBClusterFromSnapshot"
     - "rds:RestoreDBClusterToPointInTime"
   condition:
     - test: "Bool"

diff --git a/catalog/region-restriction-templates/DenyRegions.yaml b/catalog/region-restriction-templates/DenyRegions.yaml
@@ -6,11 +6,12 @@
   effect: "Deny"
   not_actions:
     - "a4b:*"
+    - "account:*"
     - "acm:*"
+    - "artifact:*"
     - "aws-marketplace-management:*"
     - "aws-marketplace:*"
     - "aws-portal:*"
-    - "awsbillingconsole:*"
     - "budgets:*"
     - "ce:*"
     - "chime:*"
@@ -39,6 +40,7 @@
     - "shield:*"
     - "sts:*"
     - "support:*"
+    - "supportplans:*"
     - "trustedadvisor:*"
     - "waf-regional:*"
     - "waf:*"

diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml
@@ -6,11 +6,12 @@
   effect: "Deny"
   not_actions:
     - "a4b:*"
+    - "account:*"
     - "acm:*"
+    - "artifact:*"
     - "aws-marketplace-management:*"
     - "aws-marketplace:*"
     - "aws-portal:*"
-    - "awsbillingconsole:*"
     - "budgets:*"
     - "ce:*"
     - "chime:*"
@@ -39,6 +40,7 @@
     - "shield:*"
     - "sts:*"
     - "support:*"
+    - "supportplans:*"
     - "trustedadvisor:*"
     - "waf-regional:*"
     - "waf:*"

diff --git a/catalog/s3-policies.yaml b/catalog/s3-policies.yaml
@@ -11,7 +11,6 @@
   effect: "Deny"
   actions:
     - "s3:PutBucketPublicAccessBlock"
-    - "s3:DeletePublicAccessBlock"
   resources:
     - "*"
 

diff --git a/catalog/s3-templates/DenyS3InNonSelectedRegion.yaml b/catalog/s3-templates/DenyS3InNonSelectedRegion.yaml
@@ -1,9 +1,10 @@
 # Requires parameter:
 #  - s3_regions_lockdown # Comma separated list of regions or region patterns in which to allow S3 bucket creation
 #
-# NOTE: "us-east-1" is the default region and cannot be specified explicitly.
-#       Therefore, this policy always excludes "us-east-1" from the list of allowed regions,
-#       because for us-east-1, s3:LocationConstraint is empty.
+# NOTE: "us-east-1" is the default region, and is indicated by `s3:LocationConstraint`
+#       being null. We allow "us-east-1" as a value because it is easier and does not
+#       hurt, but it is not effective. We have to test for the presence of the value
+#       (or lack thereof) to manage that region, which we do with a separate test.
 
 - sid: "DenyS3InNonSelectedRegion"
   effect: "Deny"
@@ -17,5 +18,14 @@
       %{ for r in split(",", s3_regions_lockdown) }
         - ${trimspace(r)}
       %{ endfor }
+    # Separate test for us-east-1, which is the default region
+    %{ if contains(split(",", s3_regions_lockdown), "us-east-1") }
+    - test: "Null"
+      variable: "s3:LocationConstraint"
+      # The regions where the creation of buckets will be allowed
+      values:
+        - false
+    %{ endif }
+
   resources:
     - "arn:aws:s3:::*"