├── data_perimeter_implementation_journey.png
├── CODE_OF_CONDUCT.md
├── LICENSE-SUMMARY
├── .github
│   └── workflows
│       ├── main.yml
│       └── repo-sync.yml
├── service_control_policies
│   ├── service_specific_controls
│   │   ├── restrict_presignedURL_scp.json
│   │   ├── restrict_resource_policy_configurations_scp.json
│   │   ├── network_perimeter_lambda_scp.json
│   │   ├── restrict_idp_configurations_scp.json
│   │   ├── network_perimeter_glue_scp.json
│   │   ├── network_perimeter_iam_users_scp.json
│   │   ├── network_perimeter_ec2_scp.json
│   │   ├── restrict_untrusted_endpoints_scp.json
│   │   └── restrict_nonvpc_deployment_scp.json
│   ├── network_perimeter_vpceorgid_scp.json
│   ├── network_perimeter_sourcevpc_scp.json
│   ├── resource_perimeter_scp.json
│   └── data_perimeter_governance_scp.json
├── resource_control_policies
│   ├── data_perimeter_governance_rcp.json
│   ├── network_perimeter_vpceorgid_rcp.json
│   ├── service_specific_controls
│   │   ├── README.md
│   │   ├── sns_topic_policy.json
│   │   └── api_gateway_policy.json
│   ├── network_perimeter_sourcevpc_rcp.json
│   └── identity_perimeter_rcp.json
├── LICENSE-SAMPLECODE
├── vpc_endpoint_policies
│   ├── default_endpoint_policy.json
│   ├── iam_endpoint_policy.json
│   ├── iot_endpoint_policy.json
│   ├── ecr.api_endpoint_policy.json
│   ├── lambda_endpoint_policy.json
│   ├── cloudformation_endpoint_policy.json
│   ├── imagebuilder_endpoint_policy.json
│   ├── ec2_endpoint_policy.json
│   ├── ssm_endpoint_policy.json
│   ├── README.md
│   └── s3_endpoint_policy.json
├── service_specific_guidance
│   ├── sts-specific-guidance.md
│   ├── lexv2-runtime-specific-guidance.md
│   ├── cost-optimization-hub-specific-guidance.md
│   ├── secretsmanager-specific-guidance.md
│   ├── sqs-specific-guidance.md
│   ├── textract-specific-guidance.md
│   ├── amp-specific-guidance.md
│   ├── grafana-specific-guidance.md
│   ├── ssm-incidents-specific-guidance.md
│   ├── accessanalyzer-specific-guidance.md
│   ├── kinesis-specific-guidance.md
│   ├── cloudwatch-specific-guidance.md
│   ├── cloudfront-keyvaluestore-specific-guidance.md
│   ├── artifact-specific-guidance.md
│   ├── README.md
│   ├── eks-specific-guidance.md
│   ├── kafka-specific-guidance.md
│   ├── acm-specific-guidance.md
│   ├── acm-pca-specific-guidance.md
│   ├── schemas-specific-guidance.md
│   ├── backup-specific-guidance.md
│   ├── glacier-specific-guidance.md
│   ├── route53-specific-guidance.md
│   ├── kms-specific-guidance.md
│   ├── emr-serverless-specific-guidance.md
│   ├── ssm-contacts-specific-guidance.md
│   ├── docdb-specific-guidance.md
│   ├── sesv2-specific-guidance.md
│   ├── stepfunctions-specific-guidance.md
│   ├── apprunner-specific-guidance.md
│   ├── codeartifact-specific-guidance.md
│   ├── appsync-specific-guidance.md
│   └── dynamodb-specific-guidance.md
└── CONTRIBUTING.md

/data_perimeter_implementation_journey.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/data-perimeter-policy-examples/HEAD/data_perimeter_implementation_journey.png
--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.

--------------------------------------------------------------------------------
/LICENSE-SUMMARY:
--------------------------------------------------------------------------------
Copyright ${THIS_YEAR} Amazon.com, Inc. or its affiliates. All Rights Reserved.

The documentation is made available under the Creative Commons Attribution-ShareAlike 4.0 International License. See the LICENSE file.

The sample code within this documentation is made available under the MIT-0 license. See the LICENSE-SAMPLECODE file.

--------------------------------------------------------------------------------
/.github/workflows/main.yml:
--------------------------------------------------------------------------------
name: Issue or PR notifier
on:
  issues:
    types: [opened]
  pull_request:
    types: [opened]
jobs:
  run:
    name: Notify IS team of github activity
    runs-on: ubuntu-latest
    steps:
      - name: Draft with these release notes details
        uses: slackapi/slack-github-action@v2.0.0
        with:
          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
          webhook-type: webhook-trigger
          payload: |
            {
              "text": "A new \"${{ github.event_name }}\" has been opened on https://github.com/${{ github.repository }} . Please acknowledge the customer ASAP and :cowboy-ack: this request."
            }
--------------------------------------------------------------------------------
/.github/workflows/repo-sync.yml:
--------------------------------------------------------------------------------
name: Repo Sync

on:
  workflow_dispatch:

jobs:
  repo-sync:
    name: Repo Sync
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: repo-sync/github-sync@v2
        name: Sync repo to branch
        with:
          source_repo: ${{ secrets.SOURCE_REPO }}
          source_branch: main
          destination_branch: ${{ secrets.INTERMEDIATE_BRANCH }}
          github_token: ${{ secrets.REPO_SYNC }}
      - uses: repo-sync/pull-request@v2
        name: Create pull request
        with:
          source_branch: ${{ secrets.INTERMEDIATE_BRANCH }}
          destination_branch: main
          github_token: ${{ secrets.REPO_SYNC }}
--------------------------------------------------------------------------------
/service_control_policies/service_specific_controls/restrict_presignedURL_scp.json:
--------------------------------------------------------------------------------
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PreventCreationOfServicePresignedURL",
            "Effect": "Deny",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "lambda:GetFunction",
                "ssm:GetDeployablePatchSnapshotForInstance",
                "lex:CreateUploadUrl",
                "lex:DescribeExport",
                "serverlessrepo:CreateCloudFormationTemplate",
                "serverlessrepo:GetApplication",
                "serverlessrepo:GetCloudFormationTemplate"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {
                    "aws:PrincipalTag/dp:exclude:network": "true"
                }
            }
        }
    ]
}
--------------------------------------------------------------------------------
/resource_control_policies/data_perimeter_governance_rcp.json:
--------------------------------------------------------------------------------
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectDataPerimeterSessionTags",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "sts:TagSession"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "SAML:aud": "true"
                },
                "StringNotEqualsIfExists": {
                    "aws:PrincipalTag/team": "admin",
                    "aws:PrincipalOrgID": ""
                },
                "ForAnyValue:StringLike": {
                    "aws:TagKeys": [
                        "dp:*",
                        "team"
                    ]
                }
            }
        }
    ]
}
--------------------------------------------------------------------------------
/LICENSE-SAMPLECODE:
--------------------------------------------------------------------------------
Copyright ${THIS_YEAR} Amazon.com, Inc. or its affiliates. All Rights Reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify,
merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

--------------------------------------------------------------------------------
/service_control_policies/service_specific_controls/restrict_resource_policy_configurations_scp.json:
--------------------------------------------------------------------------------
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PreventResourcePolicyConfigurations",
            "Effect": "Deny",
            "Action": [
                "codeartifact:PutRepositoryPermissionsPolicy",
                "codeartifact:PutDomainPermissionsPolicy",
                "codebuild:PutResourcePolicy",
                "dynamodb:PutResourcePolicy",
                "events:PutPermission",
                "glacier:SetVaultAccessPolicy",
                "lambda:AddLayerVersionPermission",
                "lambda:AddPermission",
                "logs:PutResourcePolicy",
                "logs:PutDestinationPolicy",
                "sns:AddPermission",
                "lex:CreateResourcePolicy",
                "lex:UpdateResourcePolicy",
                "schemas:PutResourcePolicy",
                "serverlessrepo:PutApplicationPolicy"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {
                    "aws:PrincipalTag/dp:exclude:identity": "true"
                }
            }
        }
    ]
}
--------------------------------------------------------------------------------
/service_control_policies/service_specific_controls/network_perimeter_lambda_scp.json:
--------------------------------------------------------------------------------
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceNetworkPerimeterOnLambdaRoles",
            "Effect": "Deny",
            "NotAction": [
                "es:ES*",
                "dax:GetItem",
                "dax:BatchGetItem",
                "dax:Query",
                "dax:Scan",
                "dax:PutItem",
                "dax:UpdateItem",
                "dax:DeleteItem",
                "dax:BatchWriteItem",
                "dax:ConditionCheckItem",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "elasticfilesystem:ClientMount",
                "xray:PutTraceSegments"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:ViaAWSService": "false"
                },
                "NotIpAddressIfExists": {
                    "aws:SourceIp": [
                        ""
                    ]
                },
                "StringNotEqualsIfExists": {
                    "aws:PrincipalTag/dp:exclude:network": "true",
                    "aws:VpceOrgID": ""
                },
                "Null": {
                    "lambda:SourceFunctionArn": "false"
                }
            }
        }
    ]
}
--------------------------------------------------------------------------------
/vpc_endpoint_policies/default_endpoint_policy.json:
--------------------------------------------------------------------------------
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "",
                    "aws:ResourceOrgID": ""
                }
            }
        },
        {
            "Sid": "AllowRequestsByAWSServicePrincipals",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:PrincipalIsAWSService": "true"
                }
            }
        },
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "",
                    "aws:PrincipalTag/dp:exclude:resource": "true"
                }
            }
        }
    ]
}
--------------------------------------------------------------------------------
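Every environment-specific value in the templates above (organization ID, VPC endpoint org ID, source IP ranges, account IDs) is shipped as an empty string. That is a deployment hazard rather than a harmless default: a negated "IfExists" condition such as `"aws:VpceOrgID": ""` is satisfied by every request that carries a real VPC endpoint org ID, because no real ID equals the empty string, so an SCP attached with the placeholders still in it would deny traffic through the organization's own endpoints. The following Python is an added example, not code from the aws-samples repository: it fills placeholders from a mapping keyed by condition key and lints the result before deployment. The organization ID, the 203.0.113.0/24 documentation range and the `values` mapping shape are assumptions; the 5,120-character quota is the documented maximum size of an SCP or RCP document.

```python
"""Render a data perimeter policy template and lint it before deployment.

Added example, not part of the aws-samples repository. The template below is
network_perimeter_lambda_scp.json as shipped; the deployment values are assumed.
"""
import copy
import json

# Documented size quota for an SCP or RCP document, in characters.
SCP_RCP_MAX_CHARS = 5120


def _is_placeholder(value):
    """True for "" or for a list that still contains an empty entry."""
    if isinstance(value, str):
        return value == ""
    return isinstance(value, list) and any(v == "" for v in value)


def render(template, values):
    """Return (policy, unresolved).

    Every placeholder under a condition key is replaced with values[key]
    (a string or a list of strings). Keys with no supplied value are reported
    as "Operator/key" instead of being left in the policy. The template itself
    is not modified.
    """
    policy = copy.deepcopy(template)
    unresolved = []
    for stmt in policy["Statement"]:
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, value in pairs.items():
                if not _is_placeholder(value):
                    continue
                if key in values:
                    pairs[key] = values[key]
                else:
                    unresolved.append(f"{operator}/{key}")
    return policy, unresolved


def lint(policy, policy_type):
    """Return the problems that should block deployment of `policy`.

    policy_type is "scp", "rcp" or "vpce" (VPC endpoint policy). SCPs carry no
    Principal element; RCPs and endpoint policies require one, and RCPs only
    support Deny statements.
    """
    problems = []
    _, unresolved = render(policy, {})
    problems += [f"unfilled placeholder {u}" for u in unresolved]
    compact = json.dumps(policy, separators=(",", ":"))
    if policy_type in ("scp", "rcp") and len(compact) > SCP_RCP_MAX_CHARS:
        problems.append(f"policy is {len(compact)} characters, quota is {SCP_RCP_MAX_CHARS}")
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid")
        if policy_type == "rcp" and stmt.get("Effect") != "Deny":
            problems.append(f"RCP statement {sid} must use Effect Deny")
        if policy_type in ("rcp", "vpce") and "Principal" not in stmt:
            problems.append(f"statement {sid} needs a Principal element")
        if policy_type == "scp" and "Principal" in stmt:
            problems.append(f"SCP statement {sid} must not have a Principal element")
    return problems


# network_perimeter_lambda_scp.json from above, exactly as shipped (placeholders empty).
LAMBDA_SCP_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnforceNetworkPerimeterOnLambdaRoles",
        "Effect": "Deny",
        "NotAction": [
            "es:ES*", "dax:GetItem", "dax:BatchGetItem", "dax:Query", "dax:Scan",
            "dax:PutItem", "dax:UpdateItem", "dax:DeleteItem", "dax:BatchWriteItem",
            "dax:ConditionCheckItem", "logs:CreateLogGroup", "logs:CreateLogStream",
            "logs:PutLogEvents", "elasticfilesystem:ClientMount", "xray:PutTraceSegments",
        ],
        "Resource": "*",
        "Condition": {
            "BoolIfExists": {"aws:ViaAWSService": "false"},
            "NotIpAddressIfExists": {"aws:SourceIp": [""]},
            "StringNotEqualsIfExists": {
                "aws:PrincipalTag/dp:exclude:network": "true",
                "aws:VpceOrgID": "",
            },
            "Null": {"lambda:SourceFunctionArn": "false"},
        },
    }],
}

# Assumed deployment values: a documentation IP range and a made-up organization ID.
EXAMPLE_VALUES = {
    "aws:SourceIp": ["203.0.113.0/24"],
    "aws:VpceOrgID": "o-exampleorgid",
}

if __name__ == "__main__":
    print("as shipped:", lint(LAMBDA_SCP_TEMPLATE, "scp"))
    rendered, missing = render(LAMBDA_SCP_TEMPLATE, EXAMPLE_VALUES)
    print("rendered:", lint(rendered, "scp"), missing)
    print(json.dumps(rendered, indent=4))
```

Running it as shipped reports the two unfilled placeholders; after rendering, `lint` returns an empty list and the policy can be attached. Keep the `values` mapping per environment under version control so a re-render after a policy update cannot silently reintroduce an empty string.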
/service_control_policies/service_specific_controls/restrict_idp_configurations_scp.json:
--------------------------------------------------------------------------------
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PreventIdPTrustModifications",
            "Effect": "Deny",
            "Action": [
                "iam:CreateOpenIDConnectProvider",
                "iam:DeleteOpenIDConnectProvider",
                "iam:AddClientIDToOpenIDConnectProvider",
                "iam:RemoveClientIDFromOpenIDConnectProvider",
                "iam:TagOpenIDConnectProvider",
                "iam:UntagOpenIDConnectProvider",
                "iam:UpdateOpenIDConnectProviderThumbprint",
                "iam:CreateSAMLProvider",
                "iam:DeleteSAMLProvider",
                "iam:TagSAMLProvider",
                "iam:UntagSAMLProvider",
                "iam:UpdateSAMLProvider",
                "rolesanywhere:CreateTrustAnchor",
                "rolesanywhere:DeleteTrustAnchor",
                "rolesanywhere:EnableTrustAnchor",
                "rolesanywhere:DisableTrustAnchor",
                "rolesanywhere:UpdateTrustAnchor",
                "rolesanywhere:EnableCrl",
                "rolesanywhere:DeleteCrl",
                "rolesanywhere:DisableCrl",
                "rolesanywhere:ImportCrl",
                "rolesanywhere:UpdateCrl",
                "rolesanywhere:TagResource",
                "rolesanywhere:UntagResource",
                "sso:CreateInstance"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {
                    "aws:PrincipalTag/dp:exclude:identity": "true"
                }
            }
        }
    ]
}
--------------------------------------------------------------------------------
/resource_control_policies/network_perimeter_vpceorgid_rcp.json:
--------------------------------------------------------------------------------
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceNetworkPerimeterVpceOrgID",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:*",
                "kms:*"
            ],
            "Resource": "*",
            "Condition": {
                "NotIpAddressIfExists": {
                    "aws:SourceIp": ""
                },
                "StringNotEqualsIfExists": {
                    "aws:VpceOrgID": "",
                    "aws:PrincipalTag/dp:exclude:network": "true",
                    "aws:PrincipalAccount": [
                        "",
                        ""
                    ],
                    "aws:VpceAccount": [
                        "",
                        ""
                    ],
                    "aws:ResourceTag/dp:exclude:network": "true"
                },
                "BoolIfExists": {
                    "aws:PrincipalIsAWSService": "false",
                    "aws:ViaAWSService": "false"
                },
                "ArnNotLikeIfExists": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::*:role/aws:ec2-infrastructure"
                    ]
                },
                "StringEquals": {
                    "aws:PrincipalTag/dp:include:network": "true"
                }
            }
        }
    ]
}
--------------------------------------------------------------------------------
/service_control_policies/service_specific_controls/network_perimeter_glue_scp.json:
--------------------------------------------------------------------------------
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceNetworkPerimeterOnGlueRoles",
            "Effect": "Deny",
            "NotAction": [
                "es:ES*",
                "dax:GetItem",
                "dax:BatchGetItem",
                "dax:Query",
                "dax:Scan",
                "dax:PutItem",
                "dax:UpdateItem",
                "dax:DeleteItem",
                "dax:BatchWriteItem",
                "dax:ConditionCheckItem",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:ViaAWSService": "false"
                },
                "NotIpAddressIfExists": {
                    "aws:SourceIp": [
                        ""
                    ]
                },
                "StringNotEqualsIfExists": {
                    "aws:PrincipalTag/dp:exclude:network": "true",
                    "aws:SourceVpc": [
                        ""
                    ]
                },
                "Null": {
                    "glue:CredentialIssuingService": "false"
                }
            }
        },
        {
            "Sid": "SourceVPCRegion",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpc": ""
                },
                "StringNotEqualsIfExists": {
                    "aws:RequestedRegion": ""
                }
            }
        }
    ]
}
--------------------------------------------------------------------------------
/service_control_policies/service_specific_controls/network_perimeter_iam_users_scp.json:
--------------------------------------------------------------------------------
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceNetworkPerimeterOnIAMUsers",
            "Effect": "Deny",
            "NotAction": [
                "es:ES*",
                "dax:GetItem",
                "dax:BatchGetItem",
                "dax:Query",
                "dax:Scan",
                "dax:PutItem",
                "dax:UpdateItem",
                "dax:DeleteItem",
                "dax:BatchWriteItem",
                "dax:ConditionCheckItem",
                "neptune-db:*",
                "kafka-cluster:*",
                "elasticfilesystem:client*",
                "rds-db:connect"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:ViaAWSService": "false"
                },
                "NotIpAddressIfExists": {
                    "aws:SourceIp": [
                        ""
                    ]
                },
                "StringNotEqualsIfExists": {
                    "aws:SourceVpc": [
                        ""
                    ]
                },
                "ArnLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::*:user/*"
                    ]
                }
            }
        },
        {
            "Sid": "SourceVPCRegion",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpc": ""
                },
                "StringNotEqualsIfExists": {
                    "aws:RequestedRegion": ""
                }
            }
        }
    ]
}
--------------------------------------------------------------------------------
/vpc_endpoint_policies/iam_endpoint_policy.json:
--------------------------------------------------------------------------------
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "",
                    "aws:ResourceOrgID": ""
                }
            }
        },
        {
            "Sid": "AllowRequestsByAWSServicePrincipals",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:PrincipalIsAWSService": "true"
                }
            }
        },
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToAWSResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:iam::aws:policy/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": ""
                }
            }
        },
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "",
                    "aws:PrincipalTag/dp:exclude:resource": "true"
                }
            }
        }
    ]
}
--------------------------------------------------------------------------------
/vpc_endpoint_policies/iot_endpoint_policy.json:
--------------------------------------------------------------------------------
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "",
                    "aws:ResourceOrgID": ""
                }
            }
        },
        {
            "Sid": "AllowRequestsByAWSServicePrincipals",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:PrincipalIsAWSService": "true"
                }
            }
        },
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToAWSResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:iot:*::jobtemplate/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": ""
                }
            }
        },
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "",
                    "aws:PrincipalTag/dp:exclude:resource": "true"
                }
            }
        }
    ]
}
--------------------------------------------------------------------------------
/service_specific_guidance/sts-specific-guidance.md:
--------------------------------------------------------------------------------
# Service-specific guidance: AWS Security Token Service

This document outlines service-specific guidance for implementing a data perimeter for AWS Security Token Service (AWS STS).

AWS STS is a web service that enables you to request temporary, limited-privilege credentials for users. These temporary security credentials can be used to access AWS services and resources securely. STS is useful for scenarios that require temporary access, such as identity federation, cross-account access, and applications running on EC2 instances that need to access AWS resources.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.

**List of service APIs reviewed against data perimeter control objectives**
* AssumeRole
* GetAccessKeyInfo
* GetCallerIdentity
--------------------------------------------------------------------------------
/vpc_endpoint_policies/ecr.api_endpoint_policy.json:
--------------------------------------------------------------------------------
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "",
                    "aws:ResourceOrgID": ""
                }
            }
        },
        {
            "Sid": "AllowRequestsByAWSServicePrincipals",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:PrincipalIsAWSService": "true"
                }
            }
        },
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToAWSResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "",
                    "aws:PrincipalOrgID": ""
                }
            }
        },
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "",
                    "aws:PrincipalTag/dp:exclude:resource": "true"
                }
            }
        }
    ]
}
--------------------------------------------------------------------------------
/vpc_endpoint_policies/lambda_endpoint_policy.json:
--------------------------------------------------------------------------------
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "",
                    "aws:ResourceOrgID": ""
                }
            }
        },
        {
            "Sid": "AllowRequestsByAWSServicePrincipals",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:PrincipalIsAWSService": "true"
                }
            }
        },
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToAWSResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:lambda:*::layer:*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": ""
                }
            }
        },
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "",
                    "aws:PrincipalTag/dp:exclude:resource": "true"
                }
            }
        }
    ]
}
--------------------------------------------------------------------------------
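The deny-only SCPs and RCPs above and the allow-only VPC endpoint policies are two halves of the same evaluation: a request must not match any Deny statement and, at the endpoint, must match at least one Allow statement. What decides the outcome is the condition semantics: every operator block and every key inside it must hold, a multi-valued key holds when any value matches, the `...IfExists` variants hold when the key is absent from the request, `Null` tests only for presence, and a plain `StringEquals` fails when the key is missing. The following Python is an added example, not code from the aws-samples repository, that evaluates `network_perimeter_vpceorgid_rcp.json` and `default_endpoint_policy.json` against constructed request contexts. The organization ID, the documentation IP ranges, the account IDs and the role ARN are assumptions; only the operators used in this repository's policies are implemented, `Resource` is taken as `*` (as it is in every file here) and `Principal` is not evaluated.

```python
"""Evaluate the repository's policies against a request context (added example)."""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, wanted, ctx):
    """One operator/key pair, with the IAM semantics the policies above rely on."""
    wanted = _as_list(wanted)
    if operator == "Null":  # "true": key must be absent; "false": key must be present
        return (key not in ctx) == (wanted[0] == "true")
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    if key not in ctx:  # only the IfExists variants match a missing key
        return if_exists
    value = ctx[key]
    if base == "StringEquals":
        return value in wanted
    if base == "StringNotEquals":
        return value not in wanted
    if base == "Bool":
        return value.lower() == wanted[0].lower()
    if base in ("ArnLike", "ArnNotLike"):
        hit = any(fnmatch.fnmatchcase(value, pattern) for pattern in wanted)
        return hit if base == "ArnLike" else not hit
    if base in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(value)
        hit = any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in wanted)
        return hit if base == "IpAddress" else not hit
    raise ValueError(f"operator {operator} is not handled by this example")


def _statement_applies(stmt, ctx):
    """Action/NotAction and every condition must match; Resource is taken as "*"."""
    action = ctx["action"].lower()

    def matches(patterns):
        return any(fnmatch.fnmatchcase(action, p.lower()) for p in _as_list(patterns))

    if "Action" in stmt and not matches(stmt["Action"]):
        return False
    if "NotAction" in stmt and matches(stmt["NotAction"]):
        return False
    return all(_condition_matches(op, key, wanted, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, wanted in pairs.items())


def evaluate(policy, ctx):
    """Return "Deny", "Allow" or None when no statement matched. For a deny-only
    SCP or RCP, None means the policy does not block the request; for a VPC
    endpoint policy it is an implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_applies(s, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None


ORG = "o-exampleorgid"           # assumed organization ID
CORP_CIDRS = ["203.0.113.0/24"]  # assumed on-premises range (documentation block)

# network_perimeter_vpceorgid_rcp.json from above with its placeholders filled.
VPCE_ORG_RCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "EnforceNetworkPerimeterVpceOrgID", "Effect": "Deny", "Principal": "*",
    "Action": ["s3:*", "kms:*"], "Resource": "*",
    "Condition": {
        "NotIpAddressIfExists": {"aws:SourceIp": CORP_CIDRS},
        "StringNotEqualsIfExists": {
            "aws:VpceOrgID": ORG,
            "aws:PrincipalTag/dp:exclude:network": "true",
            "aws:PrincipalAccount": ["333333333333"],  # assumed exempt account
            "aws:VpceAccount": ["444444444444"],       # assumed trusted third-party VPCE owner
            "aws:ResourceTag/dp:exclude:network": "true"},
        "BoolIfExists": {"aws:PrincipalIsAWSService": "false", "aws:ViaAWSService": "false"},
        "ArnNotLikeIfExists": {"aws:PrincipalArn": ["arn:aws:iam::*:role/aws:ec2-infrastructure"]},
        "StringEquals": {"aws:PrincipalTag/dp:include:network": "true"}}}]}

# default_endpoint_policy.json from above with its placeholders filled.
DEFAULT_VPCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources", "Effect": "Allow", "Principal": "*",
     "Action": "*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG, "aws:ResourceOrgID": ORG}}},
    {"Sid": "AllowRequestsByAWSServicePrincipals", "Effect": "Allow", "Principal": "*",
     "Action": "*", "Resource": "*", "Condition": {"Bool": {"aws:PrincipalIsAWSService": "true"}}},
    {"Sid": "AllowRequestsByOrgsIdentitiesToAnyResources", "Effect": "Allow", "Principal": "*",
     "Action": "*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG,
                                    "aws:PrincipalTag/dp:exclude:resource": "true"}}}]}

# Constructed request contexts for an opted-in workload role in account 111111111111.
INSIDE = {"action": "s3:GetObject", "aws:PrincipalArn": "arn:aws:iam::111111111111:role/app",
          "aws:PrincipalAccount": "111111111111", "aws:PrincipalOrgID": ORG,
          "aws:PrincipalTag/dp:include:network": "true",
          "aws:VpceOrgID": ORG, "aws:VpceAccount": "111111111111"}
INTERNET = {k: v for k, v in INSIDE.items() if not k.startswith("aws:Vpce")}
INTERNET["aws:SourceIp"] = "198.51.100.7"  # no VPC endpoint, not the corporate range

if __name__ == "__main__":
    cases = {"via org VPC endpoint": INSIDE, "from the internet": INTERNET,
             "on behalf of the principal by an AWS service": {**INTERNET, "aws:ViaAWSService": "true"},
             "role not tagged dp:include:network": {k: v for k, v in INTERNET.items() if "dp:include" not in k}}
    for name, ctx in cases.items():
        print(f"RCP, {name}: {evaluate(VPCE_ORG_RCP, ctx)}")
```

Two things the output makes visible that are easy to miss when reading the JSON: the RCP's `StringEquals` on `aws:PrincipalTag/dp:include:network` makes it opt-in, so a role without that tag is never denied by it, and a request an AWS service makes on the principal's behalf (`aws:ViaAWSService` true) passes regardless of source network. The evaluator does not implement the `ForAnyValue` set operators that `data_perimeter_governance_rcp.json` uses, nor resource matching, so extend it before relying on it for those files.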
/service_specific_guidance/lexv2-runtime-specific-guidance.md:
--------------------------------------------------------------------------------
# Service-specific guidance: Amazon Lex V2 Runtime Service

This document outlines service-specific guidance for implementing a data perimeter for Amazon Lex V2 Runtime Service.

Amazon Lex V2 Runtime Service is a fully managed artificial intelligence (AI) service that enables you to build conversational interfaces into applications using voice and text. It provides the runtime API for Amazon Lex V2, allowing developers to integrate natural language processing capabilities into their applications, chatbots, and interactive voice response systems.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.

**List of service APIs reviewed against data perimeter control objectives**
* DeleteSession
* GetSession
* PutSession
* RecognizeText
* RecognizeUtterance
--------------------------------------------------------------------------------
/vpc_endpoint_policies/cloudformation_endpoint_policy.json:
--------------------------------------------------------------------------------
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "",
                    "aws:ResourceOrgID": ""
                }
            }
        },
        {
            "Sid": "AllowRequestsByAWSServicePrincipals",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:PrincipalIsAWSService": "true"
                }
            }
        },
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToAWSResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "cloudformation:CreateChangeSet"
            ],
            "Resource": [
                "arn:aws:cloudformation::aws:transform/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": ""
                }
            }
        },
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "",
                    "aws:PrincipalTag/dp:exclude:resource": "true"
                }
            }
        }
    ]
}
--------------------------------------------------------------------------------
/service_control_policies/service_specific_controls/network_perimeter_ec2_scp.json:
--------------------------------------------------------------------------------
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceNetworkPerimeterOnEC2Roles",
            "Effect": "Deny",
            "NotAction": [
                "es:ES*",
                "dax:GetItem",
                "dax:BatchGetItem",
                "dax:Query",
                "dax:Scan",
                "dax:PutItem",
                "dax:UpdateItem",
                "dax:DeleteItem",
                "dax:BatchWriteItem",
                "dax:ConditionCheckItem",
                "neptune-db:*",
                "kafka-cluster:*",
                "elasticfilesystem:client*",
                "rds-db:connect"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:ViaAWSService": "false"
                },
                "NotIpAddressIfExists": {
                    "aws:SourceIp": [
                        ""
                    ]
                },
                "StringNotEqualsIfExists": {
                    "aws:PrincipalTag/dp:exclude:network": "true",
                    "aws:SourceVpc": [
                        ""
                    ]
                },
                "ArnNotLikeIfExists": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::*:role/aws:ec2-infrastructure"
                    ]
                },
                "Null": {
                    "ec2:SourceInstanceARN": "false"
                }
            }
        },
        {
            "Sid": "SourceVPCRegion",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpc": ""
                },
                "StringNotEqualsIfExists": {
                    "aws:RequestedRegion": ""
                }
            }
        }
    ]
}
--------------------------------------------------------------------------------
/service_specific_guidance/cost-optimization-hub-specific-guidance.md:
--------------------------------------------------------------------------------
# Service-specific guidance: AWS Cost Optimization Hub

This document outlines service-specific guidance for implementing a data perimeter for AWS Cost Optimization Hub.

AWS Cost Optimization Hub is a centralized service that helps customers identify and implement cost-saving opportunities across their AWS environments. It provides recommendations, insights, and tools to optimize resource usage, reduce waste, and improve overall cost efficiency. The service analyzes your AWS usage patterns and suggests actionable steps to lower your AWS bill while maintaining performance and reliability.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.

**List of service APIs reviewed against data perimeter control objectives**
* GetPreferences
* GetRecommendation
* ListEnrollmentStatuses
* ListRecommendations
* ListRecommendationSummaries
* UpdateEnrollmentStatus
* UpdatePreferences
--------------------------------------------------------------------------------
/vpc_endpoint_policies/imagebuilder_endpoint_policy.json:
--------------------------------------------------------------------------------
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "",
                    "aws:ResourceOrgID": ""
                }
            }
        },
        {
            "Sid": "AllowRequestsByAWSServicePrincipals",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:PrincipalIsAWSService": "true"
                }
            }
        },
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToAWSResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "imagebuilder:GetComponent",
                "imagebuilder:GetImage"
            ],
            "Resource": [
                "arn:aws:imagebuilder::aws:component/*",
                "arn:aws:imagebuilder::aws:image/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": ""
                }
            }
        },
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "",
                    "aws:PrincipalTag/dp:exclude:resource": "true"
                }
            }
        }
    ]
}
--------------------------------------------------------------------------------
/vpc_endpoint_policies/ec2_endpoint_policy.json:
--------------------------------------------------------------------------------

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "",
          "aws:ResourceOrgID": ""
        }
      }
    },
    {
      "Sid": "AllowRequestsByAWSServicePrincipals",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        }
      }
    },
    {
      "Sid": "AllowRequestsByOrgsIdentitiesToAWSResources",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateReplaceRootVolumeTask",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:GetManagedPrefixListEntries"
      ],
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:aws:prefix-list/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": ""
        }
      }
    },
    {
      "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "",
          "aws:PrincipalTag/dp:exclude:resource": "true"
        }
      }
    }
  ]
}
```

--------------------------------------------------------------------------------
/service_control_policies/network_perimeter_vpceorgid_scp.json:
--------------------------------------------------------------------------------

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceNetworkPerimeterVpceOrgID",
      "Effect": "Deny",
      "Action": [
        "acm-pca:*",
        "applicationinsights:*",
        "apprunner:*",
        "athena:*",
        "cloudformation:*",
        "comprehendmedical:*",
        "compute-optimizer:*",
        "datasync:*",
        "discovery:*",
        "ebs:*",
        "firehose:*",
        "healthlake:*",
        "iotfleetwise:*",
        "iotwireless:*",
        "kms:*",
        "lambda:*",
        "medical-imaging:*",
        "omics:*",
        "payment-cryptography:*",
        "polly:*",
        "rbin:*",
        "rekognition:*",
        "s3:*",
        "scheduler:*",
        "servicediscovery:*",
        "servicequotas:*",
        "ssm-contacts:*",
        "storagegateway:*",
        "textract:*",
        "transcribe:*",
        "transfer:*"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        },
        "NotIpAddressIfExists": {
          "aws:SourceIp": [
            ""
          ]
        },
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude:network": "true",
          "aws:VpceOrgID": "",
          "aws:VpceAccount": [
            "",
            ""
          ]
        },
        "ArnNotLikeIfExists": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/aws:ec2-infrastructure"
          ]
        },
        "StringEquals": {
          "aws:PrincipalTag/dp:include:network": "true"
        }
      }
    }
  ]
}
```

--------------------------------------------------------------------------------
/service_specific_guidance/secretsmanager-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: AWS Secrets Manager

This document outlines service-specific guidance for implementing a data perimeter for AWS Secrets Manager.

AWS Secrets Manager is a service that helps you protect access to your applications, services, and IT resources. It enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Secrets Manager allows you to replace hardcoded credentials in your code with an API call to Secrets Manager to retrieve the secret programmatically.
The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|---------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.

**List of service APIs reviewed against data perimeter control objectives**

* BatchGetSecretValue
* CancelRotateSecret
* CreateSecret
* DeleteResourcePolicy
* DeleteSecret
* DescribeSecret
* GetRandomPassword
* GetResourcePolicy
* GetSecretValue
* ListSecretVersionIds
* ListSecrets
* PutResourcePolicy
* PutSecretValue
* RemoveRegionsFromReplication
* ReplicateSecretToRegions
* RestoreSecret
* RotateSecret
* TagResource
* UntagResource
* UpdateSecret
* ValidateResourcePolicy

--------------------------------------------------------------------------------
/vpc_endpoint_policies/ssm_endpoint_policy.json:
--------------------------------------------------------------------------------

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "",
          "aws:ResourceOrgID": ""
        }
      }
    },
    {
      "Sid": "AllowRequestsByAWSServicePrincipals",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        }
      }
    },
    {
      "Sid": "AllowRequestsByOrgsIdentitiesToAWSResources",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ssm:Describe*",
        "ssm:List*",
        "ssm:Get*",
        "ssm:SendCommand",
        "ssm:CreateAssociation",
        "ssm:StartSession",
        "ssm:StartChangeRequestExecution",
        "ssm:StartAutomationExecution"
      ],
      "Resource": [
        "arn:aws:ssm:::parameter/aws/*",
        "arn:aws:ssm:::document/*",
        "arn:aws:ssm:*::automation-definition/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": ""
        }
      }
    },
    {
      "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "",
          "aws:PrincipalTag/dp:exclude:resource": "true"
        }
      }
    }
  ]
}
```

--------------------------------------------------------------------------------
/service_specific_guidance/sqs-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: Amazon Simple Queue Service

This document outlines service-specific guidance for implementing a data perimeter for Amazon Simple Queue Service (SQS).

Amazon SQS is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS offers two types of message queues: standard queues for maximum throughput and at-least-once delivery, and FIFO queues for exactly-once processing and strict message ordering. It allows you to send, store, and receive messages between software components without losing messages or requiring other services to be available.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.
| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|---------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.

**List of service APIs reviewed against data perimeter control objectives**

* AddPermission
* ChangeMessageVisibility
* ChangeMessageVisibilityBatch
* CreateQueue
* DeleteMessage
* DeleteMessageBatch
* DeleteQueue
* GetQueueAttributes
* GetQueueUrl
* ListDeadLetterSourceQueues
* ListMessageMoveTasks
* ListQueueTags
* ListQueues
* PurgeQueue
* ReceiveMessage
* RemovePermission
* SendMessage
* SendMessageBatch
* SetQueueAttributes
* StartMessageMoveTask
* TagQueue
* UntagQueue

--------------------------------------------------------------------------------
/service_specific_guidance/textract-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: Amazon Textract

This document outlines service-specific guidance for implementing a data perimeter for Amazon Textract.

Amazon Textract is a machine learning service that automatically extracts text, handwriting, and data from scanned documents. It goes beyond simple optical character recognition (OCR) to identify, understand, and extract data from forms and tables. Textract enables you to quickly automate document processing workflows, making it easier to process applications, claims, and other structured documents.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|---------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.
**List of service APIs reviewed against data perimeter control objectives**

* AnalyzeDocument
* AnalyzeExpense
* AnalyzeID
* CreateAdapter
* CreateAdapterVersion
* DeleteAdapter
* DeleteAdapterVersion
* DetectDocumentText
* GetAdapter
* GetAdapterVersion
* GetDocumentAnalysis
* GetDocumentTextDetection
* GetExpenseAnalysis
* GetLendingAnalysis
* GetLendingAnalysisSummary
* ListAdapterVersions
* ListAdapters
* ListTagsForResource
* StartDocumentAnalysis
* StartDocumentTextDetection
* StartExpenseAnalysis
* StartLendingAnalysis
* TagResource
* UntagResource
* UpdateAdapter

--------------------------------------------------------------------------------
/service_control_policies/network_perimeter_sourcevpc_scp.json:
--------------------------------------------------------------------------------

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceNetworkPerimeterSourceVPC",
      "Effect": "Deny",
      "NotAction": [
        "es:ES*",
        "dax:GetItem",
        "dax:BatchGetItem",
        "dax:Query",
        "dax:Scan",
        "dax:PutItem",
        "dax:UpdateItem",
        "dax:DeleteItem",
        "dax:BatchWriteItem",
        "dax:ConditionCheckItem",
        "neptune-db:*",
        "kafka-cluster:*",
        "elasticfilesystem:client*",
        "rds-db:connect",
        "s3-outposts:*"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        },
        "NotIpAddressIfExists": {
          "aws:SourceIp": [
            ""
          ]
        },
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude:network": "true",
          "aws:SourceVpc": [
            ""
          ]
        },
        "ArnNotLikeIfExists": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/aws:ec2-infrastructure"
          ]
        },
        "StringEquals": {
          "aws:PrincipalTag/dp:include:network": "true"
        }
      }
    },
    {
      "Sid": "SourceVPCRegion",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": ""
        },
        "StringNotEqualsIfExists": {
          "aws:RequestedRegion": ""
        }
      }
    },
    {
      "Sid": "SourceVPCRegion2",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": ""
        },
        "StringNotEqualsIfExists": {
          "aws:RequestedRegion": ""
        }
      }
    }
  ]
}
```

--------------------------------------------------------------------------------
/service_specific_guidance/amp-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: Amazon Managed Service for Prometheus

This document outlines service-specific guidance for implementing a data perimeter for Amazon Managed Service for Prometheus.

Amazon Managed Service for Prometheus is a fully managed monitoring service that makes it easy to monitor containerized applications and infrastructure at scale. It provides a highly available, secure, and managed environment for Prometheus, an open-source monitoring and alerting tool, allowing users to collect, store, and analyze metrics from their applications and infrastructure without the need to manage the underlying infrastructure.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.
| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|---------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.

**List of service APIs reviewed against data perimeter control objectives**

* CreateLoggingConfiguration
* CreateRuleGroupsNamespace
* CreateScraper
* CreateWorkspace
* DeleteLoggingConfiguration
* DeleteRuleGroupsNamespace
* DeleteScraper
* DeleteWorkspace
* DescribeLoggingConfiguration
* DescribeRuleGroupsNamespace
* DescribeScraper
* DescribeWorkspace
* GetDefaultScraperConfiguration
* ListRuleGroupsNamespaces
* ListScrapers
* ListTagsForResource
* ListWorkspaces
* PutRuleGroupsNamespace
* TagResource
* UntagResource
* UpdateLoggingConfiguration
* UpdateWorkspaceAlias

--------------------------------------------------------------------------------
/service_specific_guidance/grafana-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: Amazon Managed Grafana

This document outlines service-specific guidance for implementing a data perimeter for Amazon Managed Grafana.

Amazon Managed Grafana is a fully managed service that makes it easy to deploy, operate, and scale Grafana, an open-source analytics and monitoring platform. It allows users to create, explore, and share observability dashboards to visualize and analyze metrics, logs, and traces from various data sources across their applications and infrastructure.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|---------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.

**List of service APIs reviewed against data perimeter control objectives**

* CreateWorkspace
* CreateWorkspaceApiKey
* CreateWorkspaceServiceAccount
* CreateWorkspaceServiceAccountToken
* DeleteWorkspace
* DeleteWorkspaceApiKey
* DeleteWorkspaceServiceAccount
* DeleteWorkspaceServiceAccountToken
* DescribeWorkspace
* DescribeWorkspaceAuthentication
* DescribeWorkspaceConfiguration
* DisassociateLicense
* ListPermissions
* ListTagsForResource
* ListVersions
* ListWorkspaceServiceAccountTokens
* ListWorkspaceServiceAccounts
* ListWorkspaces
* TagResource
* UntagResource
* UpdatePermissions
* UpdateWorkspace
* UpdateWorkspaceAuthentication
* UpdateWorkspaceConfiguration

--------------------------------------------------------------------------------
/service_specific_guidance/ssm-incidents-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: AWS Systems Manager Incident Manager

This document outlines service-specific guidance for implementing a data perimeter for AWS Systems Manager Incident Manager.

AWS Systems Manager Incident Manager is a service that helps you manage, respond to, and resolve operational incidents in your AWS environment. It provides automated incident response, collaboration tools, and post-incident analysis capabilities to help teams quickly mitigate and learn from operational issues, reducing mean time to resolution (MTTR) and improving overall system reliability.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.
| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|---------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.

**List of service APIs reviewed against data perimeter control objectives**

* CreateResponsePlan
* CreateTimelineEvent
* DeleteIncidentRecord
* DeleteResourcePolicy
* DeleteResponsePlan
* DeleteTimelineEvent
* GetIncidentRecord
* GetReplicationSet
* GetResourcePolicies
* GetResponsePlan
* GetTimelineEvent
* ListIncidentFindings
* ListIncidentRecords
* ListRelatedItems
* ListReplicationSets
* ListResponsePlans
* ListTagsForResource
* ListTimelineEvents
* PutResourcePolicy
* StartIncident
* TagResource
* UntagResource
* UpdateDeletionProtection
* UpdateIncidentRecord
* UpdateRelatedItems
* UpdateResponsePlan
* UpdateTimelineEvent

--------------------------------------------------------------------------------
/resource_control_policies/service_specific_controls/README.md:
--------------------------------------------------------------------------------

# Examples of service-specific controls

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0

## Description

This folder contains examples of resource-based policies that enforce identity and network perimeter controls for services that are currently not supported by resource control policies (RCPs):

* [api_gateway_policy](api_gateway_policy.json) - Enforces identity and network perimeter controls on [Amazon API Gateway](https://aws.amazon.com/api-gateway/) resources.
* [sns_topic_policy](sns_topic_policy.json) - Enforces identity and network perimeter controls on [Amazon Simple Notification Service (Amazon SNS)](https://aws.amazon.com/sns/) resources.

Because developers will be creating resources such as Amazon SNS topics on a regular basis, you might need to implement automation to enforce identity and network perimeter controls when those resources are created or their policies are changed. One option is to use custom [AWS Config rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html). Alternatively, you can choose to enforce resource deployment through [AWS Service Catalog](https://aws.amazon.com/servicecatalog/?aws-service-catalog.sort-by=item.additionalFields.createdDate&aws-service-catalog.sort-order=desc) or a CI/CD pipeline. With the AWS Service Catalog approach, you can have identity and network perimeter controls built into the centrally controlled products that are made available to developers to deploy within their accounts. With the CI/CD pipeline approach, the pipeline can have built-in compliance checks that enforce identity and network perimeter controls during the deployment. If you are deploying resources with your CI/CD pipeline by using [AWS CloudFormation](https://aws.amazon.com/cloudformation/), see the blog post [Proactively keep resources secure and compliant with AWS CloudFormation Hooks](https://aws.amazon.com/blogs/mt/proactively-keep-resources-secure-and-compliant-with-aws-cloudformation-hooks/).

Note that the policy examples in this folder do not represent a complete list of valid data access patterns; you are expected to tailor and extend them to suit the needs of your environment. Additionally, these examples do not grant any permissions; they only restrict access by explicitly denying specific data access patterns. You still have to grant appropriate permissions with explicit `Allow` statements in identity-based or resource-based policies.

--------------------------------------------------------------------------------
/service_specific_guidance/accessanalyzer-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: AWS Identity and Access Management Access Analyzer

This document outlines service-specific guidance for implementing a data perimeter for AWS Identity and Access Management Access Analyzer.

IAM Access Analyzer helps you to set, verify, and refine your IAM policies by providing a suite of capabilities. Its features include findings for external and unused access, basic and custom policy checks for validating policies, and policy generation to generate fine-grained policies.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.
11 | 12 | | Perimeter type | Security objective | Applied on | Policy type | Additional considerations | 13 | |----------------|-------------------|------------|-------------|------------------------| 14 | | Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N | 15 | | Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N | 16 | | Resource perimeter | My identities can access only trusted resources | Identity | SCP | N | 17 | | Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N | 18 | | Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N | 19 | | Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N | 20 | 21 | *Y – Additional considerations apply. N – No additional considerations apply. 22 | 23 | 24 | 25 | **List of service APIs reviewed against data perimeter control objectives** 26 | 27 | * ApplyArchiveRule 28 | * CancelPolicyGeneration 29 | * CheckAccessNotGranted 30 | * CheckNoNewAccess 31 | * CheckNoPublicAccess 32 | * CreateAccessPreview 33 | * CreateAnalyzer 34 | * CreateArchiveRule 35 | * DeleteAnalyzer 36 | * DeleteArchiveRule 37 | * GenerateFindingRecommendation 38 | * GetAccessPreview 39 | * GetAnalyzedResource 40 | * GetAnalyzer 41 | * GetArchiveRule 42 | * GetFinding 43 | * GetFindingV2 44 | * GetGeneratedPolicy 45 | * ListAccessPreviewFindings 46 | * ListAccessPreviews 47 | * ListAnalyzedResources 48 | * ListAnalyzers 49 | * ListArchiveRules 50 | * ListFindings 51 | * ListFindingsV2 52 | * ListPolicyGenerations 53 | * ListTagsForResource 54 | * StartPolicyGeneration 55 | * StartResourceScan 56 | * TagResource 57 | * UntagResource 58 | * UpdateArchiveRule 59 | * UpdateFindings 60 | * ValidatePolicy 61 | 62 | 63 | 64 | -------------------------------------------------------------------------------- 
/service_specific_guidance/kinesis-specific-guidance.md: -------------------------------------------------------------------------------- 1 | # Service-specific guidance: Amazon Kinesis 2 | 3 | 4 | This document outlines service-specific guidance for implementing a data perimeter for Amazon Kinesis. 5 | 6 | 7 | Amazon Kinesis is a managed service that enables real-time processing and analysis of streaming data at scale. It allows you to collect, process, and analyze large volumes of data from various sources such as IoT devices, logs, and social media feeds in near real-time. Kinesis provides multiple capabilities including data streams, data firehose, and data analytics, making it easier for developers to build applications that can react to incoming data quickly and efficiently. 8 | 9 | 10 | The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any. 11 | 12 | | Perimeter type | Security objective | Applied on | Policy type | Additional considerations | 13 | |----------------|-------------------|------------|-------------|------------------------| 14 | | Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N | 15 | | Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N | 16 | | Resource perimeter | My identities can access only trusted resources | Identity | SCP | N | 17 | | Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N | 18 | | Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N | 19 | | Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N | 20 | 21 | *Y – Additional considerations apply. N – No additional considerations apply. 

**List of service APIs reviewed against data perimeter control objectives**
* AddTagsToStream
* CreateStream
* DecreaseStreamRetentionPeriod
* DeleteResourcePolicy
* DeleteStream
* DeregisterStreamConsumer
* DescribeLimits
* DescribeStream
* DescribeStreamConsumer
* DescribeStreamSummary
* DisableEnhancedMonitoring
* EnableEnhancedMonitoring
* GetRecords
* GetResourcePolicy
* GetShardIterator
* IncreaseStreamRetentionPeriod
* ListShards
* ListStreamConsumers
* ListStreams
* ListTagsForStream
* PutRecord
* PutRecords
* PutResourcePolicy
* RegisterStreamConsumer
* RemoveTagsFromStream
* SplitShard
* StartStreamEncryption
* StopStreamEncryption
* SubscribeToShard
* UpdateShardCount
* UpdateStreamMode

--------------------------------------------------------------------------------
/resource_control_policies/network_perimeter_sourcevpc_rcp.json:
--------------------------------------------------------------------------------

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceNetworkPerimeterSourceVPC",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "sqs:*",
        "secretsmanager:*",
        "sts:AssumeRole",
        "sts:DecodeAuthorizationMessage",
        "sts:GetAccessKeyInfo",
        "sts:GetFederationToken",
        "sts:GetServiceBearerToken",
        "sts:GetSessionToken",
        "sts:SetContext",
        "aoss:*",
        "ecr:*"
      ],
      "Resource": "*",
      "Condition": {
        "NotIpAddressIfExists": {
          "aws:SourceIp": ""
        },
        "StringNotEqualsIfExists": {
          "aws:SourceVpc": "",
          "aws:PrincipalTag/dp:exclude:network": "true",
          "aws:PrincipalAccount": [
            "",
            "",
            "",
            ""
          ],
          "aws:ResourceTag/dp:exclude:network": "true"
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false",
          "aws:ViaAWSService": "false"
        },
        "ArnNotLikeIfExists": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/aws:ec2-infrastructure"
          ]
        },
        "StringEquals": {
          "aws:PrincipalTag/dp:include:network": "true"
        }
      }
    },
    {
      "Sid": "SourceVPCRegion",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": ""
        },
        "StringNotEqualsIfExists": {
          "aws:RequestedRegion": ""
        }
      }
    },
    {
      "Sid": "SourceVPCRegion2",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": ""
        },
        "StringNotEqualsIfExists": {
          "aws:RequestedRegion": ""
        }
      }
    }
  ]
}
```

--------------------------------------------------------------------------------
/service_specific_guidance/cloudwatch-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: Amazon CloudWatch

This document outlines service-specific guidance for implementing a data perimeter for Amazon CloudWatch.

Amazon CloudWatch is a monitoring and observability service that provides real-time insights into AWS resources, applications, and services. It collects and tracks metrics, logs, and events, allowing users to set alarms, visualize data with automated dashboards, and take automated actions based on predefined thresholds. CloudWatch enables AWS customers to gain system-wide visibility, optimize resource utilization, and respond quickly to operational issues.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.

**List of service APIs reviewed against data perimeter control objectives**
* DeleteAlarms
* DeleteAnomalyDetector
* DeleteDashboards
* DeleteInsightRules
* DeleteMetricStream
* DescribeAlarmHistory
* DescribeAlarms
* DescribeAlarmsForMetric
* DescribeAnomalyDetectors
* DescribeInsightRules
* DisableAlarmActions
* DisableInsightRules
* EnableAlarmActions
* EnableInsightRules
* GetDashboard
* GetInsightRuleReport
* GetMetricData
* GetMetricStatistics
* GetMetricStream
* GetMetricWidgetImage
* ListDashboards
* ListManagedInsightRules
* ListMetrics
* ListMetricStreams
* ListTagsForResource
* PutAnomalyDetector
* PutCompositeAlarm
* PutDashboard
* PutInsightRule
* PutManagedInsightRules
* PutMetricAlarm
* PutMetricData
* PutMetricStream
* SetAlarmState
* StartMetricStreams
* StopMetricStreams
* TagResource
* UntagResource

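The `EnforceNetworkPerimeterSourceVPC` statement in `network_perimeter_sourcevpc_rcp.json` above (the same statement shape is reused in the SNS topic policy and API Gateway policy that follow) combines several `...IfExists` operators with one plain `StringEquals`, and how those operators interact decides who is actually denied. The following is an added example, not code from the aws-samples repository: a small evaluator that approximates IAM condition semantics for exactly the operators the statement uses (an absent key satisfies an `IfExists` operator and fails a plain one; for a negated operator with several values the request value must match none of them; ARN wildcards match per colon-delimited component). The VPC id, corporate CIDR and account ids are constructed placeholders for the empty strings in the policy; the accounts listed under `aws:PrincipalAccount` are the ones the statement exempts, since it denies only principals from other accounts.

```python
"""Added example (not part of the aws-samples/data-perimeter-policy-examples
repository): a minimal evaluator for the EnforceNetworkPerimeterSourceVPC
statement of network_perimeter_sourcevpc_rcp.json, approximating IAM condition
semantics for the operators that statement uses. VPC id, CIDR and account ids are
constructed placeholders for the empty strings in the policy."""
import fnmatch
import ipaddress

EXPECTED_VPC = "vpc-0123456789abcdef0"               # constructed placeholder
CORPORATE_CIDR = "203.0.113.0/24"                    # constructed placeholder
EXEMPT_ACCOUNTS = ["333333333333", "444444444444"]   # constructed: the deny applies only to other accounts

# Action list and Condition block of the first statement, placeholders filled in.
ACTIONS = ["sqs:*", "secretsmanager:*", "sts:AssumeRole", "sts:DecodeAuthorizationMessage",
           "sts:GetAccessKeyInfo", "sts:GetFederationToken", "sts:GetServiceBearerToken",
           "sts:GetSessionToken", "sts:SetContext", "aoss:*", "ecr:*"]
CONDITION = {
    "NotIpAddressIfExists": {"aws:SourceIp": CORPORATE_CIDR},
    "StringNotEqualsIfExists": {
        "aws:SourceVpc": EXPECTED_VPC,
        "aws:PrincipalTag/dp:exclude:network": "true",
        "aws:PrincipalAccount": EXEMPT_ACCOUNTS,
        "aws:ResourceTag/dp:exclude:network": "true",
    },
    "BoolIfExists": {"aws:PrincipalIsAWSService": "false", "aws:ViaAWSService": "false"},
    "ArnNotLikeIfExists": {"aws:PrincipalArn": ["arn:aws:iam::*:role/aws:ec2-infrastructure"]},
    "StringEquals": {"aws:PrincipalTag/dp:include:network": "true"},
}


def _arn_like(actual, pattern):
    # ARN wildcards (* and ?) match within each of the six colon-delimited components.
    a, p = actual.split(":", 5), pattern.split(":", 5)
    return len(a) == len(p) and all(fnmatch.fnmatchcase(x, y) for x, y in zip(a, p))


def _match_one(op, actual, expected):
    """Single-value test for the operators the statement uses (op without IfExists)."""
    if op == "StringEquals":
        return actual == expected
    if op == "StringNotEquals":
        return actual != expected
    if op == "Bool":
        return actual.lower() == expected.lower()
    if op == "ArnNotLike":
        return not _arn_like(actual, expected)
    if op == "NotIpAddress":
        return ipaddress.ip_address(actual) not in ipaddress.ip_network(expected, strict=False)
    raise ValueError(f"operator not modelled: {op}")


def condition_matches(condition, context):
    """True when every operator/key pair is satisfied. context maps a condition key
    to its string value; a key missing from context is absent from the request."""
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        op = operator[: -len("IfExists")] if if_exists else operator
        negated = op.startswith(("StringNot", "ArnNot", "NotIp"))
        for key, expected in keys.items():
            if key not in context:
                if if_exists:
                    continue        # ...IfExists treats an absent key as satisfied
                return False        # a plain operator never matches an absent key
            values = expected if isinstance(expected, list) else [expected]
            results = [_match_one(op, context[key], v) for v in values]
            # Several values: positive operators need any match, negated ones need none.
            if not (all(results) if negated else any(results)):
                return False
    return True


def action_in_scope(action):
    return any(fnmatch.fnmatchcase(action, pattern) for pattern in ACTIONS)


def is_denied(action, context):
    """Does the EnforceNetworkPerimeterSourceVPC Deny statement match this request?"""
    return action_in_scope(action) and condition_matches(CONDITION, context)


if __name__ == "__main__":
    tagged = {"aws:PrincipalAccount": "111111111111",
              "aws:PrincipalArn": "arn:aws:iam::111111111111:role/app",
              "aws:PrincipalTag/dp:include:network": "true"}
    print(is_denied("secretsmanager:GetSecretValue", {**tagged, "aws:SourceVpc": EXPECTED_VPC}))
    print(is_denied("secretsmanager:GetSecretValue", {**tagged, "aws:SourceIp": "198.51.100.7"}))
```

Running the block shows the two cases side by side: the same tagged role is allowed through from the expected VPC and denied from an unexpected public address. Removing the `dp:include:network` tag makes the plain `StringEquals` fail on the absent key, so the statement no longer matches at all; that is the rollout gate the policy builds in. The evaluator covers only the first statement; the `SourceVPCRegion` statements, service-originated calls (`aws:ViaAWSService`) and the exempted `aws:ec2-infrastructure` role are worth checking the same way before the policy is attached.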
--------------------------------------------------------------------------------
/resource_control_policies/service_specific_controls/sns_topic_policy.json:
--------------------------------------------------------------------------------

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceIdentityPerimeter",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "sns:GetTopicAttributes",
        "sns:SetTopicAttributes",
        "sns:AddPermission",
        "sns:RemovePermission",
        "sns:DeleteTopic",
        "sns:Subscribe",
        "sns:ListSubscriptionsByTopic",
        "sns:Publish"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "",
          "aws:PrincipalAccount": [
            "",
            ""
          ]
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    },
    {
      "Sid": "EnforceNetworkPerimeterSourceVPC",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "sns:GetTopicAttributes",
        "sns:SetTopicAttributes",
        "sns:AddPermission",
        "sns:RemovePermission",
        "sns:DeleteTopic",
        "sns:Subscribe",
        "sns:ListSubscriptionsByTopic",
        "sns:Publish"
      ],
      "Resource": "*",
      "Condition": {
        "NotIpAddressIfExists": {
          "aws:SourceIp": ""
        },
        "StringNotEqualsIfExists": {
          "aws:SourceVpc": "",
          "aws:PrincipalTag/dp:exclude:network": "true",
          "aws:PrincipalAccount": [
            "",
            ""
          ]
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false",
          "aws:ViaAWSService": "false"
        },
        "ArnNotLikeIfExists": {
          "aws:PrincipalArn": "arn:aws:iam:::role/aws-service-role/*"
        },
        "StringEquals": {
          "aws:PrincipalTag/dp:include:network": "true"
        }
      }
    },
    {
      "Sid": "SourceVPCRegion",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": ""
        },
        "StringNotEqualsIfExists": {
          "aws:RequestedRegion": ""
        }
      }
    }
  ]
}
```

--------------------------------------------------------------------------------
/resource_control_policies/service_specific_controls/api_gateway_policy.json:
--------------------------------------------------------------------------------

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceIdentityPerimeter",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "",
          "aws:PrincipalAccount": [
            "",
            ""
          ]
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    },
    {
      "Sid": "EnforceConfusedDeputyProtection",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:SourceOrgID": "",
          "aws:SourceAccount": [
            "",
            ""
          ]
        },
        "Null": {
          "aws:SourceAccount": "false"
        },
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        }
      }
    },
    {
      "Sid": "EnforceNetworkPerimeterSourceVPC",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddressIfExists": {
          "aws:SourceIp": ""
        },
        "StringNotEqualsIfExists": {
          "aws:SourceVpc": "",
          "aws:PrincipalTag/dp:exclude:network": "true",
          "aws:PrincipalAccount": [
            "",
            ""
          ]
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false",
          "aws:ViaAWSService": "false"
        },
        "ArnNotLikeIfExists": {
          "aws:PrincipalArn": "arn:aws:iam:::role/aws-service-role/*"
        },
        "StringEquals": {
          "aws:PrincipalTag/dp:include:network": "true"
        }
      }
    },
    {
      "Sid": "SourceVPCRegion",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": ""
        },
        "StringNotEqualsIfExists": {
          "aws:RequestedRegion": ""
        }
      }
    }
  ]
}
```

--------------------------------------------------------------------------------
/service_specific_guidance/cloudfront-keyvaluestore-specific-guidance.md:
--------------------------------------------------------------------------------

# Data perimeter accelerator

This document outlines service-specific guidance for implementing a data perimeter for Amazon CloudFront KeyValue Store.

Amazon CloudFront KeyValue Store is a feature of Amazon CloudFront that allows you to store and retrieve small amounts of data with low latency at CloudFront edge locations. It enables you to enhance your web applications by storing and accessing frequently used data closer to your users, improving performance and reducing the load on your origin servers.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | Y |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | Y |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.

**Additional consideration 1:**

Perimeter type applicability: identity and resource perimeter applied on network.

The service does not currently support VPC endpoint policies.

If you want to restrict access to your networks to trusted identities and trusted resources, consider implementing these additional controls:

* **Preventative control example 1**: Consider implementing `aws:ResourceOrgID` in an SCP to restrict service API calls so that your identities can only access trusted resources. See [resource_perimeter_scp.json](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/service_control_policies/resource_perimeter_scp.json) for an example policy.
* **Preventative control example 2**: Consider using your existing security appliances such as outbound proxies to inspect service API calls in your environment for the identities making the calls and resources being accessed, and restrict the calls accordingly. This type of solution might have implications for security, scalability, latency, and reliability that you should evaluate carefully.

**List of service APIs reviewed against data perimeter control objectives**

* DeleteKey
* DescribeKeyValueStore
* GetKey
* ListKeys
* PutKey
* UpdateKeys

--------------------------------------------------------------------------------
/service_specific_guidance/artifact-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: AWS Artifact

This document outlines service-specific guidance for implementing a data perimeter for AWS Artifact.

AWS Artifact is a self-service portal that provides on-demand access to AWS' compliance reports and agreements.
It allows customers to download AWS security and compliance documents, such as ISO certifications, PCI reports, and SOC reports, to support their regulatory and compliance requirements. AWS Artifact helps organizations demonstrate AWS infrastructure compliance to auditors and regulators.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | Y |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | Y |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.

**Additional consideration 1**

Perimeter type applicability: identity and resource perimeter applied on network.

The service does not currently support VPC endpoint policies.

If you want to restrict access to your networks to trusted identities and trusted resources, consider implementing these additional controls:

* **Preventative control example 1**: Consider implementing `aws:ResourceOrgID` in an SCP to restrict service calls so that your identities can only access trusted resources. See [resource_perimeter_scp.json](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/service_control_policies/resource_perimeter_scp.json) for an example policy.
* **Preventative control example 2**: Consider using your existing security appliances such as outbound proxies to inspect service API calls in your environment for the identities making the calls and resources being accessed, and restrict the calls accordingly. This type of solution might have implications for security, scalability, latency, and reliability that you should evaluate carefully.

**List of service APIs reviewed against data perimeter control objectives**

* GetAccountSettings
* GetReport
* GetReportMetadata
* GetTermForReport
* ListReports
* PutAccountSettings

--------------------------------------------------------------------------------
/service_specific_guidance/README.md:
--------------------------------------------------------------------------------

# Service-specific guidance

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0

## Description

This folder contains service-specific documents with additional considerations that you might want to review and consider when implementing a data perimeter for a service. Each service-specific document contains a list of service APIs reviewed against data perimeter control objectives to assess whether additional considerations apply to a service within the scope of current analysis.

For each consideration, we provide prescriptive guidance about controls you might want to implement in addition to the [general data perimeter guidance and default policies](../#General-data-perimeter-guidance).

The following are the types of additional controls that you might want to consider:
* **Preventative controls**: Security controls designed to prevent actions that lead to deviations from your data perimeter baseline. These controls are implemented by using [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) or [resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html).
* **Proactive controls**: Security controls designed to prevent resource configurations that lead to deviations from your data perimeter baseline. These controls are implemented through automated checks within deployment pipelines, such as those supported with [AWS CloudFormation Hooks](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/what-is-cloudformation-hooks.html). Though we primarily use CloudFormation hooks in the prescriptive guidance, you can implement policy-as-code checks by using your preferred infrastructure as code (IaC) tooling.
* **Detective controls**: Security controls designed to detect actions or resource configurations that lead to deviations from your data perimeter baseline. These controls can be implemented by using [AWS CloudTrail](https://aws.amazon.com/cloudtrail/) ([management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-events.html#cloudtrail-management-events), [data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-events.html#cloudtrail-data-events), [network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-events.html#cloudtrail-network-events)), [AWS Config](https://aws.amazon.com/config/), and your preferred log analysis tools. If necessary, you can remediate detected deviations with the responsive controls of your choice.
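As an added illustration of the detective-control type described above (example code written for this page, not part of the aws-samples repository or its guidance), the block below runs a network-perimeter check over CloudTrail management events: it separates calls the SCP/RCP already denied, calls an AWS service made on your behalf, and successful calls that reached your resources from outside the expected networks, which are the deviations worth triaging (for example a principal not yet tagged `dp:include:network`, or a service not yet listed in the network perimeter RCP). The events, corporate CIDR, VPC endpoint id and account ids are constructed sample data. The check relies on two CloudTrail conventions: a service-originated call carries the service DNS name as `sourceIPAddress` and sets `userIdentity.invokedBy`, and the `AccessDenied` message for an explicit SCP or RCP deny names the policy type; the substring match on that message is the assumption to verify against your own logs.

```python
"""Added example (not from the aws-samples/data-perimeter-policy-examples
repository): a detective control over CloudTrail management events that flags
successful API calls arriving from outside the expected networks and separates
them from calls the perimeter policies already denied. All events and network
values below are constructed sample data."""
import ipaddress
import json

EXPECTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed corporate range
EXPECTED_VPC_ENDPOINTS = {"vpce-0123456789abcdef0"}         # constructed endpoint id

# Constructed CloudTrail-style events, reduced to the fields the check reads.
SAMPLE_EVENTS = [
    {"eventName": "GetSecretValue", "eventSource": "secretsmanager.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/app/i-0abc"},
     "sourceIPAddress": "10.0.1.25", "vpcEndpointId": "vpce-0123456789abcdef0"},
    {"eventName": "GetSecretValue", "eventSource": "secretsmanager.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "203.0.113.40"},
    {"eventName": "ReceiveMessage", "eventSource": "sqs.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "198.51.100.9"},
    {"eventName": "GetSecretValue", "eventSource": "secretsmanager.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/app/i-0abc"},
     "sourceIPAddress": "198.51.100.9", "errorCode": "AccessDenied",
     "errorMessage": "... with an explicit deny in a resource control policy"},  # constructed wording
    {"eventName": "GetSecretValue", "eventSource": "secretsmanager.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/deploy/cfn",
                      "invokedBy": "cloudformation.amazonaws.com"},
     "sourceIPAddress": "cloudformation.amazonaws.com"},
]


def load_records(log_file_text):
    """Parse one CloudTrail log file body ({"Records": [...]}) as delivered to S3."""
    return json.loads(log_file_text)["Records"]


def classify(event):
    """Return one of: denied_by_rcp, denied_by_scp, denied_other, service_originated,
    expected_network, outside_expected_network."""
    if event.get("errorCode") == "AccessDenied":
        message = event.get("errorMessage", "")
        if "resource control policy" in message:
            return "denied_by_rcp"
        if "service control policy" in message:
            return "denied_by_scp"
        return "denied_other"
    # Calls a service makes on your behalf: the perimeter exempts them via aws:ViaAWSService.
    source = event["sourceIPAddress"]
    if source.endswith(".amazonaws.com") or "invokedBy" in event["userIdentity"]:
        return "service_originated"
    if event.get("vpcEndpointId") in EXPECTED_VPC_ENDPOINTS:
        return "expected_network"
    try:
        address = ipaddress.ip_address(source)
    except ValueError:          # unexpected non-IP source: treat as a deviation to review
        return "outside_expected_network"
    if any(address in net for net in EXPECTED_CIDRS):
        return "expected_network"
    return "outside_expected_network"


def find_deviations(events):
    """Successful calls from outside the expected networks: the perimeter did not stop them."""
    return [e for e in events if classify(e) == "outside_expected_network"]


def summarize(events):
    """Count events per classification; the denied_* buckets show the perimeter working."""
    counts = {}
    for event in events:
        label = classify(event)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    for event in find_deviations(SAMPLE_EVENTS):
        print("review:", event["userIdentity"]["arn"], event["eventName"], event["sourceIPAddress"])
```

On the sample data the summary reports two calls from expected networks, one RCP deny, one service-originated call and one deviation (the SQS `ReceiveMessage` from `198.51.100.9`). In practice the same classification is applied to every record of each log file delivered to your CloudTrail bucket, and the `denied_by_*` buckets are the signal for tuning the policies during a phased rollout.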

Based on your risk-mitigation strategy, determine which of these control types to apply for additional considerations outlined in each service-specific document.

When AWS services make calls to other services on your behalf, you might need to review service-specific guidance for all services in use to implement appropriate controls. For example, when using services that store data using your Amazon S3 buckets, consider implementing data perimeter controls for Amazon S3 by consulting S3-specific guidance for comprehensive control coverage.

--------------------------------------------------------------------------------
/service_specific_guidance/eks-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: Amazon Elastic Kubernetes Service

This document outlines service-specific guidance for implementing a data perimeter for Amazon Elastic Kubernetes Service (Amazon EKS).

Amazon EKS is a managed container orchestration service that simplifies the deployment, management, and scaling of containerized applications using Kubernetes. It provides a fully managed Kubernetes control plane, integrates seamlessly with other AWS services, and allows customers to run Kubernetes applications on AWS or on-premises with consistent operations.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.

**List of service APIs reviewed against data perimeter control objectives**
* AssociateAccessPolicy
* AssociateEncryptionConfig
* AssociateIdentityProviderConfig
* CreateAccessEntry
* CreateAddon
* CreateCluster
* CreateFargateProfile
* CreateNodegroup
* CreatePodIdentityAssociation
* DeleteAccessEntry
* DeleteAddon
* DeleteCluster
* DeleteFargateProfile
* DeleteNodegroup
* DeletePodIdentityAssociation
* DeregisterCluster
* DescribeAccessEntry
* DescribeAddon
* DescribeAddonConfiguration
* DescribeAddonVersions
* DescribeCluster
* DescribeEksAnywhereSubscription
* DescribeFargateProfile
* DescribeIdentityProviderConfig
* DescribeInsight
* DescribeNodegroup
* DescribePodIdentityAssociation
* DescribeUpdate
* DisassociateAccessPolicy
* DisassociateIdentityProviderConfig
* ListAccessEntries
* ListAccessPolicies
* ListAddons
* ListAssociatedAccessPolicies
* ListClusters
* ListEksAnywhereSubscriptions
* ListFargateProfiles
* ListIdentityProviderConfigs
* ListInsights
* ListNodegroups
* ListPodIdentityAssociations
* ListTagsForResource
* ListUpdates
* RegisterCluster
* TagResource
* UntagResource
* UpdateAccessEntry
* UpdateAddon
* UpdateClusterConfig
* UpdateClusterVersion
* UpdateEksAnywhereSubscription
* UpdateNodegroupConfig
* UpdateNodegroupVersion
* UpdatePodIdentityAssociation

--------------------------------------------------------------------------------
/service_specific_guidance/kafka-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: Amazon Managed Streaming for Apache Kafka

This document outlines service-specific guidance for implementing a data perimeter for Amazon Managed Streaming for Apache Kafka.

Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that makes it easy to build and run applications using Apache Kafka to process streaming data. It provides the control-plane operations, such as creating, updating, and deleting clusters, while automating complex Apache Kafka administrative tasks like broker node replacement and software upgrades. Amazon MSK enables you to quickly set up, scale, and manage Apache Kafka clusters in the cloud without the need for Apache Kafka infrastructure management expertise.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.

**List of service APIs reviewed against data perimeter control objectives**
* BatchAssociateScramSecret
* BatchDisassociateScramSecret
* CreateCluster
* CreateClusterV2
* CreateConfiguration
* CreateReplicator
* CreateVpcConnection
* DeleteCluster
* DeleteClusterPolicy
* DeleteConfiguration
* DeleteReplicator
* DeleteVpcConnection
* DescribeCluster
* DescribeClusterOperation
* DescribeClusterOperationV2
* DescribeClusterV2
* DescribeConfiguration
* DescribeConfigurationRevision
* DescribeReplicator
* DescribeVpcConnection
* GetBootstrapBrokers
* GetClusterPolicy
* GetCompatibleKafkaVersions
* ListClientVpcConnections
* ListClusterOperations
* ListClusterOperationsV2
* ListClusters
* ListClustersV2
* ListConfigurationRevisions
* ListConfigurations
* ListKafkaVersions
* ListNodes
* ListReplicators
* ListScramSecrets
* ListTagsForResource
* ListVpcConnections
* PutClusterPolicy
* RebootBroker
* TagResource
* UntagResource
* UpdateBrokerCount
* UpdateBrokerStorage
* UpdateBrokerType
* UpdateClusterConfiguration
* UpdateClusterKafkaVersion
* UpdateConfiguration
* UpdateMonitoring
* UpdateReplicationInfo
* UpdateSecurity
* UpdateStorage

--------------------------------------------------------------------------------
/service_specific_guidance/acm-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: AWS Certificate Manager

This document outlines service-specific guidance for implementing a data perimeter for AWS Certificate Manager (ACM).

ACM is a service that simplifies the process of provisioning, managing, and deploying public and private SSL/TLS certificates for use with AWS services and your internal connected resources. ACM handles the complexity of creating, storing, and renewing SSL/TLS certificates, helping you secure your applications and websites while reducing the time-consuming manual process of managing certificates.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | Y |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | Y |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.

**Additional consideration 1**

Perimeter type applicability: identity and resource perimeter applied on network.

The service does not currently support VPC endpoint policies.

If you want to restrict access to your networks to trusted identities and trusted resources, consider implementing these additional controls:

* **Preventative control example 1**: Consider implementing `aws:ResourceOrgID` in an SCP to restrict service API calls so that your identities can only access trusted resources. See [resource_perimeter_scp.json](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/service_control_policies/resource_perimeter_scp.json) for an example policy.
* **Preventative control example 2**: Consider using your existing security appliances such as outbound proxies to inspect service API calls in your environment for the identities making the calls and resources being accessed, and restrict the calls accordingly. This type of solution might have implications for security, scalability, latency, and reliability that you should evaluate carefully.

**List of service APIs reviewed against data perimeter control objectives**

* AddTagsToCertificate
* DeleteCertificate
* DescribeCertificate
* ExportCertificate
* GetAccountConfiguration
* GetCertificate
* ImportCertificate
* ListCertificates
* ListTagsForCertificate
* PutAccountConfiguration
* RemoveTagsFromCertificate
* RenewCertificate
* RequestCertificate
* UpdateCertificateOptions

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------

# Contributing Guidelines

Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional documentation, we greatly value feedback and contributions from our community.

Please read through this document before submitting any issues or pull requests to ensure we have all the necessary information to effectively respond to your bug report or contribution.

## Reporting Bugs/Feature Requests

We welcome you to use the GitHub issue tracker to report bugs or suggest features.

When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:

* A reproducible test case or series of steps
* The version of our code being used
* Any modifications you've made relevant to the bug
* Anything unusual about your environment or deployment

## Contributing via Pull Requests
Contributions via pull requests are much appreciated.
Before sending us a pull request, please ensure that:

1. You are working against the latest source on the *main* branch.
2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
3. You open an issue to discuss any significant work - we would hate for your time to be wasted.

To send us a pull request, please:

1. Fork the repository.
2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
3. Ensure local tests pass.
4. Commit to your fork using clear commit messages.
5. Send us a pull request, answering any default questions in the pull request interface.
6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.

GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and [creating a pull request](https://help.github.com/articles/creating-a-pull-request/).

## Finding contributions to work on
Looking at the existing issues is a great way to find something to contribute to. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.

## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact opensource-codeofconduct@amazon.com with any additional questions or comments.

## Security issue notifications
If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public GitHub issue.

## Licensing

See the [LICENSE](LICENSE-SUMMARY) file for our project's licensing. We will ask you to confirm the licensing of your contribution.

--------------------------------------------------------------------------------
/service_control_policies/resource_perimeter_scp.json:
--------------------------------------------------------------------------------

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceResourcePerimeterAWSResources",
      "Effect": "Deny",
      "Action": "*",
      "NotResource": [
        "arn:aws:iam::aws:policy/*",
        "arn:aws:ssm:*::document/*",
        "arn:aws:ssm:*::parameter/*",
        "arn:aws:ssm:*::automation-definition/*",
        "arn:aws:imagebuilder:*:aws:component/*",
        "arn:aws:imagebuilder:*:aws:image/*",
        "arn:aws:ec2:*:aws:prefix-list/*",
        "arn:aws:lambda:*::layer:*",
        "arn:aws:ecr:*::repository/*",
        "arn:aws:s3:::aws-glue-studio-transforms--prod-/*",
        "arn:aws:s3:::elasticbeanstalk-samples-/*",
        "arn:aws:s3:::elasticbeanstalk-platform-assets-/*",
        "arn:aws:s3:::elasticbeanstalk-env-resources-/*",
        "arn:aws:s3:::elasticbeanstalk-/*",
        "arn:aws:s3:::jumpstart-cache-prod-/*",
        "arn:aws:s3:::jumpstart-cache-prod-",
        "arn:aws:cloudformation:*:aws:transform/*",
        "arn:aws:s3:::aws-synthetics-library-/*",
        "arn:aws:s3:::aws-data-exchange",
        "arn:aws:s3:::sc--/*",
        "arn:aws:s3:::aws-neptune-notebook",
        "arn:aws:s3:::aws-neptune-notebook/*",
        "arn:aws:s3:::aws-neptune-notebook-",
        "arn:aws:s3:::aws-neptune-notebook-/*",
        ""
      ],
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:ResourceOrgID": "",
          "ec2:Owner": "amazon",
          "aws:PrincipalTag/dp:exclude:resource": "true"
        }
      }
    },
    {
      "Sid": "EnforceResourcePerimeterAWSResourcesS3",
      "Effect": "Deny",
      "Action": "*",
      "Resource": [
        "arn:aws:s3:::aws-data-exchange",
        "arn:aws:s3:::sc--/*"
      ],
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:ResourceOrgID": "",
          "aws:PrincipalTag/dp:exclude:resource": "true"
        },
        "ForAllValues:StringNotEquals": {
          "aws:CalledVia": [
            "dataexchange.amazonaws.com",
            "servicecatalog.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "EnforceResourcePerimeterThirdPartyResources",
      "Effect": "Deny",
      "Action": "*",
      "Resource": [
        ""
      ],
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude:resource": "true",
          "aws:ResourceAccount": [
            "",
            ""
          ]
        }
      }
    }
  ]
}
```

--------------------------------------------------------------------------------
/service_specific_guidance/acm-pca-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: AWS Private Certificate Authority

This document outlines service-specific guidance for implementing a data perimeter for AWS Private Certificate Authority (AWS Private CA).

AWS Private CA is a managed service that allows you to create and manage private certificate authorities (CAs) within your organization. It enables you to issue and manage private certificates for your internal applications, services, and devices, providing secure communication and authentication within your AWS environment and on-premises infrastructure.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | Y |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.



**Additional consideration 1**

Perimeter type applicability: resource perimeter applied on identity.

CreateCertificateAuthorityAuditReport allows you to specify an S3 bucket that does not belong to your organization as the value for the S3BucketName request parameter. Because the subsequent PutObject call against the S3 bucket is performed by the service principal, it is not restricted with `aws:ResourceOrgID` implemented in an SCP.
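The detective side of this consideration, as an added example that is not code from this repository: the script below scans CloudTrail management events for CreateCertificateAuthorityAuditReport calls and flags any whose S3BucketName request parameter is not in an allowlist of buckets the organization owns. A bucket name on its own does not reveal who owns it, so the allowlist is what stands in for the ownership check that `aws:ResourceOrgID` cannot perform here. The bucket names, account IDs, role names and sample records are constructed; the lower-cased `s3BucketName` key follows the usual CloudTrail request-parameter casing, and both spellings are accepted.

```python
"""Added example (not code from this repository): flag CreateCertificateAuthorityAuditReport
calls in CloudTrail whose S3BucketName is not an approved, organization-owned bucket.
Bucket names, account IDs and the sample records below are constructed."""
import json

# Constructed allowlist of audit-report destinations owned by the organization.
# Build this from a real bucket inventory across org accounts; a bucket name on
# its own does not tell you who owns it, so the allowlist is the ownership check.
TRUSTED_AUDIT_BUCKETS = {"example-org-pca-audit-reports", "example-org-pca-audit-reports-eu"}

def audit_report_destination(event):
    """Return the bucket named by a CreateCertificateAuthorityAuditReport record, else None."""
    if (event.get("eventSource"), event.get("eventName")) != \
            ("acm-pca.amazonaws.com", "CreateCertificateAuthorityAuditReport"):
        return None
    params = event.get("requestParameters") or {}
    # CloudTrail lower-cases the first letter of request parameter names; accept both.
    return params.get("s3BucketName") or params.get("S3BucketName")

def find_untrusted_audit_reports(events, trusted_buckets):
    """Return one finding per audit report sent to a bucket outside the allowlist."""
    findings = []
    for event in events:
        bucket = audit_report_destination(event)
        if bucket is None or bucket in trusted_buckets:
            continue
        params = event.get("requestParameters") or {}
        findings.append({
            "account": event.get("recipientAccountId"),
            "caller": (event.get("userIdentity") or {}).get("arn"),
            "certificateAuthority": params.get("certificateAuthorityArn"),
            "bucket": bucket,
        })
    return findings

def scan_cloudtrail_file(path, trusted_buckets=TRUSTED_AUDIT_BUCKETS):
    """Scan one CloudTrail log file ({"Records": [...]}) as delivered to S3."""
    with open(path) as fh:
        return find_untrusted_audit_reports(json.load(fh).get("Records", []), trusted_buckets)

def _record(name, role, params):
    """Build a trimmed CloudTrail record (constructed sample data)."""
    return {"eventSource": "acm-pca.amazonaws.com", "eventName": name,
            "recipientAccountId": "111111111111",
            "userIdentity": {"arn": f"arn:aws:sts::111111111111:assumed-role/{role}/user"},
            "requestParameters": params}

CA_ARN = "arn:aws:acm-pca:us-east-1:111111111111:certificate-authority/EXAMPLE-CA-ID"  # constructed
SAMPLE_EVENTS = [
    _record("CreateCertificateAuthorityAuditReport", "PcaAdmin",
            {"certificateAuthorityArn": CA_ARN, "s3BucketName": "example-org-pca-audit-reports",
             "auditReportResponseFormat": "JSON"}),
    _record("CreateCertificateAuthorityAuditReport", "DevRole",
            {"certificateAuthorityArn": CA_ARN, "s3BucketName": "unknown-external-bucket",
             "auditReportResponseFormat": "JSON"}),
    _record("DescribeCertificateAuthority", "PcaAdmin", {"certificateAuthorityArn": CA_ARN}),
]

if __name__ == "__main__":
    for finding in find_untrusted_audit_reports(SAMPLE_EVENTS, TRUSTED_AUDIT_BUCKETS):
        print(json.dumps(finding))
```

Run against the constructed sample, only the second record is reported (the DevRole call that points at `unknown-external-bucket`); `scan_cloudtrail_file` applies the same check to a CloudTrail log file delivered to S3, and the finding can feed whatever responsive control you choose.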

If you want to restrict access to trusted resources, consider implementing these additional controls:

* **Detective control example:** Consider using CloudTrail management events to monitor the [CreateCertificateAuthorityAuditReport](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html) API calls in your environment (specifically, the [S3BucketName](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html#privateca-CreateCertificateAuthorityAuditReport-request-S3BucketName) request parameter). If necessary, remediate with the responsive controls of your choice.





**List of service APIs reviewed against data perimeter control objectives**

* CreateCertificateAuthority
* CreateCertificateAuthorityAuditReport
* CreatePermission
* DeleteCertificateAuthority
* DeletePermission
* DeletePolicy
* DescribeCertificateAuthority
* DescribeCertificateAuthorityAuditReport
* GetCertificate
* GetCertificateAuthorityCertificate
* GetCertificateAuthorityCsr
* GetPolicy
* IssueCertificate
* ListCertificateAuthorities
* ListPermissions
* ListTags
* PutPolicy
* RestoreCertificateAuthority
* TagCertificateAuthority
* UntagCertificateAuthority
* UpdateCertificateAuthority

--------------------------------------------------------------------------------
/service_control_policies/service_specific_controls/restrict_untrusted_endpoints_scp.json:
--------------------------------------------------------------------------------
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventUntrustedSNSEmailSubscriptions",
      "Effect": "Deny",
      "Action": [
        "sns:Subscribe"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "sns:Protocol": "email"
        },
        "StringNotLike": {
          "sns:Endpoint": "*@"
        },
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude:resource": "true"
        }
      }
    },
    {
      "Sid": "PreventEventBridgeAPIDestinations",
      "Effect": "Deny",
      "Action": [
        "events:PutTargets"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:ArnLike": {
          "events:TargetArn": "arn:aws:events:*:*:api-destination/*"
        },
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude:resource": "true"
        }
      }
    },
    {
      "Sid": "PreventUntrustedStepFunctionsHTTPSAPI",
      "Effect": "Deny",
      "Action": [
        "states:InvokeHTTPEndpoint"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "states:HTTPEndpoint": ""
        },
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude:resource": "true"
        }
      }
    },
    {
      "Sid": "PreventUntrustedSESv1Emails",
      "Effect": "Deny",
      "Action": [
        "ses:SendBulkTemplatedEmail",
        "ses:SendEmail",
        "ses:SendRawEmail",
        "ses:SendTemplatedEmail"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringNotLike": {
          "ses:Recipients": [
            "*@"
          ]
        },
        "StringEquals": {
          "ses:ApiVersion": "1"
        },
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude:resource": "true"
        }
      }
    },
    {
      "Sid": "PreventUntrustedSESv2Emails",
      "Effect": "Deny",
      "Action": [
        "ses:SendEmail"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringNotLike": {
          "ses:Recipients": [
            "*@"
          ]
        },
        "StringEquals": {
          "ses:ApiVersion": "2"
        },
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude:resource": "true"
        }
      }
    },
    {
      "Sid": "PreventUntrustedSESVerificationEmails",
      "Effect": "Deny",
      "Action": [
        "ses:SendCustomVerificationEmail"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude:resource": "true"
        }
      }
    }
  ]
}
--------------------------------------------------------------------------------
/resource_control_policies/identity_perimeter_rcp.json:
--------------------------------------------------------------------------------
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceOrgIdentities",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:*",
        "sqs:*",
        "kms:*",
        "secretsmanager:*",
        "sts:AssumeRole",
        "sts:DecodeAuthorizationMessage",
        "sts:GetAccessKeyInfo",
        "sts:GetFederationToken",
        "sts:GetServiceBearerToken",
        "sts:GetSessionToken",
        "sts:SetContext",
        "aoss:*",
        "ecr:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "",
          "aws:PrincipalAccount": [
            "",
            "",
            "",
            ""
          ],
          "aws:ResourceTag/dp:exclude:identity": "true"
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    },
    {
      "Sid": "EnforceTrustedOIDCTenants",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          ":sub": "",
          "aws:ResourceTag/dp:exclude:identity": "true"
        },
        "Null": {
          ":sub": "false"
        }
      }
    },
    {
      "Sid": "EnforceTrustedOIDCProviders",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Resource": "*",
      "Condition": {
        "Null": {
          ":sub": "true",
          ":sub": "true"
        }
      }
    },
    {
      "Sid": "EnforceConfusedDeputyProtection",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:*",
        "sqs:*",
        "kms:*",
        "secretsmanager:*",
        "sts:*",
        "aoss:*",
        "ecr:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:SourceOrgID": "",
          "aws:SourceAccount": [
            "",
            ""
          ],
          "aws:ResourceTag/dp:exclude:identity": "true"
        },
        "Null": {
          "aws:SourceAccount": "false"
        },
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        }
      }
    }
  ]
}
--------------------------------------------------------------------------------
/service_specific_guidance/schemas-specific-guidance.md:
--------------------------------------------------------------------------------
# Service-specific guidance: Amazon EventBridge schemas


This document outlines service-specific guidance for implementing a data perimeter for Amazon EventBridge schemas.


Amazon EventBridge Schemas is a service that helps developers discover, create, and manage schemas for events in EventBridge. It automatically infers schemas from events passing through EventBridge, making it easier to build applications that react to these events. The service also provides a registry for storing and sharing schemas, enabling developers to maintain consistency across their event-driven applications.


The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | Y |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | Y |

*Y – Additional considerations apply. N – No additional considerations apply.

**Additional consideration 1**

Perimeter type applicability: identity and network perimeter applied on resource.

PutResourcePolicy allows you to apply a resource-based policy to grant access to a registry. The service currently does not support RCPs.

If you want to restrict access to trusted identities and expected networks, consider implementing these additional controls:

* **Preventative control example**: Consider restricting [PutResourcePolicy](https://docs.aws.amazon.com/eventbridge/latest/schema-reference/v1-policy.html#PutResourcePolicy) permissions to administrators only using an SCP. See [restrict_resource_policy_configurations_scp.json](../service_control_policies/service_specific_controls/restrict_resource_policy_configurations_scp.json) for an example policy.
* **Proactive control example:** Consider implementing CloudFormation Hooks to help prevent developers from specifying [Policy](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-eventschemas-registrypolicy.html#cfn-eventschemas-registrypolicy-policy) properties for the [AWS::EventSchemas::RegistryPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-eventschemas-registrypolicy.html) resource that grant permissions to untrusted identities or unexpected networks.
* **Detective control example:** Consider using CloudTrail management events to monitor the [PutResourcePolicy](https://docs.aws.amazon.com/eventbridge/latest/schema-reference/v1-policy.html#PutResourcePolicy) API calls in your environment (specifically, the [Policy](https://docs.aws.amazon.com/eventbridge/latest/schema-reference/v1-policy.html#v1-policy-prop-putresourcepolicyinput-policy) request parameter). If necessary, remediate with the responsive controls of your choice.


**List of service APIs reviewed against data perimeter control objectives**
* CreateDiscoverer
* CreateRegistry
* CreateSchema
* DeleteDiscoverer
* DeleteRegistry
* DeleteResourcePolicy
* DeleteSchema
* DescribeCodeBinding
* DescribeDiscoverer
* DescribeRegistry
* DescribeSchema
* ExportSchema
* GetCodeBindingSource
* GetDiscoveredSchema
* GetResourcePolicy
* ListDiscoverers
* ListRegistries
* ListSchemaVersions
* ListSchemas
* ListTagsForResource
* PutCodeBinding
* PutResourcePolicy
* SearchSchemas
* StartDiscoverer
* StopDiscoverer
* TagResource
* UntagResource
* UpdateDiscoverer
* UpdateRegistry
* UpdateSchema

--------------------------------------------------------------------------------
/service_specific_guidance/backup-specific-guidance.md:
--------------------------------------------------------------------------------
# Service-specific guidance: AWS Backup


This document outlines service-specific guidance for implementing a data perimeter for AWS Backup.


AWS Backup is a fully managed backup service that simplifies and centralizes the backup of data across AWS services, including Amazon EBS volumes, Amazon RDS databases, Amazon DynamoDB tables, Amazon EFS file systems, and more. It provides a unified way to create, manage, and automate backup policies, ensuring data protection and compliance with regulatory requirements.


The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.


**List of service APIs reviewed against data perimeter control objectives**
* CancelLegalHold
* CreateBackupPlan
* CreateBackupSelection
* CreateBackupVault
* CreateFramework
* CreateLegalHold
* CreateLogicallyAirGappedBackupVault
* CreateReportPlan
* CreateRestoreTestingPlan
* CreateRestoreTestingSelection
* DeleteBackupPlan
* DeleteBackupSelection
* DeleteBackupVault
* DeleteBackupVaultAccessPolicy
* DeleteBackupVaultLockConfiguration
* DeleteBackupVaultNotifications
* DeleteFramework
* DeleteRecoveryPoint
* DeleteReportPlan
* DeleteRestoreTestingPlan
* DeleteRestoreTestingSelection
* DescribeBackupJob
* DescribeBackupVault
* DescribeCopyJob
* DescribeFramework
* DescribeGlobalSettings
* DescribeProtectedResource
* DescribeRecoveryPoint
* DescribeRegionSettings
* DescribeReportJob
* DescribeReportPlan
* DescribeRestoreJob
* ExportBackupPlanTemplate
* GetBackupPlan
* GetBackupPlanFromJSON
* GetBackupPlanFromTemplate
* GetBackupSelection
* GetBackupVaultAccessPolicy
* GetBackupVaultNotifications
* GetLegalHold
* GetRecoveryPointRestoreMetadata
* GetRestoreJobMetadata
* GetRestoreTestingInferredMetadata
* GetRestoreTestingPlan
* GetRestoreTestingSelection
* GetSupportedResourceTypes
* ListBackupJobs
* ListBackupJobSummaries
* ListBackupPlans
* ListBackupPlanTemplates
* ListBackupPlanVersions
* ListBackupSelections
* ListBackupVaults
* ListCopyJobs
* ListCopyJobSummaries
* ListFrameworks
* ListLegalHolds
* ListProtectedResources
* ListProtectedResourcesByBackupVault
* ListRecoveryPointsByBackupVault
* ListRecoveryPointsByLegalHold
* ListRecoveryPointsByResource
* ListReportJobs
* ListReportPlans
* ListRestoreJobs
* ListRestoreJobsByProtectedResource
* ListRestoreJobSummaries
* ListRestoreTestingPlans
* ListRestoreTestingSelections
* ListTags
* PutBackupVaultAccessPolicy
* PutBackupVaultLockConfiguration
* PutBackupVaultNotifications
* PutRestoreValidationResult
* StartBackupJob
* StartCopyJob
* StartReportJob
* StartRestoreJob
* TagResource
* UntagResource
* UpdateBackupPlan
* UpdateFramework
* UpdateGlobalSettings
* UpdateRecoveryPointLifecycle
* UpdateRegionSettings
* UpdateReportPlan
* UpdateRestoreTestingPlan
* UpdateRestoreTestingSelection

--------------------------------------------------------------------------------
/service_specific_guidance/glacier-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: Amazon S3 Glacier


This document outlines service-specific guidance for implementing a data perimeter for Amazon S3 Glacier.

Amazon S3 Glacier is a secure, durable, and low-cost cloud storage service for data archiving and long-term backup. It is designed for infrequently accessed data with flexible retrieval options ranging from minutes to hours. S3 Glacier integrates with Amazon S3 to provide a complete data storage solution for cost-effective data lifecycle management.


The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | Y |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | Y |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | Y |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | Y |

*Y – Additional considerations apply. N – No additional considerations apply.




**Additional consideration 1**

Perimeter type applicability: identity and network perimeter applied on resource.

SetVaultAccessPolicy allows you to apply a resource-based policy to grant access to a vault. The service currently does not support RCPs.


If you want to restrict access to trusted identities and expected networks, consider implementing these additional controls:

* **Preventative control example**: Consider restricting [SetVaultAccessPolicy](https://docs.aws.amazon.com/amazonglacier/latest/dev/api-SetVaultAccessPolicy.html) permissions to administrators only using an SCP. See [restrict_resource_policy_configurations_scp.json](../service_control_policies/service_specific_controls/restrict_resource_policy_configurations_scp.json) for an example policy.
* **Detective control example:** Consider using CloudTrail management events to monitor the [SetVaultAccessPolicy](https://docs.aws.amazon.com/amazonglacier/latest/dev/api-SetVaultAccessPolicy.html) calls in your environment (specifically, the Policy request parameter). If necessary, remediate with the responsive controls of your choice.


**Additional consideration 2**

Perimeter type applicability: identity and resource perimeter applied on network.

The service does not currently support VPC endpoint policies.

If you want to restrict access to your networks to trusted identities and trusted resources, consider implementing these additional controls:

* **Preventative control example 1**: Consider implementing `aws:ResourceOrgID` in an SCP to restrict service API calls so that your identities can only access trusted resources. See [resource_perimeter_scp.json](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/service_control_policies/resource_perimeter_scp.json) for an example policy.
* **Preventative control example 2**: Consider using your existing security appliances such as outbound proxies to inspect service API calls in your environment for the identities making the calls and resources being accessed, and restrict the calls accordingly. This type of solution might have implications for security, scalability, latency, and reliability that you should evaluate carefully.






**List of service APIs reviewed against data perimeter control objectives**

* AbortMultipartUpload
* AbortVaultLock
* AddTagsToVault
* CreateVault
* DeleteArchive
* DeleteVault
* DeleteVaultAccessPolicy
* DeleteVaultNotifications
* DescribeJob
* DescribeVault
* GetDataRetrievalPolicy
* GetVaultAccessPolicy
* GetVaultLock
* GetVaultNotifications
* InitiateJob
* InitiateMultipartUpload
* InitiateVaultLock
* ListJobs
* ListMultipartUploads
* ListParts
* ListProvisionedCapacity
* ListTagsForVault
* ListVaults
* RemoveTagsFromVault
* SetDataRetrievalPolicy
* SetVaultAccessPolicy
* SetVaultNotifications
* UploadArchive
* UploadMultipartPart

--------------------------------------------------------------------------------
/service_specific_guidance/route53-specific-guidance.md:
--------------------------------------------------------------------------------

# Data perimeter accelerator


This document outlines service-specific guidance for implementing a data perimeter for Amazon Route 53.

Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service. It provides reliable and cost-effective domain registration, DNS routing, and health checking of resources. Route 53 enables you to manage traffic globally through a variety of routing types and seamlessly connects user requests to AWS and on-premises infrastructure.


The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | Y |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | Y |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.


**Additional consideration 1:**

Perimeter type applicability: identity and resource perimeter applied on network.

The service does not currently support VPC endpoint policies.

If you want to restrict access to your networks to trusted identities and trusted resources, consider implementing these additional controls:

* **Preventative control example 1**: Consider implementing `aws:ResourceOrgID` in an SCP to restrict service API calls so that your identities can only access trusted resources. See [resource_perimeter_scp.json](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/service_control_policies/resource_perimeter_scp.json) for an example policy.
* **Preventative control example 2**: Consider using your existing security appliances such as outbound proxies to inspect service API calls in your environment for the identities making the calls and resources being accessed, and restrict the calls accordingly. This type of solution might have implications for security, scalability, latency, and reliability that you should evaluate carefully.


**List of service APIs reviewed against data perimeter control objectives**

* ActivateKeySigningKey
* AssociateVPCWithHostedZone
* ChangeCidrCollection
* ChangeResourceRecordSets
* ChangeTagsForResource
* CreateCidrCollection
* CreateHealthCheck
* CreateHostedZone
* CreateKeySigningKey
* CreateQueryLoggingConfig
* CreateReusableDelegationSet
* CreateTrafficPolicy
* CreateTrafficPolicyInstance
* CreateTrafficPolicyVersion
* CreateVPCAssociationAuthorization
* DeactivateKeySigningKey
* DeleteCidrCollection
* DeleteHealthCheck
* DeleteHostedZone
* DeleteKeySigningKey
* DeleteQueryLoggingConfig
* DeleteReusableDelegationSet
* DeleteTrafficPolicy
* DeleteTrafficPolicyInstance
* DeleteVPCAssociationAuthorization
* DisableHostedZoneDNSSEC
* DisassociateVPCFromHostedZone
* EnableHostedZoneDNSSEC
* GetAccountLimit
* GetChange
* GetCheckerIpRanges
* GetDNSSEC
* GetGeoLocation
* GetHealthCheck
* GetHealthCheckCount
* GetHealthCheckLastFailureReason
* GetHealthCheckStatus
* GetHostedZone
* GetHostedZoneCount
* GetHostedZoneLimit
* GetQueryLoggingConfig
* GetReusableDelegationSet
* GetReusableDelegationSetLimit
* GetTrafficPolicy
* GetTrafficPolicyInstance
* GetTrafficPolicyInstanceCount
* ListCidrBlocks
* ListCidrCollections
* ListCidrLocations
* ListGeoLocations
* ListHealthChecks
* ListHostedZones
* ListHostedZonesByName
* ListHostedZonesByVPC
* ListQueryLoggingConfigs
* ListResourceRecordSets
* ListReusableDelegationSets
* ListTagsForResource
* ListTagsForResources
* ListTrafficPolicies
* ListTrafficPolicyInstances
* ListTrafficPolicyInstancesByHostedZone
* ListTrafficPolicyInstancesByPolicy
* ListTrafficPolicyVersions
* ListVPCAssociationAuthorizations
* TestDNSAnswer
* UpdateHealthCheck
* UpdateHostedZoneComment
* UpdateTrafficPolicyComment
* UpdateTrafficPolicyInstance



--------------------------------------------------------------------------------
/service_specific_guidance/kms-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: AWS Key Management Service (KMS)


This document outlines service-specific guidance for implementing a data perimeter for AWS Key Management Service (KMS).

AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. KMS integrates with other AWS services to help you protect the data you store in these services and control access to it. It provides a centralized system for managing keys across a wide range of AWS services and in your applications.


The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | Y |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | Y |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.




**Additional consideration 1**

Perimeter type applicability: identity perimeter applied on resource; resource perimeter applied on identity.

CreateGrant allows you to create a grant for another account.

If you want to restrict access so that only trusted identities can view information about your resources, consider implementing these additional controls:

* **Preventative control example 1:** Consider implementing `aws:PrincipalOrgID` in an RCP to restrict service API calls so that your resources can only be accessed by trusted identities. See [identity_perimeter_rcp.json](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/resource_control_policies/identity_perimeter_rcp.json) for an example policy.
* **Preventative control example 2:** Consider restricting [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) permissions to administrators and AWS services only using an SCP. See [data_perimeter_governance_scp.json](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/service_control_policies/data_perimeter_governance_scp.json) for an example policy.
* **Detective control example:** Consider using CloudTrail management events to monitor the [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) API calls in your environment (specifically, the [GranteePrincipal](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html#KMS-CreateGrant-request-GranteePrincipal) request parameter). If necessary, remediate with the responsive controls of your choice.

If you want to restrict access so that your identities cannot view resources that were shared with your accounts by untrusted entities, consider implementing this additional control:

* **Detective control example:** Consider using [ListRetirableGrants](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListRetirableGrants.html) to monitor the grants created for your accounts (specifically, the [KeyId](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListRetirableGrants.html#API_ListRetirableGrants_ResponseSyntax) response parameter). If necessary, remediate with the responsive controls of your choice.
41 | 42 | 43 | 44 | 45 | 46 | **List of service APIs reviewed against data perimeter control objectives** 47 | 48 | * CreateAlias 49 | * CreateGrant 50 | * CreateKey 51 | * Decrypt 52 | * DeleteAlias 53 | * DeleteImportedKeyMaterial 54 | * DeriveSharedSecret 55 | * DescribeCustomKeyStores 56 | * DescribeKey 57 | * DisableKey 58 | * DisableKeyRotation 59 | * EnableKey 60 | * EnableKeyRotation 61 | * Encrypt 62 | * GenerateDataKey 63 | * GenerateDataKeyPair 64 | * GenerateDataKeyPairWithoutPlaintext 65 | * GenerateDataKeyWithoutPlaintext 66 | * GenerateMac 67 | * GetKeyPolicy 68 | * GetKeyRotationStatus 69 | * GetParametersForImport 70 | * GetPublicKey 71 | * ImportKeyMaterial 72 | * ListAliases 73 | * ListGrants 74 | * ListKeyPolicies 75 | * ListKeyRotations 76 | * ListKeys 77 | * ListResourceTags 78 | * ListRetirableGrants 79 | * PutKeyPolicy 80 | * ReEncrypt 81 | * ReplicateKey 82 | * RetireGrant 83 | * RotateKeyOnDemand 84 | * Sign 85 | * TagResource 86 | * UntagResource 87 | * UpdateAlias 88 | * UpdateKeyDescription 89 | * UpdatePrimaryRegion 90 | * Verify 91 | * VerifyMac -------------------------------------------------------------------------------- /service_specific_guidance/emr-serverless-specific-guidance.md: -------------------------------------------------------------------------------- 1 | 2 | # Service-specific guidance: Amazon EMR Serverless 3 | 4 | 5 | This document outlines service-specific guidance for implementing a data perimeter for Amazon EMR Serverless. 6 | 7 | Amazon EMR Serverless is a managed service that allows you to run big data analytics applications without the need to configure, manage, or scale clusters and servers. It provides a serverless runtime environment for Apache Spark and Apache Hive, enabling you to process data quickly and cost-effectively while automatically scaling resources based on workload demands. 
The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|---------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | Y |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | Y |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | Y |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | Y |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | Y |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | Y |

*Y – Additional considerations apply. N – No additional considerations apply.

**Additional consideration 1**

Perimeter type applicability: all.

UpdateApplication allows you to associate applications with an Amazon VPC to run your code.

If you want to achieve data perimeter control objectives, consider implementing these additional controls:

* **Proactive control example:** Consider implementing CloudFormation Hooks to help ensure that developers specify the [NetworkConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-emrserverless-application.html#cfn-emrserverless-application-networkconfiguration) property of the [AWS::EMRServerless::Application](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-emrserverless-application.html) resource.
* **Detective control example 1:** Consider implementing a custom AWS Config rule to help detect EMR Serverless applications not associated with a VPC, or use [advanced queries](https://docs.aws.amazon.com/config/latest/developerguide/querying-AWS-resources.html) to get a one-time view of incorrectly configured resources. If necessary, remediate with the responsive controls of your choice.
* **Detective control example 2:** Consider using CloudTrail management events to monitor the [UpdateApplication](https://docs.aws.amazon.com/emr-serverless/latest/APIReference/API_UpdateApplication.html) API calls in your environment (specifically, the [networkConfiguration](https://docs.aws.amazon.com/emr-serverless/latest/APIReference/API_UpdateApplication.html#emrserverless-UpdateApplication-request-networkConfiguration) request parameter). If necessary, remediate with the responsive controls of your choice.

**Additional consideration 2**

Perimeter type applicability: all.

CreateApplication allows you to associate applications with an Amazon VPC to run your code.

If you want to achieve data perimeter control objectives, consider implementing these additional controls:

* **Proactive control example:** Consider implementing CloudFormation Hooks to help ensure that developers specify the [NetworkConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-emrserverless-application.html#cfn-emrserverless-application-networkconfiguration) property of the [AWS::EMRServerless::Application](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-emrserverless-application.html) resource.
* **Detective control example 1:** Consider implementing a custom AWS Config rule to help detect EMR Serverless applications not associated with a VPC, or use [advanced queries](https://docs.aws.amazon.com/config/latest/developerguide/querying-AWS-resources.html) to get a one-time view of incorrectly configured resources. If necessary, remediate with the responsive controls of your choice.
* **Detective control example 2:** Consider using CloudTrail management events to monitor the [CreateApplication](https://docs.aws.amazon.com/emr-serverless/latest/APIReference/API_CreateApplication.html) API calls in your environment (specifically, the [networkConfiguration](https://docs.aws.amazon.com/emr-serverless/latest/APIReference/API_CreateApplication.html#emrserverless-CreateApplication-request-networkConfiguration) request parameter). If necessary, remediate with the responsive controls of your choice.

**List of service APIs reviewed against data perimeter control objectives**

* CancelJobRun
* CreateApplication
* DeleteApplication
* GetApplication
* GetJobRun
* ListApplications
* ListJobRunAttempts
* ListJobRuns
* ListTagsForResource
* StartApplication
* StartJobRun
* StopApplication
* TagResource
* UntagResource
* UpdateApplication

--------------------------------------------------------------------------------
/service_specific_guidance/ssm-contacts-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: AWS Systems Manager Incident Manager Contacts

This document outlines service-specific guidance for implementing a data perimeter for AWS Systems Manager Incident Manager Contacts.
AWS Systems Manager Incident Manager Contacts is a feature within AWS Systems Manager that helps you manage and organize contact information for individuals and teams involved in incident response. It allows you to store, update, and quickly access contact details, enabling efficient communication and escalation during incidents or emergencies.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|---------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | Y |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.

**Additional consideration 1**

Perimeter type applicability: resource perimeter applied on identity.

UpdateContactChannel allows you to specify contact channels, such as Email, Short Message Service (SMS), and Voice, as the value for the DeliveryAddress request parameter. Because the subsequent requests are not governed by IAM, they are not restricted with `aws:ResourceOrgID` implemented in an SCP.

If you want to restrict access to trusted resources, consider implementing these additional controls:

* **Proactive control example:** Consider implementing CloudFormation Hooks to help prevent developers from specifying a [ChannelAddress](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ssmcontacts-contactchannel.html#cfn-ssmcontacts-contactchannel-channeladdress) property that does not belong to your organization for the [AWS::SSMContacts::ContactChannel](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ssmcontacts-contactchannel.html) resource.
* **Detective control example:** Consider using CloudTrail management events to monitor the [UpdateContactChannel](https://docs.aws.amazon.com/incident-manager/latest/APIReference/API_SSMContacts_UpdateContactChannel.html) API calls in your environment (specifically, the DeliveryAddress request parameter). If necessary, remediate with the responsive controls of your choice.

**Additional consideration 2**

Perimeter type applicability: resource perimeter applied on identity.

CreateContactChannel allows you to specify contact channels, such as Email, Short Message Service (SMS), and Voice, as the value for the DeliveryAddress request parameter. Because the subsequent requests are not governed by IAM, they are not restricted with `aws:ResourceOrgID` implemented in an SCP.

If you want to restrict access to trusted resources, consider implementing these additional controls:

* **Proactive control example:** Consider implementing CloudFormation Hooks to help prevent developers from specifying a [ChannelAddress](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ssmcontacts-contactchannel.html#cfn-ssmcontacts-contactchannel-channeladdress) property that does not belong to your organization for the [AWS::SSMContacts::ContactChannel](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ssmcontacts-contactchannel.html) resource.
* **Detective control example:** Consider using CloudTrail management events to monitor the [CreateContactChannel](https://docs.aws.amazon.com/incident-manager/latest/APIReference/API_SSMContacts_CreateContactChannel.html) API calls in your environment (specifically, the DeliveryAddress request parameter). If necessary, remediate with the responsive controls of your choice.
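The address validation a CloudFormation Hook for `AWS::SSMContacts::ContactChannel` would apply before provisioning, as an added example that is not part of this repository; the organization domains, allowed country codes, the template and the function names (`address_is_trusted`, `check_template`) are constructed for the illustration.

```python
"""Pre-deployment check for AWS::SSMContacts::ContactChannel addresses.

Added example, not part of the aws-samples repository: the validation a
CloudFormation Hook handler would apply before a contact channel is provisioned,
run here against a template dict. EMAIL addresses must belong to an organization-
owned domain; SMS and VOICE addresses must be E.164 numbers with an approved
country code. The allow lists and the template below are constructed.
"""
import re
from typing import Dict, List

ORG_EMAIL_DOMAINS = {"example.com", "corp.example.com"}  # constructed allow list
ALLOWED_COUNTRY_CODES = ("+1", "+44")                     # constructed allow list
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


def address_is_trusted(channel_type: str, address: str) -> bool:
    """True when the address belongs to the organization for the given channel type."""
    if channel_type == "EMAIL":
        local, sep, domain = address.rpartition("@")
        return bool(local) and sep == "@" and domain.lower() in ORG_EMAIL_DOMAINS
    if channel_type in ("SMS", "VOICE"):
        return bool(E164.match(address)) and address.startswith(ALLOWED_COUNTRY_CODES)
    return False  # unknown channel type: fail closed


def check_template(template: Dict) -> List[str]:
    """One finding per contact channel whose ChannelAddress is untrusted or not statically known."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::SSMContacts::ContactChannel":
            continue
        props = resource.get("Properties", {})
        channel_type, address = props.get("ChannelType"), props.get("ChannelAddress")
        if not isinstance(address, str):  # intrinsic function (Ref, Sub): cannot be judged statically
            findings.append(f"{name}: ChannelAddress is not a literal; resolve it before validation")
        elif not address_is_trusted(channel_type, address):
            findings.append(f"{name}: {channel_type} channel address {address!r} is outside the organization")
    return findings


SAMPLE_TEMPLATE = {"Resources": {  # constructed template
    "OnCallEmail": {"Type": "AWS::SSMContacts::ContactChannel", "Properties": {
        "ChannelType": "EMAIL", "ChannelAddress": "oncall@example.com", "ChannelName": "oncall",
        "ContactId": {"Ref": "OnCallContact"}}},
    "VendorEmail": {"Type": "AWS::SSMContacts::ContactChannel", "Properties": {
        "ChannelType": "EMAIL", "ChannelAddress": "oncall@partner.example.net", "ChannelName": "vendor",
        "ContactId": {"Ref": "OnCallContact"}}},
    "PagerSms": {"Type": "AWS::SSMContacts::ContactChannel", "Properties": {
        "ChannelType": "SMS", "ChannelAddress": "+4930123456", "ChannelName": "pager",
        "ContactId": {"Ref": "OnCallContact"}}},
    "DynamicEmail": {"Type": "AWS::SSMContacts::ContactChannel", "Properties": {
        "ChannelType": "EMAIL", "ChannelAddress": {"Ref": "EscalationAddress"}, "ChannelName": "escalation",
        "ContactId": {"Ref": "OnCallContact"}}},
}}

if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print(finding)
```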
**List of service APIs reviewed against data perimeter control objectives**

* AcceptPage
* CreateContact
* CreateContactChannel
* CreateRotation
* CreateRotationOverride
* DeactivateContactChannel
* DeleteContact
* DeleteContactChannel
* DeleteRotation
* DeleteRotationOverride
* DescribeEngagement
* DescribePage
* GetContact
* GetContactChannel
* GetContactPolicy
* GetRotation
* GetRotationOverride
* ListContactChannels
* ListContacts
* ListEngagements
* ListPageReceipts
* ListPageResolutions
* ListPagesByContact
* ListPagesByEngagement
* ListPreviewRotationShifts
* ListRotationOverrides
* ListRotationShifts
* ListRotations
* ListTagsForResource
* PutContactPolicy
* SendActivationCode
* StartEngagement
* StopEngagement
* TagResource
* UntagResource
* UpdateContact
* UpdateContactChannel
* UpdateRotation

--------------------------------------------------------------------------------
/service_specific_guidance/docdb-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: Amazon DocumentDB

This document outlines service-specific guidance for implementing a data perimeter for Amazon DocumentDB.

Amazon DocumentDB is a fully managed, MongoDB-compatible database service designed for scalability and high availability. It allows developers to store, query, and index JSON-like documents with ease, providing the performance, scalability, and availability needed for mission-critical workloads. DocumentDB automates time-consuming database management tasks such as hardware provisioning, patching, and backups, enabling users to focus on application development.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|---------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | Y |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | Y |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.

**Additional consideration 1**

Perimeter type applicability: identity perimeter applied on resource; resource perimeter applied on identity.

ModifyDBClusterSnapshotAttribute allows you to share a cluster snapshot with another account.

See ["Sid":"PreventExternalResourceShare"](https://github.com/aws-samples/data-perimeter-policy-examples/tree/main/service_control_policies#sidpreventexternalresourceshare) for a list of resources that can be granted cross-account access.

If you want to restrict access so that only trusted identities can take actions against your resources, consider implementing these additional controls:

* **Preventative control example:** Consider restricting [ModifyDBClusterSnapshotAttribute](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_ModifyDBClusterSnapshotAttribute.html) permissions to administrators only using an SCP. See [data_perimeter_governance_scp.json](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/service_control_policies/data_perimeter_governance_scp.json) for an example policy.
* **Detective control example:** Consider using CloudTrail management events to monitor the [ModifyDBClusterSnapshotAttribute](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_ModifyDBClusterSnapshotAttribute.html) API calls in your environment (specifically, the [ValuesToAdd.AttributeValue.N](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_ModifyDBClusterSnapshotAttribute.html#API_ModifyDBClusterSnapshotAttribute_RequestParameters) request parameter). If necessary, remediate with the responsive controls of your choice.

If you want to restrict access so that your identities cannot view resources that were shared with your accounts by untrusted entities, consider implementing this additional control:

* **Detective control example:** Consider using [DescribeDBClusterSnapshots](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_DescribeDBClusterSnapshots.html) to monitor the snapshots shared with your accounts (specifically, the [DBClusterSnapshots.DBClusterSnapshot.N](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_DescribeDBClusterSnapshots.html#API_DescribeDBClusterSnapshots_ResponseElements) response parameter). If necessary, remediate with the responsive controls of your choice.
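Detection logic for the CloudTrail-based detective controls recommended here and in the KMS guidance earlier on this page (DocumentDB `ModifyDBClusterSnapshotAttribute` ValuesToAdd and KMS `CreateGrant` GranteePrincipal), plus an owner check for the ARNs returned by `DescribeDBClusterSnapshots` and `ListRetirableGrants`; this is an added example, not code from the aws-samples repository. The trusted account set, the CloudTrail records and the function names (`triage`, `untrusted_owners`) are constructed for the illustration.

```python
"""Triage CloudTrail management events for cross-account sharing.

Added example, not part of the aws-samples guidance. It flags KMS CreateGrant
calls whose GranteePrincipal is outside the trusted account set and DocumentDB
ModifyDBClusterSnapshotAttribute calls that add an untrusted account (or "all")
to the "restore" attribute, and screens ARNs returned by ListRetirableGrants /
DescribeDBClusterSnapshots for untrusted owners. All records below are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional

TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}  # constructed organization accounts
ACCOUNT_ID = re.compile(r"^\d{12}$")
# Service principals ("logs.us-east-1.amazonaws.com") are expected grantees for
# grants that AWS services create on your behalf (see kms:GrantIsForAWSResource).
SERVICE_PRINCIPAL = re.compile(r"^[a-z0-9.-]+\.amazonaws\.com$")


def arn_account(arn: str) -> Optional[str]:
    """Account field of arn:partition:service:region:account:resource, if well formed."""
    parts = arn.split(":", 5)
    if len(parts) == 6 and ACCOUNT_ID.match(parts[4]):
        return parts[4]
    return None


def check_create_grant(params: Dict) -> List[str]:
    """GranteePrincipal may be a bare account id, an IAM ARN or a service principal."""
    grantee = params.get("granteePrincipal", "")
    if SERVICE_PRINCIPAL.match(grantee):
        return []
    account = grantee if ACCOUNT_ID.match(grantee) else arn_account(grantee)
    if account in TRUSTED_ACCOUNTS:
        return []
    return [f"CreateGrant on {params.get('keyId')} to untrusted grantee {grantee!r}"]


def check_snapshot_attribute(params: Dict) -> List[str]:
    """ValuesToAdd on the 'restore' attribute lists account ids, or 'all' for public access."""
    if params.get("attributeName") != "restore":
        return []
    snapshot = params.get("dBClusterSnapshotIdentifier")  # CloudTrail's camel-casing of the RDS field
    return [f"snapshot {snapshot} restore access granted to {value!r}"
            for value in params.get("valuesToAdd") or []
            if value == "all" or value not in TRUSTED_ACCOUNTS]


# DocumentDB shares the RDS control plane, so its events carry eventSource rds.amazonaws.com.
HANDLERS = {
    ("kms.amazonaws.com", "CreateGrant"): check_create_grant,
    ("rds.amazonaws.com", "ModifyDBClusterSnapshotAttribute"): check_snapshot_attribute,
}


def triage(events: Iterable[Dict]) -> List[str]:
    """Return one finding per untrusted share found in successful, in-scope events."""
    findings: List[str] = []
    for event in events:
        if event.get("errorCode"):  # the call failed, so nothing was shared
            continue
        handler = HANDLERS.get((event.get("eventSource"), event.get("eventName")))
        if handler:
            findings.extend(handler(event.get("requestParameters") or {}))
    return findings


def untrusted_owners(arns: Iterable[str]) -> List[str]:
    """ARNs (KeyId from ListRetirableGrants, DBClusterSnapshotArn from
    DescribeDBClusterSnapshots) owned by accounts outside the organization."""
    return [arn for arn in arns if arn_account(arn) not in TRUSTED_ACCOUNTS]


# Constructed CloudTrail records, trimmed to the fields the checks use.
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/11111111-2222-3333-4444-555555555555"
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "requestParameters": {"keyId": KEY_ARN,
                           "granteePrincipal": "arn:aws:iam::333333333333:role/VendorRole"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "requestParameters": {"keyId": KEY_ARN, "granteePrincipal": "logs.us-east-1.amazonaws.com"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBClusterSnapshotAttribute",
     "requestParameters": {"dBClusterSnapshotIdentifier": "docdb-nightly", "attributeName": "restore",
                           "valuesToAdd": ["222222222222", "444444444444"]}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBClusterSnapshotAttribute",
     "errorCode": "AccessDenied",
     "requestParameters": {"dBClusterSnapshotIdentifier": "docdb-nightly", "attributeName": "restore",
                           "valuesToAdd": ["all"]}},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```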
**List of service APIs reviewed against data perimeter control objectives**

* AddSourceIdentifierToSubscription
* AddTagsToResource
* CopyDBClusterParameterGroup
* CopyDBClusterSnapshot
* CreateDBCluster
* CreateDBClusterParameterGroup
* CreateDBClusterSnapshot
* CreateDBInstance
* CreateDBSubnetGroup
* CreateEventSubscription
* CreateGlobalCluster
* DeleteDBCluster
* DeleteDBClusterParameterGroup
* DeleteDBClusterSnapshot
* DeleteDBInstance
* DeleteDBSubnetGroup
* DeleteEventSubscription
* DeleteGlobalCluster
* DescribeCertificates
* DescribeDBClusterParameterGroups
* DescribeDBClusterParameters
* DescribeDBClusters
* DescribeDBClusterSnapshotAttributes
* DescribeDBClusterSnapshots
* DescribeDBEngineVersions
* DescribeDBInstances
* DescribeDBSubnetGroups
* DescribeEngineDefaultClusterParameters
* DescribeEventCategories
* DescribeEvents
* DescribeEventSubscriptions
* DescribeGlobalClusters
* DescribeOrderableDBInstanceOptions
* DescribePendingMaintenanceActions
* FailoverGlobalCluster
* ListTagsForResource
* ModifyDBCluster
* ModifyDBClusterParameterGroup
* ModifyDBClusterSnapshotAttribute
* ModifyDBInstance
* ModifyDBSubnetGroup
* ModifyEventSubscription
* ModifyGlobalCluster
* RemoveSourceIdentifierFromSubscription
* RemoveTagsFromResource
* ResetDBClusterParameterGroup
* RestoreDBClusterFromSnapshot
* RestoreDBClusterToPointInTime
* SwitchoverGlobalCluster

--------------------------------------------------------------------------------
/service_control_policies/service_specific_controls/restrict_nonvpc_deployment_scp.json:
--------------------------------------------------------------------------------

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventDeploymentSSMAutomationRunbook",
      "Effect": "Deny",
      "Action": [
        "ssm:StartAutomationExecution"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude": "true"
        }
      }
    },
    {
      "Sid": "PreventDeploymentCodeStarConnections",
      "Effect": "Deny",
      "Action": [
        "codestar-connections:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude": "true"
        }
      }
    },
    {
      "Sid": "PreventNonVPCDeploymentSageMaker",
      "Effect": "Deny",
      "Action": [
        "sagemaker:CreateAutoMLJob",
        "sagemaker:CreateAutoMLJobV2",
        "sagemaker:CreateCluster",
        "sagemaker:CreateDataQualityJobDefinition",
        "sagemaker:CreateDomain",
        "sagemaker:CreateHyperParameterTuningJob",
        "sagemaker:CreateModel",
        "sagemaker:CreateModelBiasJobDefinition",
        "sagemaker:CreateModelExplainabilityJobDefinition",
        "sagemaker:CreateModelQualityJobDefinition",
        "sagemaker:CreateMonitoringSchedule",
        "sagemaker:CreateNotebookInstance",
        "sagemaker:CreateProcessingJob",
        "sagemaker:CreateTrainingJob",
        "sagemaker:UpdateDomain",
        "sagemaker:UpdateMonitoringSchedule"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude": "true"
        },
        "Null": {
          "sagemaker:VpcSubnets": "true"
        }
      }
    },
    {
      "Sid": "PreventNonVpcOnlySageMakerDomain",
      "Effect": "Deny",
      "Action": [
        "sagemaker:CreateDomain",
        "sagemaker:UpdateDomain"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude": "true",
          "sagemaker:AppNetworkAccessType": "VpcOnly"
        }
      }
    },
    {
      "Sid": "PreventDirectInternetAccessSageMakerNotebook",
      "Effect": "Deny",
      "Action": [
        "sagemaker:CreateNotebookInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "sagemaker:DirectInternetAccess": "Enabled"
        },
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude": "true"
        }
      }
    },
    {
      "Sid": "PreventNonVPCDeploymentLambda",
      "Effect": "Deny",
      "Action": [
        "lambda:CreateFunction",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude": "true"
        },
        "Null": {
          "lambda:VpcIds": "true"
        }
      }
    },
    {
      "Sid": "PreventNonVPCDeploymentGlueJob",
      "Effect": "Deny",
      "Action": [
        "glue:CreateJob",
        "glue:UpdateJob"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude": "true"
        },
        "Null": {
          "glue:VpcIds": "true"
        }
      }
    },
    {
      "Sid": "PreventNonVPCDeploymentCloudShell",
      "Action": [
        "cloudshell:CreateEnvironment"
      ],
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude": "true"
        },
        "Null": {
          "cloudshell:VpcIds": "true"
        }
      }
    },
    {
      "Sid": "PreventNonVPCDeploymentAppRunner",
      "Effect": "Deny",
      "Action": [
        "apprunner:CreateService",
        "apprunner:UpdateService"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude": "true"
        },
        "Null": {
          "apprunner:VpcConnectorArn": "true"
        }
      }
    },
    {
      "Sid": "PreventNonVPCDeploymentCodeBuild",
      "Effect": "Deny",
      "Action": [
        "codebuild:CreateProject",
        "codebuild:UpdateProject",
        "codebuild:CreateFleet",
        "codebuild:UpdateFleet"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude": "true"
        },
        "Null": {
          "codebuild:vpcConfig.vpcId": "true"
        }
      }
    }
  ]
}
```

--------------------------------------------------------------------------------
/service_control_policies/data_perimeter_governance_scp.json:
--------------------------------------------------------------------------------

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventRAMExternalResourceShare",
      "Effect": "Deny",
      "Action": [
        "ram:CreateResourceShare",
        "ram:UpdateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude:identity": "true"
        },
        "Bool": {
          "ram:RequestedAllowsExternalPrincipals": "true"
        }
      }
    },
    {
      "Sid": "PreventExternalResourceShare",
      "Effect": "Deny",
      "Action": [
        "ec2:ModifyImageAttribute",
        "ec2:ModifyFPGAImageAttribute",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:EnableAddressTransfer",
        "ec2:ModifySnapshotAttribute",
        "ec2:ModifyVpcEndpointServicePermissions",
        "ssm:ModifyDocumentPermission",
        "rds:ModifyDBSnapshotAttribute",
        "rds:ModifyDBClusterSnapshotAttribute",
        "redshift:AuthorizeDataShare",
        "redshift:AuthorizeSnapshotAccess",
        "redshift:AuthorizeEndpointAccess",
        "ds:ShareDirectory",
        "directconnect:CreateDirectConnectGatewayAssociationProposal",
        "detective:CreateMembers",
        "lakeformation:GrantPermissions",
        "lakeformation:BatchGrantPermissions",
        "appstream:UpdateImagePermissions",
        "macie2:CreateInvitations",
        "securityhub:CreateMembers",
        "securityhub:InviteMembers",
        "guardduty:CreateMembers",
        "guardduty:InviteMembers",
        "auditmanager:StartAssessmentFrameworkShare",
        "workspaces:UpdateWorkspaceImagePermission",
        "oam:CreateLink",
        "servicecatalog:CreatePortfolioShare",
        "servicecatalog:UpdatePortfolioShare",
        "config:PutConfigurationAggregator",
        "config:PutAggregationAuthorization",
        "fis:CreateTargetAccountConfiguration",
        "globalaccelerator:CreateCrossAccountAttachment",
        "cloud9:CreateEnvironmentMembership",
        "connect:BatchAssociateAnalyticsDataSet",
        "redshift-serverless:PutResourcePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude:identity": "true"
        }
      }
    },
    {
      "Sid": "RestrictKMSGrantsCreationToAWSServices",
      "Effect": "Deny",
      "Action": "kms:CreateGrant",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "kms:GrantIsForAWSResource": "false",
          "aws:PrincipalIsAWSService": "false"
        },
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude:identity": "true"
        }
      }
    },
    {
      "Sid": "ProtectActionsNotSupportedByPrimaryDPControls",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTransitGatewayPeeringAttachment",
        "ec2:AcceptTransitGatewayPeeringAttachment",
        "ec2:RejectTransitGatewayPeeringAttachment",
        "ec2:DeleteTransitGatewayPeeringAttachment",
        "ec2:CreateVpcPeeringConnection",
        "ec2:AcceptVpcPeeringConnection",
        "ec2:RejectVpcPeeringConnection",
        "ec2:DeleteVpcPeeringConnection",
        "ec2:CreateVpcEndpoint",
        "ec2:AcceptVpcEndpointConnections",
        "ec2:RejectVpcEndpointConnections",
        "ec2:CopySnapshot",
        "route53:CreateVPCAssociationAuthorization",
        "route53:AssociateVPCWithHostedZone",
        "route53:DisassociateVPCFromHostedZone",
        "route53:ListHostedZonesByVPC",
        "route53:DeleteVPCAssociationAuthorization",
        "macie2:AcceptInvitation",
        "securityhub:AcceptAdministratorInvitation",
        "guardduty:AcceptAdministratorInvitation",
        "auditmanager:UpdateAssessmentFrameworkShare",
        "es:AcceptInboundConnection",
        "ds:AcceptSharedDirectory"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude:resource": "true"
        }
      }
    },
    {
      "Sid": "PreventLambdaFunctionURLAuthNone",
      "Effect": "Deny",
      "Action": [
        "lambda:AddPermission",
        "lambda:UpdateFunctionUrlConfig",
        "lambda:CreateFunctionUrlConfig"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/dp:exclude:identity": "true"
        },
        "StringEquals": {
          "lambda:FunctionUrlAuthType": "NONE"
        }
      }
    },
    {
      "Sid": "ProtectDataPerimeterTags",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/team": "admin"
        },
        "ForAnyValue:StringLike": {
          "aws:TagKeys": [
            "dp:*",
            "team"
          ]
        }
      }
    }
  ]
}
```

--------------------------------------------------------------------------------
/service_specific_guidance/sesv2-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: Amazon Simple Email Service V2

This document outlines service-specific guidance for implementing a data perimeter for Amazon Simple Email Service V2.

Amazon Simple Email Service (SES) V2 is a cloud-based email sending service that enables you to send marketing, notification, and transactional emails. It provides a reliable, scalable, and cost-effective way for businesses and developers to send and receive emails using their own email addresses and domains. SES V2 offers advanced features like improved deliverability, detailed sending statistics, and enhanced security controls.
8 | 9 | 10 | The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any. 11 | 12 | | Perimeter type | Security objective | Applied on | Policy type | Additional considerations | 13 | |----------------|-------------------|------------|-------------|------------------------| 14 | | Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N | 15 | | Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N | 16 | | Resource perimeter | My identities can access only trusted resources | Identity | SCP | Y | 17 | | Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N | 18 | | Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N | 19 | | Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N | 20 | 21 | *Y – Additional considerations apply. N – No additional considerations apply. 22 | 23 | 24 | > Amazon SES has two versions of APIs. See also the service-specific guidance for [the version 1 of the Amazon SES API](../ses/ses-specific-guidance.md). 25 | 26 | 27 | **Additional consideration 1** 28 | 29 | Perimeter type applicability: resource perimeter applied on identity. 30 | 31 | SendEmail allows you to send an email message. Because the subsequent requests are not governed by IAM, they are not restricted with `aws:ResourceOrgID` implemented in an SCP. 
32 | 33 | If you want to restrict access to trusted resources, consider implementing this additional control: 34 | 35 | * **Preventative control example:** Consider implementing [ses:Recipients](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpleemailservicev2.html#amazonsimpleemailservicev2-ses_Recipients) in an SCP to help prevent requests to untrusted resources. See [restrict_untrusted_endpoints_scp.json](https://github.com/aws-samples/data-perimeter-policy-examples/tree/main/service_control_policies/service_specific_controls/restrict_untrusted_endpoints_scp.json) for an example policy. 36 | 37 | 38 | **Additional consideration 2** 39 | 40 | Perimeter type applicability: resource perimeter applied on identity. 41 | 42 | SendCustomVerificationEmail allows you to send a verification email message using a template. Because the subsequent requests are not governed by IAM, they are not restricted with `aws:ResourceOrgID` implemented in an SCP. 43 | 44 | If you want to restrict access to trusted resources, consider implementing this additional control: 45 | 46 | * **Preventative control example:** Consider restricting [SendCustomVerificationEmail](https://docs.aws.amazon.com/ses/latest/APIReference/API_SendCustomVerificationEmail.html) permissions to administrators only using an SCP. See [restrict_untrusted_endpoints_scp.json](https://github.com/aws-samples/data-perimeter-policy-examples/tree/main/service_control_policies/service_specific_controls/restrict_untrusted_endpoints_scp.json) for an example policy. 
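
The `ses:Recipients` key is multivalued, so the set operator you pair it with decides whether a mixed recipient list is blocked. The following Python script is an added example (it is not code from this repository): it models how a Deny statement on `ses:SendEmail`/`ses:SendBulkEmail` is evaluated against a request, following the set-operator semantics documented for multivalued IAM context keys, and contrasts the recommended `ForAnyValue:StringNotLike` form with the `ForAllValues` variant that only denies when every recipient is untrusted and that evaluates to true when the key is absent. The trusted domain `example.com` and all request samples are constructed; test the final statement in the IAM policy simulator before deploying it as an SCP.

```python
"""Added example; not code from the data-perimeter-policy-examples repository.

Minimal evaluator for a Deny statement on ses:SendEmail that uses the multivalued
ses:Recipients condition key. Trusted domain and request samples are constructed."""
import re

TRUSTED_RECIPIENT_PATTERNS = ["*@example.com"]  # assumption: only corporate recipients are trusted

# Recommended shape: deny if ANY recipient falls outside the trusted patterns.
RESTRICT_RECIPIENTS = {
    "Sid": "PreventSendEmailToUntrustedRecipients",
    "Effect": "Deny",
    "Action": ["ses:SendEmail", "ses:SendBulkEmail"],
    "Resource": "*",
    "Condition": {"ForAnyValue:StringNotLike": {"ses:Recipients": TRUSTED_RECIPIENT_PATTERNS}},
}

# Common mistake: ForAllValues only denies when EVERY recipient is untrusted, and it
# evaluates to true when the key is missing from the request entirely.
RESTRICT_RECIPIENTS_WRONG = dict(
    RESTRICT_RECIPIENTS,
    Condition={"ForAllValues:StringNotLike": {"ses:Recipients": TRUSTED_RECIPIENT_PATTERNS}},
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def string_like(value, pattern):
    """IAM StringLike: case-sensitive; '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def condition_matches(operator, request_values, policy_values):
    """Evaluate ForAnyValue/ForAllValues combined with StringLike or StringNotLike.

    request_values is None when the context key is absent from the request. Per the
    IAM documentation, ForAllValues is true for a missing key and ForAnyValue is false."""
    set_op, base_op = operator.split(":")
    negate = base_op == "StringNotLike"
    if request_values is None:
        return set_op == "ForAllValues"

    def satisfied(value):
        hit = any(string_like(value, p) for p in _as_list(policy_values))
        return (not hit) if negate else hit

    quantifier = any if set_op == "ForAnyValue" else all
    return quantifier(satisfied(v) for v in _as_list(request_values))


def deny_applies(statement, action, context):
    """True when the Deny statement matches the action and every condition block is satisfied."""
    if statement["Effect"] != "Deny":
        return False
    if not any(string_like(action, a) for a in _as_list(statement["Action"])):
        return False
    for operator, keys in statement.get("Condition", {}).items():
        for key, policy_values in keys.items():
            if not condition_matches(operator, context.get(key), policy_values):
                return False
    return True


if __name__ == "__main__":
    mixed = {"ses:Recipients": ["alice@example.com", "mallory@example.net"]}
    print("ForAnyValue denies a mixed recipient list:", deny_applies(RESTRICT_RECIPIENTS, "ses:SendEmail", mixed))
    print("ForAllValues denies a mixed recipient list:", deny_applies(RESTRICT_RECIPIENTS_WRONG, "ses:SendEmail", mixed))
```

Note that `StringLike` is case-sensitive, so patterns should cover the exact form in which recipient addresses reach the condition key; the `ForAllValues` variant is also the reason the IAM documentation warns against that operator in Allow statements, where a missing key silently grants access.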

**List of service APIs reviewed against data perimeter control objectives**
* CreateConfigurationSet
* CreateConfigurationSetEventDestination
* CreateContact
* CreateContactList
* CreateCustomVerificationEmailTemplate
* CreateDedicatedIpPool
* CreateEmailIdentity
* CreateEmailIdentityPolicy
* CreateEmailTemplate
* CreateExportJob
* CreateImportJob
* DeleteConfigurationSet
* DeleteConfigurationSetEventDestination
* DeleteContact
* DeleteContactList
* DeleteCustomVerificationEmailTemplate
* DeleteDedicatedIpPool
* DeleteEmailIdentity
* DeleteEmailIdentityPolicy
* DeleteEmailTemplate
* GetAccount
* GetBlacklistReports
* GetConfigurationSet
* GetConfigurationSetEventDestinations
* GetContact
* GetContactList
* GetCustomVerificationEmailTemplate
* GetDedicatedIpPool
* GetDedicatedIps
* GetDeliverabilityDashboardOptions
* GetEmailIdentity
* GetEmailIdentityPolicies
* GetEmailTemplate
* GetExportJob
* GetImportJob
* ListConfigurationSets
* ListContactLists
* ListContacts
* ListCustomVerificationEmailTemplates
* ListDedicatedIpPools
* ListDeliverabilityTestReports
* ListEmailIdentities
* ListEmailTemplates
* ListExportJobs
* ListImportJobs
* ListRecommendations
* ListSuppressedDestinations
* ListTagsForResource
* PutAccountDedicatedIpWarmupAttributes
* PutAccountSendingAttributes
* PutAccountSuppressionAttributes
* PutAccountVdmAttributes
* PutConfigurationSetDeliveryOptions
* PutConfigurationSetReputationOptions
* PutConfigurationSetSendingOptions
* PutConfigurationSetSuppressionOptions
* PutConfigurationSetTrackingOptions
* PutConfigurationSetVdmOptions
* PutDedicatedIpPoolScalingAttributes
* PutDeliverabilityDashboardOption
* PutEmailIdentityConfigurationSetAttributes
* PutEmailIdentityDkimAttributes
* PutEmailIdentityFeedbackAttributes
* PutEmailIdentityMailFromAttributes
* SendBulkEmail
* SendEmail
* TagResource
* TestRenderEmailTemplate
* UntagResource
* UpdateConfigurationSetEventDestination
* UpdateContact
* UpdateContactList
* UpdateCustomVerificationEmailTemplate
* UpdateEmailIdentityPolicy
* UpdateEmailTemplate

-------------------------------------------------------------------------------- /service_specific_guidance/stepfunctions-specific-guidance.md: --------------------------------------------------------------------------------

# Service-specific guidance: AWS Step Functions

This document outlines service-specific guidance for implementing a data perimeter for AWS Step Functions.

AWS Step Functions is a serverless workflow orchestration service that allows you to coordinate multiple AWS services into streamlined workflows. It enables you to design and run workflows that stitch together services such as AWS Lambda, Amazon ECS, and Amazon SageMaker for applications that require complex sequences of steps. Step Functions provides a visual interface to design and monitor workflow execution, making it easier to build and manage distributed applications.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|--------------------|------------|-------------|---------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | Y |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.

**Additional consideration 1**

Perimeter type applicability: resource perimeter applied on identity.

CreateStateMachine allows you to specify an arbitrary HTTPS endpoint as the `ApiEndpoint` value of an HTTP Task in the `definition` request parameter. Because the subsequent requests against that endpoint are not governed by IAM, they are not restricted by `aws:ResourceOrgID` implemented in an SCP.

If you want to restrict access to trusted resources, consider implementing these additional controls:

* **Preventative control example:** Consider implementing [states:HTTPEndpoint](https://docs.aws.amazon.com/step-functions/latest/dg/call-https-apis.html) in an SCP to help prevent requests to untrusted HTTPS endpoints. See [restrict_untrusted_endpoints_scp.json](https://github.com/aws-samples/data-perimeter-policy-examples/tree/main/service_control_policies/service_specific_controls/restrict_untrusted_endpoints_scp.json) for an example policy.
* **Detective control example:** Consider using CloudTrail management events to monitor the [CreateStateMachine](https://docs.aws.amazon.com/step-functions/latest/apireference/API_CreateStateMachine.html#API_CreateStateMachine_RequestSyntax) API calls in your environment. If necessary, remediate with the responsive controls of your choice.
* **Proactive control example:** Consider implementing CloudFormation Hooks to help prevent developers from specifying the [Definition](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-stepfunctions-statemachine.html#cfn-stepfunctions-statemachine-definition) property with an ApiEndpoint that does not belong to your organization for the [AWS::StepFunctions::StateMachine](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-stepfunctions-statemachine.html) resource.

**Additional consideration 2**

Perimeter type applicability: resource perimeter applied on identity.

UpdateStateMachine allows you to specify an arbitrary HTTPS endpoint as the `ApiEndpoint` value of an HTTP Task in the `definition` request parameter. Because the subsequent requests against that endpoint are not governed by IAM, they are not restricted by `aws:ResourceOrgID` implemented in an SCP.

If you want to restrict access to trusted resources, consider implementing these additional controls:

* **Preventative control example:** Consider implementing [states:HTTPEndpoint](https://docs.aws.amazon.com/step-functions/latest/dg/call-https-apis.html) in an SCP to help prevent requests to untrusted HTTPS endpoints. See [restrict_untrusted_endpoints_scp.json](https://github.com/aws-samples/data-perimeter-policy-examples/tree/main/service_control_policies/service_specific_controls/restrict_untrusted_endpoints_scp.json) for an example policy.
* **Detective control example:** Consider using CloudTrail management events to monitor the [UpdateStateMachine](https://docs.aws.amazon.com/step-functions/latest/apireference/API_UpdateStateMachine.html) API calls in your environment. If necessary, remediate with the responsive controls of your choice.
* **Proactive control example:** Consider implementing CloudFormation Hooks to help prevent developers from specifying the [Definition](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-stepfunctions-statemachine.html#cfn-stepfunctions-statemachine-definition) property with an ApiEndpoint that does not belong to your organization for the [AWS::StepFunctions::StateMachine](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-stepfunctions-statemachine.html) resource.

**List of service APIs reviewed against data perimeter control objectives**
* CreateActivity
* CreateStateMachine
* CreateStateMachineAlias
* DeleteActivity
* DeleteStateMachine
* DeleteStateMachineAlias
* DeleteStateMachineVersion
* DescribeActivity
* DescribeExecution
* DescribeMapRun
* DescribeStateMachine
* DescribeStateMachineAlias
* DescribeStateMachineForExecution
* GetExecutionHistory
* ListActivities
* ListExecutions
* ListMapRuns
* ListStateMachineAliases
* ListStateMachines
* ListStateMachineVersions
* ListTagsForResource
* PublishStateMachineVersion
* RedriveExecution
* StartExecution
* StartSyncExecution
* StopExecution
* TagResource
* TestState
* UntagResource
* UpdateStateMachine
* UpdateStateMachineAlias
* ValidateStateMachineDefinition

-------------------------------------------------------------------------------- /vpc_endpoint_policies/README.md: --------------------------------------------------------------------------------

# VPC endpoint policy examples

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0

## Table of Contents

* [Introduction](#introduction)
* [Description](#description)
* [Included data access patterns](#included-data-access-patterns)

## Introduction

VPC endpoints allow you to apply identity and resource perimeter controls by using VPC endpoint policies. These controls mitigate the risk of unintended data disclosure via noncorporate credentials (for example, developers bringing their personal credentials into your network and uploading corporate data to their personal accounts), and prevent your principals from accessing data stores that are not approved by your company.

## Description

This folder contains examples of VPC endpoint policies that enforce identity and resource perimeter controls while allowing select AWS services to operate on your behalf. These examples do not represent a complete list of valid data access patterns; you are expected to tailor and extend them to suit the needs of your environment. Not all VPC endpoint policy examples contained in this folder include all data access patterns described in the following section. When crafting a VPC endpoint policy for a service that is not covered in this repository, you can start with [default_endpoint_policy.json](default_endpoint_policy.json) and include relevant statements based on your requirements.

For all AWS services where we have provided an example VPC endpoint policy, such as SSM or EC2, we strongly recommend starting with those policies instead of the default VPC endpoint policy. They already contain the service-specific exceptions that allow these services to access their required resources over a VPC endpoint.

Note that VPC endpoint policies do not grant any permissions; instead, they establish a boundary that is the maximum access allowed through the endpoint. You still need to grant appropriate access by using identity-based or resource-based policies.

The methodology you use to deploy these policies will depend on the deployment mechanisms you use to create and manage AWS accounts. For example, you might choose to use [AWS Control Tower](https://aws.amazon.com/controltower/) and the [Customizations for AWS Control Tower solution (CfCT)](https://docs.aws.amazon.com/controltower/latest/userguide/customize-landing-zone.html) to govern your AWS environment at scale. You can use CfCT or your custom CI/CD pipeline to deploy VPC endpoints and VPC endpoint policies that include your identity and resource perimeter controls.

## Included data access patterns

The following policy statements are included in the VPC endpoint policy examples, each statement representing a specific data access pattern.

### "Sid":"AllowRequestsByOrgsIdentitiesToOrgsResources"

This policy statement allows identities from your AWS Organizations organization to send requests through a VPC endpoint to resources that belong to your organization.

### "Sid":"AllowRequestsByAWSServicePrincipals"

This policy statement allows [AWS service principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) to send requests to service-owned resources on your behalf through a VPC endpoint. The `aws:PrincipalIsAWSService` IAM condition key is used to denote this in the policy. Though AWS services rarely use their service principals to make calls from your VPCs, some services that operate within your network might need this statement to be present in the VPC endpoint policies to ensure normal operations. See [service_owned_resources.md](../service_owned_resources.md) for a list of service-owned resources that can be accessed by AWS service principals.

### "Sid":"AllowRequestsToAWSOwnedResources"

This policy statement allows access to specific service-owned resources through a VPC endpoint. You can list ARNs of service-owned resources in the `Resource` element of the statement. You can further restrict access by specifying allowed actions in the `Action` element of the statement. See [service_owned_resources.md](../service_owned_resources.md) for a list of service-owned resources.

### "Sid":"AllowRequestsByOrgsIdentitiesToAWSResources"

This policy statement allows identities from your Organizations organization to send requests through a VPC endpoint to service-owned resources. You can list ARNs of service-owned resources in the `Resource` element of the statement. You can further restrict access by specifying allowed actions in the `Action` element of the statement. See [service_owned_resources.md](../service_owned_resources.md) for a list of service-owned resources that can be accessed by your IAM credentials.

### "Sid":"AllowRequestsByThirdPartyIdentitiesToThirdPartyResources"

This policy statement allows trusted identities outside of your Organizations organization to send requests to trusted resources owned by an account that does not belong to your organization. List ARNs of resources in the `Resource` element of the statement. Further restrict access by specifying allowed actions in the `Action` element of the statement. An example valid use case is a third-party integration that requires you to allow your applications to upload or download objects from a third-party S3 bucket by using third-party-generated presigned Amazon S3 URLs. In this case, the principal that generates the presigned URL belongs to the third-party AWS account.

### "Sid":"AllowRequestsByOrgsIdentitiesToThirdPartyResources"

This policy statement allows identities from your Organizations organization to send requests to trusted resources owned by an account that does not belong to your organization. List ARNs of resources in the `Resource` element of the statement. Further restrict access by specifying allowed actions in the `Action` element of the statement.

### "Sid":"AllowRequestsByOrgsIdentitiesToAnyResources"

This policy statement allows identities from your Organizations organization that are tagged with the `dp:exclude:resource` tag set to `true` to access any resource. Before adding this statement to your VPC endpoint policy, ensure that you have strong tagging governance in place and a valid data-access pattern that warrants its implementation and is not already covered by the previously described statements. If you include this statement in your policy, ensure that you always restrict it to principals in your Organizations organization by using the `aws:PrincipalOrgID` condition key. This prevents access by identities outside your organization that are tagged with the same tag key and value.

-------------------------------------------------------------------------------- /service_specific_guidance/apprunner-specific-guidance.md: --------------------------------------------------------------------------------

# Service-specific guidance: AWS App Runner

This document outlines service-specific guidance for implementing a data perimeter for AWS App Runner.

AWS App Runner is a fully managed service that makes it easy to deploy containerized web applications and APIs at scale. It automatically builds and deploys your code, handles load balancing and scaling, and provides a secure HTTPS endpoint, allowing developers to focus on their application code rather than infrastructure management.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|--------------------|------------|-------------|---------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | Y |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | Y |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | Y |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | Y |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | Y |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | Y |

*Y – Additional considerations apply. N – No additional considerations apply.

**Additional consideration 1**

Perimeter type applicability: all.

UpdateService allows you to enable VPC access for outgoing traffic with a custom VPC connector. A service without a VPC connector sends its outgoing traffic over the public internet, where none of your VPC endpoint policies or network perimeter controls apply.

If you want to achieve data perimeter control objectives, consider implementing these additional controls:

* **Preventative control example:** Consider implementing `apprunner:VpcConnectorArn` in an SCP to help restrict creation of resources to a customer-managed VPC only. See [restrict_nonvpc_deployment_scp.json](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/service_control_policies/service_specific_controls/restrict_nonvpc_deployment_scp.json) for an example policy.
* **Proactive control example:** Consider implementing CloudFormation Hooks to help ensure that developers specify the [NetworkConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-apprunner-service.html#cfn-apprunner-service-networkconfiguration) property of the [AWS::AppRunner::Service](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-apprunner-service.html) resource.
* **Detective control example 1:** Consider implementing the AWS Config rule [apprunner-service-in-vpc](https://docs.aws.amazon.com/config/latest/developerguide/apprunner-service-in-vpc.html) to help detect misconfigurations, or use [advanced queries](https://docs.aws.amazon.com/config/latest/developerguide/querying-AWS-resources.html) to get a one-time view of incorrectly configured resources. If necessary, remediate with the responsive controls of your choice.
* **Detective control example 2:** Consider using CloudTrail management events to monitor the [UpdateService](https://docs.aws.amazon.com/apprunner/latest/api/API_UpdateService.html) API calls in your environment (specifically, the [NetworkConfiguration](https://docs.aws.amazon.com/apprunner/latest/api/API_UpdateService.html#apprunner-UpdateService-request-NetworkConfiguration) request parameter). If necessary, remediate with the responsive controls of your choice.

**Additional consideration 2**

Perimeter type applicability: all.

CreateService allows you to enable VPC access for outgoing traffic with a custom VPC connector. A service created without a VPC connector sends its outgoing traffic over the public internet, where none of your VPC endpoint policies or network perimeter controls apply.

If you want to achieve data perimeter control objectives, consider implementing these additional controls:

* **Preventative control example:** Consider implementing `apprunner:VpcConnectorArn` in an SCP to help restrict creation of resources to a customer-managed VPC only. See [restrict_nonvpc_deployment_scp.json](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/service_control_policies/service_specific_controls/restrict_nonvpc_deployment_scp.json) for an example policy.
* **Proactive control example:** Consider implementing CloudFormation Hooks to help ensure that developers specify the [NetworkConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-apprunner-service.html#cfn-apprunner-service-networkconfiguration) property of the [AWS::AppRunner::Service](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-apprunner-service.html) resource.
* **Detective control example 1:** Consider implementing the AWS Config rule [apprunner-service-in-vpc](https://docs.aws.amazon.com/config/latest/developerguide/apprunner-service-in-vpc.html) to help detect misconfigurations, or use [advanced queries](https://docs.aws.amazon.com/config/latest/developerguide/querying-AWS-resources.html) to get a one-time view of incorrectly configured resources. If necessary, remediate with the responsive controls of your choice.
* **Detective control example 2:** Consider using CloudTrail management events to monitor the [CreateService](https://docs.aws.amazon.com/apprunner/latest/api/API_CreateService.html) API calls in your environment (specifically, the [NetworkConfiguration](https://docs.aws.amazon.com/apprunner/latest/api/API_CreateService.html#apprunner-CreateService-request-NetworkConfiguration) request parameter). If necessary, remediate with the responsive controls of your choice.

**List of service APIs reviewed against data perimeter control objectives**

* AssociateCustomDomain
* CreateAutoScalingConfiguration
* CreateConnection
* CreateObservabilityConfiguration
* CreateService
* CreateVpcConnector
* CreateVpcIngressConnection
* DeleteAutoScalingConfiguration
* DeleteConnection
* DeleteObservabilityConfiguration
* DeleteService
* DeleteVpcConnector
* DeleteVpcIngressConnection
* DescribeAutoScalingConfiguration
* DescribeCustomDomains
* DescribeObservabilityConfiguration
* DescribeService
* DescribeVpcConnector
* DescribeVpcIngressConnection
* DisassociateCustomDomain
* ListAutoScalingConfigurations
* ListConnections
* ListObservabilityConfigurations
* ListOperations
* ListServices
* ListServicesForAutoScalingConfiguration
* ListTagsForResource
* ListVpcConnectors
* ListVpcIngressConnections
* PauseService
* ResumeService
* StartDeployment
* TagResource
* UntagResource
* UpdateDefaultAutoScalingConfiguration
* UpdateService
* UpdateVpcIngressConnection

-------------------------------------------------------------------------------- /service_specific_guidance/codeartifact-specific-guidance.md: --------------------------------------------------------------------------------

# Service-specific guidance: AWS CodeArtifact

This document outlines service-specific guidance for implementing a data perimeter for AWS CodeArtifact.

AWS CodeArtifact is a fully managed artifact repository service that makes it easy for organizations to securely store, publish, and share software packages used in their software development process.
It integrates with commonly used build tools and package managers, allowing developers to easily retrieve dependencies while maintaining control over package access and versioning.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|--------------------|------------|-------------|---------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | Y |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | Y |

*Y – Additional considerations apply. N – No additional considerations apply.

**Additional consideration 1**

Perimeter type applicability: identity and network perimeter applied on resource.

PutRepositoryPermissionsPolicy allows you to apply a resource-based policy to grant access to a repository. The service currently doesn’t support RCPs, so the organization-wide identity and network perimeter cannot be enforced on repositories centrally.

If you want to restrict access to trusted identities and expected networks, consider implementing these additional controls:

* **Preventative control example:** Consider restricting [PutRepositoryPermissionsPolicy](https://docs.aws.amazon.com/codeartifact/latest/APIReference/API_PutRepositoryPermissionsPolicy.html) permissions to administrators only using an SCP. See [restrict_resource_policy_configurations_scp.json](../service_control_policies/service_specific_controls/restrict_resource_policy_configurations_scp.json) for an example policy.
* **Proactive control example:** Consider implementing CloudFormation Hooks to help prevent developers from specifying the [PermissionsPolicyDocument](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-codeartifact-repository.html#cfn-codeartifact-repository-permissionspolicydocument) property for the [AWS::CodeArtifact::Repository](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-codeartifact-repository.html) resource that grants permissions to untrusted identities or unexpected networks.
* **Detective control example:** Consider using CloudTrail management events to monitor the [PutRepositoryPermissionsPolicy](https://docs.aws.amazon.com/codeartifact/latest/APIReference/API_PutRepositoryPermissionsPolicy.html) API calls in your environment (specifically, the [policyDocument](https://docs.aws.amazon.com/codeartifact/latest/APIReference/API_PutRepositoryPermissionsPolicy.html#codeartifact-PutRepositoryPermissionsPolicy-request-policyDocument) request parameter). If necessary, remediate with the responsive controls of your choice.

**Additional consideration 2**

Perimeter type applicability: identity and network perimeter applied on resource.

PutDomainPermissionsPolicy allows you to apply a resource-based policy to grant access to a domain. The service currently doesn’t support RCPs, so the organization-wide identity and network perimeter cannot be enforced on domains centrally.

If you want to restrict access to trusted identities and expected networks, consider implementing these additional controls:

* **Preventative control example:** Consider restricting [PutDomainPermissionsPolicy](https://docs.aws.amazon.com/codeartifact/latest/APIReference/API_PutDomainPermissionsPolicy.html) permissions to administrators only using an SCP. See [restrict_resource_policy_configurations_scp.json](../service_control_policies/service_specific_controls/restrict_resource_policy_configurations_scp.json) for an example policy.
* **Proactive control example:** Consider implementing CloudFormation Hooks to help prevent developers from specifying the [PermissionsPolicyDocument](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-codeartifact-domain.html#cfn-codeartifact-domain-permissionspolicydocument) property for the [AWS::CodeArtifact::Domain](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-codeartifact-domain.html) resource that grants permissions to untrusted identities or unexpected networks.
* **Detective control example:** Consider using CloudTrail management events to monitor the [PutDomainPermissionsPolicy](https://docs.aws.amazon.com/codeartifact/latest/APIReference/API_PutDomainPermissionsPolicy.html) API calls in your environment (specifically, the [policyDocument](https://docs.aws.amazon.com/codeartifact/latest/APIReference/API_PutDomainPermissionsPolicy.html#codeartifact-PutDomainPermissionsPolicy-request-policyDocument) request parameter). If necessary, remediate with the responsive controls of your choice.
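
The detective controls recommended for CodeArtifact above, and the ones recommended for Step Functions CreateStateMachine/UpdateStateMachine earlier on this page, both come down to parsing a JSON string out of a CloudTrail management event and deciding whether it points outside the organization. The following Python script is an added example (not code from this repository) of one such check for both cases: it walks a state machine definition, including Parallel branches and Map processors, for HTTP Tasks whose `ApiEndpoint` is not an HTTPS URL on an organization-owned host (an `ApiEndpoint.$` resolved from state input at run time is reported as unvettable), and it walks a CodeArtifact repository or domain policy for Allow statements that reach principals outside the organization without being pinned by `aws:PrincipalOrgID`. It assumes CloudTrail records `definition` and `policyDocument` as JSON strings in `requestParameters`; the trusted host suffix, organization ID, account IDs and the two sample events are constructed for the example.

```python
"""Added example; not code from the data-perimeter-policy-examples repository.

Detective control over CloudTrail management events for Step Functions
Create/UpdateStateMachine (ApiEndpoint values in the definition) and CodeArtifact
PutRepository/PutDomainPermissionsPolicy (principals in policyDocument).
Assumed: CloudTrail carries `definition` and `policyDocument` as JSON strings;
trusted host suffix, org ID, account IDs and sample events are constructed."""
import json
from urllib.parse import urlparse

TRUSTED_HOST_SUFFIXES = ["api.example.com"]           # assumed organization-owned HTTPS APIs
TRUSTED_ORG_ID = "o-exampleorgid"                    # assumed AWS Organizations ID
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}  # assumed member accounts
HTTP_TASK = "arn:aws:states:::http:invoke"           # Step Functions HTTP Task resource


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_HOST_SUFFIXES)


def iter_states(states):
    """Yield (name, state) for every state, descending into Parallel branches and Map processors."""
    for name, state in states.items():
        yield name, state
        for branch in state.get("Branches", []):
            yield from iter_states(branch.get("States", {}))
        for key in ("ItemProcessor", "Iterator"):
            if key in state:
                yield from iter_states(state[key].get("States", {}))


def untrusted_http_endpoints(definition):
    """Return (state, endpoint, reason) for each HTTP Task whose ApiEndpoint is not a trusted HTTPS host."""
    findings = []
    for name, state in iter_states(definition.get("States", {})):
        if state.get("Type") != "Task" or state.get("Resource") != HTTP_TASK:
            continue
        params = state.get("Parameters", {})
        if "ApiEndpoint.$" in params:
            # Endpoint is taken from the state input at run time and cannot be vetted
            # statically; report it rather than silently passing it.
            findings.append((name, params["ApiEndpoint.$"], "dynamic endpoint"))
            continue
        endpoint = params.get("ApiEndpoint", "")
        parsed = urlparse(endpoint)
        if parsed.scheme != "https" or not _trusted_host(parsed.hostname or ""):
            findings.append((name, endpoint, "untrusted host"))
    return findings


def untrusted_principals(policy):
    """Return (Sid, principal) for Allow statements that reach outside the organization.
    A statement pinned to the org by aws:PrincipalOrgID is accepted whatever its Principal
    says; service principals ("Service") are out of scope for this check."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if TRUSTED_ORG_ID in _as_list(equals.get("aws:PrincipalOrgID", [])):
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in arns:
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account not in TRUSTED_ACCOUNTS:
                findings.append((stmt.get("Sid"), arn))
    return findings


def inspect_event(event):
    """Route one CloudTrail record to the matching check; an empty list means nothing to flag."""
    source, name = event.get("eventSource"), event.get("eventName")
    params = event.get("requestParameters") or {}
    if source == "states.amazonaws.com" and name in ("CreateStateMachine", "UpdateStateMachine"):
        return untrusted_http_endpoints(json.loads(params["definition"]))
    if source == "codeartifact.amazonaws.com" and name in (
            "PutRepositoryPermissionsPolicy", "PutDomainPermissionsPolicy"):
        return untrusted_principals(json.loads(params["policyDocument"]))
    return []


# Constructed sample records in the shape of CloudTrail management events.
SAMPLE_SFN_EVENT = {
    "eventSource": "states.amazonaws.com", "eventName": "CreateStateMachine",
    "requestParameters": {"name": "order-sync", "definition": json.dumps({
        "StartAt": "CallInternal",
        "States": {
            "CallInternal": {"Type": "Task", "Resource": HTTP_TASK, "Next": "Fanout", "Parameters": {
                "ApiEndpoint": "https://orders.api.example.com/v1/orders", "Method": "POST"}},
            "Fanout": {"Type": "Parallel", "End": True, "Branches": [
                {"StartAt": "CallPartner", "States": {"CallPartner": {
                    "Type": "Task", "Resource": HTTP_TASK, "End": True, "Parameters": {
                        "ApiEndpoint": "https://hooks.partner.example.net/v2", "Method": "POST"}}}},
                {"StartAt": "CallDynamic", "States": {"CallDynamic": {
                    "Type": "Task", "Resource": HTTP_TASK, "End": True, "Parameters": {
                        "ApiEndpoint.$": "$.target", "Method": "GET"}}}}]}}})}}

SAMPLE_CA_EVENT = {
    "eventSource": "codeartifact.amazonaws.com", "eventName": "PutRepositoryPermissionsPolicy",
    "requestParameters": {"domain": "corp", "repository": "npm-store", "policyDocument": json.dumps({
        "Version": "2012-10-17", "Statement": [
            {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*", "Resource": "*",
             "Action": "codeartifact:ReadFromRepository",
             "Condition": {"StringEquals": {"aws:PrincipalOrgID": TRUSTED_ORG_ID}}},
            {"Sid": "VendorPublish", "Effect": "Allow", "Resource": "*",
             "Principal": {"AWS": "arn:aws:iam::333333333333:role/ci"},
             "Action": "codeartifact:PublishPackageVersion"}]})}}

if __name__ == "__main__":
    for record in (SAMPLE_SFN_EVENT, SAMPLE_CA_EVENT):
        print(record["eventName"], inspect_event(record))
```

In a deployment, `inspect_event` would run in a Lambda function subscribed to these event names through EventBridge, with the findings routed to the responsive control of your choice; the principal check deliberately accepts only an exact `aws:PrincipalOrgID` match under `StringEquals`, so a production version should also recognise `aws:PrincipalOrgPaths` and the `...IfExists` variants before treating a statement as in-scope.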

**List of service APIs reviewed against data perimeter control objectives**

* AssociateExternalConnection
* CopyPackageVersions
* CreateDomain
* CreatePackageGroup
* CreateRepository
* DeleteDomain
* DeleteDomainPermissionsPolicy
* DeletePackage
* DeletePackageGroup
* DeletePackageVersions
* DeleteRepository
* DeleteRepositoryPermissionsPolicy
* DescribeDomain
* DescribePackage
* DescribePackageGroup
* DescribePackageVersion
* DescribeRepository
* DisassociateExternalConnection
* DisposePackageVersions
* GetAssociatedPackageGroup
* GetAuthorizationToken
* GetDomainPermissionsPolicy
* GetPackageVersionAsset
* GetRepositoryEndpoint
* GetRepositoryPermissionsPolicy
* ListAssociatedPackages
* ListDomains
* ListPackageGroups
* ListPackageVersionAssets
* ListPackageVersionDependencies
* ListPackageVersions
* ListPackages
* ListRepositories
* ListRepositoriesInDomain
* ListSubPackageGroups
* ListTagsForResource
* PublishPackageVersion
* PutDomainPermissionsPolicy
* PutPackageOriginConfiguration
* PutRepositoryPermissionsPolicy
* TagResource
* UntagResource
* UpdatePackageGroup
* UpdatePackageGroupOriginConfiguration
* UpdatePackageVersionsStatus
* UpdateRepository

--------------------------------------------------------------------------------
/vpc_endpoint_policies/s3_endpoint_policy.json:
--------------------------------------------------------------------------------

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "",
                    "aws:ResourceOrgID": ""
                }
            }
        },
        {
            "Sid": "AllowRequestsByAWSServicePrincipals",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:PrincipalIsAWSService": "true"
                }
            }
        },
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToAWSResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "",
                    "aws:PrincipalOrgID": ""
                }
            }
        },
        {
            "Sid": "AllowRequestsToAWSOwnedResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::packages..amazonaws.com/*",
                "arn:aws:s3:::repo..amazonaws.com/*",
                "arn:aws:s3:::amazonlinux..amazonaws.com/*",
                "arn:aws:s3:::amazonlinux-2-repos-/*",
                "arn:aws:s3:::al2023-repos--de612dc2/*",
                "arn:aws:s3:::al2023-/*",
                "arn:aws:s3:::repo..emr.amazonaws.com/*",
                "arn:aws:s3:::prod..appinfo.src/*",
                "arn:aws:s3:::aws-ssm-/*",
                "arn:aws:s3:::aws-windows-downloads-/*",
                "arn:aws:s3:::amazon-ssm-/*",
                "arn:aws:s3:::amazon-ssm-packages-/*",
                "arn:aws:s3:::-birdwatcher-prod/*",
                "arn:aws:s3:::aws-ssm-distributor-file-/*",
                "arn:aws:s3:::aws-ssm-document-attachments-/*",
                "arn:aws:s3:::patch-baseline-snapshot-/*",
                "arn:aws:s3:::aws-patchmanager-macos-/*",
                "arn:aws:s3:::amazoncloudwatch-agent-/*",
                "arn:aws:s3:::amazoncloudwatch-agent/*",
                "arn:aws:s3:::aws-codedeploy-/*",
                "arn:aws:s3:::ec2imagebuilder-toe--prod/*",
                "arn:aws:s3:::ec2imagebuilder-managed-resources--prod/components/*",
                "arn:aws:s3:::prod--starport-layer-bucket/*",
                "arn:aws:s3:::aws-mgn-clients-/*",
                "arn:aws:s3:::aws-mgn-clients-hashes-/*",
                "arn:aws:s3:::aws-mgn-internal-/*",
                "arn:aws:s3:::aws-mgn-internal-hashes-/*",
                "arn:aws:s3:::aws-application-migration-service-/*",
                "arn:aws:s3:::aws-application-migration-service-hashes-/*",
                "arn:aws:s3:::aws-drs-clients-/*",
                "arn:aws:s3:::aws-drs-clients-hashes-/*",
                "arn:aws:s3:::aws-drs-internal-/*",
                "arn:aws:s3:::aws-drs-internal-hashes-/*",
                "arn:aws:s3:::aws-elastic-disaster-recovery-/*",
                "arn:aws:s3:::aws-elastic-disaster-recovery-hashes-/*",
                "arn:aws:s3:::cloudformation-waitcondition-/*",
                "arn:aws:s3:::cloudformation-custom-resource-response-/*",
                "arn:aws:s3:::aws-ec2-enclave-certificate--prod/*",
                "arn:aws:s3:::assets--/*",
                "arn:aws:s3:::elasticbeanstalk-samples-/*",
                "arn:aws:s3:::elasticbeanstalk-platform-assets-/*",
                "arn:aws:s3:::elasticbeanstalk-env-resources-/*",
                "arn:aws:s3:::elasticbeanstalk-/*",
                "arn:aws:s3:::jumpstart-cache-prod-/*",
                "arn:aws:s3:::jumpstart-cache-prod-",
                "arn:aws:s3:::static--prod-static-/content/dependencies/*",
                "arn:aws:s3:::aws-neptune-notebook",
                "arn:aws:s3:::aws-neptune-notebook/*",
                "arn:aws:s3:::aws-neptune-notebook-",
                "arn:aws:s3:::aws-neptune-notebook-/*"
            ]
        },
        {
            "Sid": "AllowRequestsByThirdPartyIdentitiesToThirdPartyResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "",
            "Resource": "",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalAccount": [
                        "",
                        ""
                    ],
                    "aws:ResourceAccount": [
                        "",
                        ""
                    ]
                }
            }
        },
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToThirdPartyResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "",
            "Resource": "",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "",
                    "aws:ResourceAccount": [
                        "",
                        ""
                    ]
                }
            }
        },
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "",
                    "aws:PrincipalTag/dp:exclude:resource": "true"
                }
            }
        }
    ]
}

--------------------------------------------------------------------------------
/service_specific_guidance/appsync-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: AWS AppSync

This document outlines service-specific guidance for implementing a data perimeter for AWS AppSync.

AWS AppSync is a fully managed service that enables developers to create scalable GraphQL APIs. It simplifies the process of building applications by allowing you to easily connect to various data sources, including Amazon DynamoDB, Lambda, and HTTP APIs. AppSync handles real-time data synchronization and offline programming models, making it ideal for building responsive and collaborative applications across web and mobile platforms.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.
| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|---------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | Y |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | Y |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | Y |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |

*Y – Additional considerations apply. N – No additional considerations apply.

**Additional consideration 1**

Perimeter type applicability: resource perimeter applied on identity.

UpdateDataSource allows you to specify a Lambda function that does not belong to your organization as the value for the lambdaConfig parameter. Because the subsequent call against the function is performed by the service principal, it is not restricted with `aws:ResourceOrgID` implemented in an SCP.

If you want to restrict access to trusted resources, consider implementing these additional controls:

* **Proactive control example:** Consider implementing CloudFormation Hooks to help prevent developers from specifying a Lambda function that does not belong to your organization in the [LambdaConfig](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-appsync-datasource.html#cfn-appsync-datasource-lambdaconfig) property of the [AWS::AppSync::DataSource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-appsync-datasource.html) resource.
* **Detective control example:** Consider using CloudTrail management events to monitor the [UpdateDataSource](https://docs.aws.amazon.com/appsync/latest/APIReference/API_UpdateDataSource.html) API calls in your environment (specifically, the [lambdaConfig](https://docs.aws.amazon.com/appsync/latest/APIReference/API_UpdateDataSource.html#appsync-UpdateDataSource-request-lambdaConfig) request parameter). If necessary, remediate with the responsive controls of your choice.

**Additional consideration 2**

Perimeter type applicability: resource perimeter applied on identity.

CreateDataSource allows you to specify a Lambda function that does not belong to your organization as the value for the lambdaConfig parameter. Because the subsequent call against the function is performed by the service principal, it is not restricted with `aws:ResourceOrgID` implemented in an SCP.

If you want to restrict access to trusted resources, consider implementing these additional controls:

* **Proactive control example:** Consider implementing CloudFormation Hooks to help prevent developers from specifying a Lambda function that does not belong to your organization in the [LambdaConfig](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-appsync-datasource.html#cfn-appsync-datasource-lambdaconfig) property of the [AWS::AppSync::DataSource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-appsync-datasource.html) resource.
* **Detective control example:** Consider using CloudTrail management events to monitor the [CreateDataSource](https://docs.aws.amazon.com/appsync/latest/APIReference/API_CreateDataSource.html) API calls in your environment (specifically, the [lambdaConfig](https://docs.aws.amazon.com/appsync/latest/APIReference/API_CreateDataSource.html#appsync-CreateDataSource-request-lambdaConfig) request parameter). If necessary, remediate with the responsive controls of your choice.
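The detective control in considerations 1 and 2 comes down to one check: does the Lambda function ARN in `lambdaConfig` belong to an account in your organization? The following added example (not part of this repository) runs that check over CloudTrail records offline; it assumes that `requestParameters` mirrors the CreateDataSource/UpdateDataSource request body (so the ARN sits at `lambdaConfig.lambdaFunctionArn`) and that the organization's member account IDs are known (the values below are constructed).

```python
"""Flag AppSync data sources whose Lambda function lives outside the organization."""

# Constructed trusted boundary: the member account IDs of the organization.
ORG_ACCOUNTS = {"111111111111", "222222222222"}
DATA_SOURCE_EVENTS = {"CreateDataSource", "UpdateDataSource"}


def lambda_account(function_arn):
    """Account ID embedded in a Lambda function ARN, or None if the ARN is malformed."""
    # Shape: arn:partition:lambda:region:account-id:function:name[:alias]
    parts = function_arn.split(":")
    if len(parts) < 7 or parts[0] != "arn" or parts[2] != "lambda":
        return None
    return parts[4] or None


def classify(record):
    """Return 'trusted', 'untrusted', 'malformed', or None when no Lambda config is present."""
    if record.get("eventSource") != "appsync.amazonaws.com":
        return None
    if record.get("eventName") not in DATA_SOURCE_EVENTS:
        return None
    # Assumption: requestParameters mirrors the API request body, so the function ARN
    # is at lambdaConfig.lambdaFunctionArn; DynamoDB/HTTP/etc. data sources omit it.
    params = record.get("requestParameters") or {}
    arn = (params.get("lambdaConfig") or {}).get("lambdaFunctionArn")
    if arn is None:
        return None
    account = lambda_account(arn)
    if account is None:
        return "malformed"
    return "trusted" if account in ORG_ACCOUNTS else "untrusted"


def findings(records):
    """(eventName, apiId, data source name, ARN, verdict) for every record that needs review."""
    out = []
    for record in records:
        verdict = classify(record)
        if verdict in ("untrusted", "malformed"):
            params = record["requestParameters"]
            out.append((record["eventName"], params.get("apiId"), params.get("name"),
                        params["lambdaConfig"]["lambdaFunctionArn"], verdict))
    return out


# Constructed CloudTrail records, trimmed to the fields the check uses.
SAMPLE_RECORDS = [
    {"eventSource": "appsync.amazonaws.com", "eventName": "CreateDataSource",
     "requestParameters": {"apiId": "api-1", "name": "orders", "type": "AWS_LAMBDA",
                           "lambdaConfig": {"lambdaFunctionArn":
                               "arn:aws:lambda:us-east-1:999999999999:function:orders"}}},
    {"eventSource": "appsync.amazonaws.com", "eventName": "UpdateDataSource",
     "requestParameters": {"apiId": "api-1", "name": "users", "type": "AWS_LAMBDA",
                           "lambdaConfig": {"lambdaFunctionArn":
                               "arn:aws:lambda:us-east-1:111111111111:function:users"}}},
    {"eventSource": "appsync.amazonaws.com", "eventName": "CreateDataSource",
     "requestParameters": {"apiId": "api-1", "name": "table", "type": "AMAZON_DYNAMODB"}},
    {"eventSource": "appsync.amazonaws.com", "eventName": "UpdateDataSource",
     "requestParameters": {"apiId": "api-2", "name": "bad", "type": "AWS_LAMBDA",
                           "lambdaConfig": {"lambdaFunctionArn": "not-an-arn"}}},
]

if __name__ == "__main__":
    for finding in findings(SAMPLE_RECORDS):
        print(*finding)
```

A malformed ARN is reported rather than silently accepted, since an unparseable value is exactly what an automated check should hand to a human.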

**Additional consideration 3**

Perimeter type applicability: identity and resource perimeter applied on network.

The service does not currently support VPC endpoint policies.

If you want to restrict access to your networks to trusted identities and trusted resources, consider implementing these additional controls:

* **Preventative control example 1:** Consider implementing `aws:ResourceOrgID` in an SCP to restrict service API calls so that your identities can only access trusted resources. See [resource_perimeter_scp.json](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/service_control_policies/resource_perimeter_scp.json) for an example policy.
* **Preventative control example 2:** Consider using your existing security appliances such as outbound proxies to inspect service API calls in your environment for the identities making the calls and resources being accessed, and restrict the calls accordingly. This type of solution might have implications for security, scalability, latency, and reliability that you should evaluate carefully.

**List of service APIs reviewed against data perimeter control objectives**

* AssociateMergedGraphqlApi
* AssociateSourceGraphqlApi
* CreateApiCache
* CreateApiKey
* CreateDataSource
* CreateFunction
* CreateGraphqlApi
* CreateResolver
* CreateType
* DeleteApiKey
* DeleteDataSource
* DeleteFunction
* DeleteGraphqlApi
* DeleteResolver
* DeleteType
* DisassociateMergedGraphqlApi
* DisassociateSourceGraphqlApi
* FlushApiCache
* GetApiAssociation
* GetApiCache
* GetDataSource
* GetDataSourceIntrospection
* GetDomainName
* GetFunction
* GetGraphqlApi
* GetGraphqlApiEnvironmentVariables
* GetIntrospectionSchema
* GetResolver
* GetSchemaCreationStatus
* GetSourceApiAssociation
* GetType
* ListApiKeys
* ListDataSources
* ListDomainNames
* ListFunctions
* ListGraphqlApis
* ListResolvers
* ListResolversByFunction
* ListSourceApiAssociations
* ListTagsForResource
* ListTypes
* ListTypesByAssociation
* PutGraphqlApiEnvironmentVariables
* StartDataSourceIntrospection
* StartSchemaCreation
* StartSchemaMerge
* TagResource
* UntagResource
* UpdateApiCache
* UpdateApiKey
* UpdateDataSource
* UpdateDomainName
* UpdateFunction
* UpdateGraphqlApi
* UpdateResolver
* UpdateSourceApiAssociation
* UpdateType

--------------------------------------------------------------------------------
/service_specific_guidance/dynamodb-specific-guidance.md:
--------------------------------------------------------------------------------

# Service-specific guidance: Amazon DynamoDB

This document outlines service-specific guidance for implementing a data perimeter for Amazon DynamoDB.

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. It allows you to store and retrieve any amount of data, and serve any level of request traffic. DynamoDB offers built-in security, backup and restore, and in-memory caching for internet-scale applications.

The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.

| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
|----------------|-------------------|------------|-------------|---------------------------|
| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | Y |
| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | Y |

*Y – Additional considerations apply. N – No additional considerations apply.

**Additional consideration 1**

Perimeter type applicability: identity and network perimeter applied on resource.

PutResourcePolicy allows you to apply a resource-based policy to grant access to a table or stream. The service currently doesn’t support RCPs.

If you want to restrict access to trusted identities and expected networks, consider implementing these additional controls:

* **Preventative control example:** Consider restricting [PutResourcePolicy](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_PutResourcePolicy.html) permissions to administrators only using an SCP. See [restrict_resource_policy_configurations_scp.json](../service_control_policies/service_specific_controls/restrict_resource_policy_configurations_scp.json) for an example policy.
* **Proactive control example 1:** Consider implementing CloudFormation Hooks to help prevent developers from specifying the [ResourcePolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.html#cfn-dynamodb-table-resourcepolicy) property for the [AWS::DynamoDB::Table](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html) resource that grants permissions to untrusted identities or unexpected networks.
* **Proactive control example 2:** Consider implementing CloudFormation Hooks to help prevent developers from specifying the [ResourcePolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-dynamodb-globaltable-replicaspecification.html#cfn-dynamodb-globaltable-replicaspecification-resourcepolicy) property for the [AWS::DynamoDB::GlobalTable](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-globaltable.html) resource that grants permissions to untrusted identities or unexpected networks.
* **Detective control example 1:** Consider using [AWS Identity and Access Management Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html) external access analyzers to help identify resource types that support resource-based policies in your accounts that are shared with untrusted identities. If necessary, remediate with the responsive controls of your choice.
* **Detective control example 2:** Consider using CloudTrail management events to monitor the [PutResourcePolicy](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_PutResourcePolicy.html) API calls in your environment (specifically, the [Policy](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_PutResourcePolicy.html#DDB-PutResourcePolicy-request-Policy) request parameter). If necessary, remediate with the responsive controls of your choice.

**Additional consideration 2**

Perimeter type applicability: identity and network perimeter applied on resource.

CreateTable allows you to apply a resource-based policy to grant access to a table. The service currently doesn’t support RCPs.

If you want to restrict access to trusted identities and expected networks, consider implementing these additional controls:

* **Proactive control example:** Consider implementing CloudFormation Hooks to help prevent developers from specifying the [ResourcePolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.html#cfn-dynamodb-table-resourcepolicy) property for the [AWS::DynamoDB::Table](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html) resource that grants permissions to untrusted identities or unexpected networks.
* **Detective control example 1:** Consider using [AWS Identity and Access Management Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html) external access analyzers to help identify resource types that support resource-based policies in your accounts that are shared with untrusted identities. If necessary, remediate with the responsive controls of your choice.
* **Detective control example 2:** Consider using CloudTrail management events to monitor the [CreateTable](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_CreateTable.html) API calls in your environment (specifically, the [ResourcePolicy](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_CreateTable.html#DDB-CreateTable-request-ResourcePolicy) request parameter).

**List of service APIs reviewed against data perimeter control objectives**

* BatchExecuteStatement
* BatchGetItem
* BatchWriteItem
* CreateBackup
* CreateGlobalTable
* CreateTable
* DeleteBackup
* DeleteItem
* DeleteResourcePolicy
* DeleteTable
* DescribeBackup
* DescribeContinuousBackups
* DescribeContributorInsights
* DescribeEndpoints
* DescribeExport
* DescribeGlobalTable
* DescribeGlobalTableSettings
* DescribeImport
* DescribeKinesisStreamingDestination
* DescribeLimits
* DescribeTable
* DescribeTableReplicaAutoScaling
* DescribeTimeToLive
* DisableKinesisStreamingDestination
* EnableKinesisStreamingDestination
* ExecuteStatement
* ExecuteTransaction
* ExportTableToPointInTime
* GetItem
* GetResourcePolicy
* ImportTable
* ListBackups
* ListContributorInsights
* ListExports
* ListGlobalTables
* ListImports
* ListTables
* ListTagsOfResource
* PutItem
* PutResourcePolicy
* Query
* RestoreTableFromBackup
* RestoreTableToPointInTime
* Scan
* TagResource
* TransactGetItems
* TransactWriteItems
* UntagResource
* UpdateContinuousBackups
* UpdateContributorInsights
* UpdateGlobalTable
* UpdateGlobalTableSettings
* UpdateItem
* UpdateTable
* UpdateTableReplicaAutoScaling
* UpdateTimeToLive

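The CloudTrail detective controls for DynamoDB PutResourcePolicy and CreateTable above, and for CodeArtifact PutDomainPermissionsPolicy in the CodeArtifact guidance, all reduce to the same question: does the submitted resource-based policy grant access to a principal outside the organization? The following added example (not part of this repository) answers it offline for constructed CloudTrail records; it assumes `requestParameters` mirrors each API's request body (the policy arrives as a JSON string under `policyDocument`, `Policy`, or `ResourcePolicy`, matched here case-insensitively) and that "trusted" means the organization's own ID and member accounts, which are constructed values below.

```python
import json

# Constructed trusted boundary: the organization ID and its member account IDs.
TRUSTED_ORG_ID = "o-exampleorgid"
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}
# eventName -> request parameter carrying the policy (matched case-insensitively; an
# assumption about how CloudTrail mirrors each API's request body).
POLICY_PARAMS = {"PutDomainPermissionsPolicy": "policydocument",  # CodeArtifact
                 "PutResourcePolicy": "policy", "CreateTable": "resourcepolicy"}  # DynamoDB

def account_of(principal):
    """12-digit account ID of an AWS principal given as an account ID or an IAM ARN."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None

def _entries(principal):
    """Flatten a Principal element into (kind, value) pairs; bare '*' becomes ('AWS', '*')."""
    if principal == "*":
        return [("AWS", "*")]
    return [(k, v) for k, vals in principal.items()
            for v in ([vals] if isinstance(vals, str) else vals)]

def untrusted_principals(policy):
    """Principals granted access by Allow statements that fall outside the trusted boundary."""
    findings = []
    statements = policy.get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        if stmt.get("Effect") != "Allow":
            continue
        org = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID", [])
        org_values = {org} if isinstance(org, str) else set(org)
        for kind, value in _entries(stmt.get("Principal", {})):
            if kind == "Service":
                continue  # AWS service principals are a separate control objective
            if kind != "AWS":
                findings.append(f"{kind}:{value}")  # Federated/CanonicalUser: never in-org
            elif value == "*":
                # A wildcard is acceptable only when a condition pins it to the trusted org.
                if org_values != {TRUSTED_ORG_ID}:
                    findings.append("*")
            elif account_of(value) not in TRUSTED_ACCOUNTS:
                findings.append(value)
    return findings

def check_event(record):
    """Untrusted principals granted by the policy inside one CloudTrail record, if any."""
    param = POLICY_PARAMS.get(record.get("eventName"))
    params = {k.lower(): v for k, v in (record.get("requestParameters") or {}).items()}
    policy = params.get(param) if param else None
    if policy is None:
        return []  # unrelated event, or CreateTable without a resource policy
    return untrusted_principals(json.loads(policy) if isinstance(policy, str) else policy)

# Constructed CloudTrail records, trimmed to the fields the check uses.
SAMPLE_EVENTS = [
    {"eventName": "PutResourcePolicy", "requestParameters": {
        "resourceArn": "arn:aws:dynamodb:us-east-1:111111111111:table/orders",
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:role/vendor"},
            "Action": "dynamodb:GetItem", "Resource": "*"}]})}},
    {"eventName": "PutDomainPermissionsPolicy", "requestParameters": {
        "domain": "shared", "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "codeartifact:ReadFromRepository",
            "Resource": "*", "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]})}},
    {"eventName": "CreateTable", "requestParameters": {"tableName": "audit"}},
]
```

Only the `aws:PrincipalOrgID` condition is recognized as narrowing a wildcard principal; a policy that relies on other condition keys to stay in-org is reported for review rather than assumed safe.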
--------------------------------------------------------------------------------