├── .github └── workflows │ ├── main.yml │ └── repo-sync.yml ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── LICENSE-SAMPLECODE ├── LICENSE-SUMMARY ├── README.md ├── resource_control_policies ├── README.md ├── data_perimeter_governance_rcp.json ├── identity_perimeter_rcp.json ├── network_perimeter_rcp.json └── resource_based_policies │ ├── README.md │ ├── api_gateway_policy.json │ ├── ecr_repository_policy.json │ └── sns_topic_policy.json ├── service_control_policies ├── README.md ├── data_perimeter_governance_scp.json ├── network_perimeter_scp.json ├── resource_perimeter_scp.json └── service_specific_controls │ ├── README.md │ ├── network_perimeter_ec2_scp.json │ ├── network_perimeter_iam_users_scp.json │ ├── network_perimeter_lambda_scp.json │ ├── restrict_idp_configurations_scp.json │ └── restrict_nonvpc_deployment_scp.json ├── service_owned_resources.md └── vpc_endpoint_policies ├── README.md ├── cloudformation_endpoint_policy.json ├── default_endpoint_policy.json ├── ec2_endpoint_policy.json ├── ecr.api_endpoint_policy.json ├── iam_endpoint_policy.json ├── imagebuilder_endpoint_policy.json ├── lambda_endpoint_policy.json ├── s3_endpoint_policy.json └── ssm_endpoint_policy.json /.github/workflows/main.yml: -------------------------------------------------------------------------------- 1 | name: Issue or PR notifier 2 | on: 3 | issues: 4 | types: [opened] 5 | pull_request: 6 | types: [opened] 7 | jobs: 8 | run: 9 | name: Notify IS team of github activity 10 | runs-on: ubuntu-latest 11 | steps: 12 | - name: Draft with these release notes details 13 | uses: slackapi/slack-github-action@v2.0.0 14 | with: 15 | webhook: ${{ secrets.SLACK_WEBHOOK_URL }} 16 | webhook-type: webhook-trigger 17 | payload: | 18 | { 19 | "text": "A new \"${{ github.event_name }}\" has been opened on https://github.com/${{ github.repository }} . Please acknowledge the customer ASAP and :cowboy-ack: this request." 
20 | } 21 | -------------------------------------------------------------------------------- /.github/workflows/repo-sync.yml: -------------------------------------------------------------------------------- 1 | name: Repo Sync 2 | 3 | on: 4 | workflow_dispatch: 5 | 6 | jobs: 7 | repo-sync: 8 | name: Repo Sync 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v3 12 | - uses: repo-sync/github-sync@v2 13 | name: Sync repo to branch 14 | with: 15 | source_repo: ${{ secrets.SOURCE_REPO }} 16 | source_branch: main 17 | destination_branch: ${{ secrets.INTERMEDIATE_BRANCH }} 18 | github_token: ${{ secrets.REPO_SYNC }} 19 | - uses: repo-sync/pull-request@v2 20 | name: Create pull request 21 | with: 22 | source_branch: ${{ secrets.INTERMEDIATE_BRANCH }} 23 | destination_branch: main 24 | github_token: ${{ secrets.REPO_SYNC }} 25 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 4 | documentation, we greatly value feedback and contributions from our community. 5 | 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 7 | information to effectively respond to your bug report or contribution. 
8 | 9 | 10 | ## Reporting Bugs/Feature Requests 11 | 12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features. 13 | 14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already 15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: 16 | 17 | * A reproducible test case or series of steps 18 | * The version of our code being used 19 | * Any modifications you've made relevant to the bug 20 | * Anything unusual about your environment or deployment 21 | 22 | 23 | ## Contributing via Pull Requests 24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 25 | 26 | 1. You are working against the latest source on the *main* branch. 27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 29 | 30 | To send us a pull request, please: 31 | 32 | 1. Fork the repository. 33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 34 | 3. Ensure local tests pass. 35 | 4. Commit to your fork using clear commit messages. 36 | 5. Send us a pull request, answering any default questions in the pull request interface. 37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. 38 | 39 | GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). 41 | 42 | 43 | ## Finding contributions to work on 44 | Looking at the existing issues is a great way to find something to contribute on. 
As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. 45 | 46 | 47 | ## Code of Conduct 48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 50 | opensource-codeofconduct@amazon.com with any additional questions or comments. 51 | 52 | 53 | ## Security issue notifications 54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. 55 | 56 | 57 | ## Licensing 58 | 59 | See the [LICENSE](LICENSE-SUMMARY) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 60 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Creative Commons Attribution-ShareAlike 4.0 International Public License 2 | 3 | By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions. 4 | 5 | Section 1 – Definitions. 6 | 7 | a. 
Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image. 8 | 9 | b. Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License. 10 | 11 | c. BY-SA Compatible License means a license listed at creativecommons.org/compatiblelicenses, approved by Creative Commons as essentially the equivalent of this Public License. 12 | 13 | d. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights. 14 | 15 | e. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements. 16 | 17 | f. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material. 18 | 19 | g. License Elements means the license attributes listed in the name of a Creative Commons Public License. 
The License Elements of this Public License are Attribution and ShareAlike. 20 | 21 | h. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License. 22 | 23 | i. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license. 24 | 25 | j. Licensor means the individual(s) or entity(ies) granting rights under this Public License. 26 | 27 | k. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them. 28 | 29 | l. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world. 30 | 31 | m. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning. 32 | 33 | Section 2 – Scope. 34 | 35 | a. License grant. 36 | 37 | 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to: 38 | 39 | A. reproduce and Share the Licensed Material, in whole or in part; and 40 | 41 | B. produce, reproduce, and Share Adapted Material. 42 | 43 | 2. Exceptions and Limitations. 
For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions. 44 | 45 | 3. Term. The term of this Public License is specified in Section 6(a). 46 | 47 | 4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material. 48 | 49 | 5. Downstream recipients. 50 | 51 | A. Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License. 52 | 53 | B. Additional offer from the Licensor – Adapted Material. Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter’s License You apply. 54 | 55 | C. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material. 56 | 57 | 6. No endorsement. 
Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i). 58 | 59 | b. Other rights. 60 | 61 | 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise. 62 | 63 | 2. Patent and trademark rights are not licensed under this Public License. 64 | 65 | 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties. 66 | 67 | Section 3 – License Conditions. 68 | 69 | Your exercise of the Licensed Rights is expressly made subject to the following conditions. 70 | 71 | a. Attribution. 72 | 73 | 1. If You Share the Licensed Material (including in modified form), You must: 74 | 75 | A. retain the following if it is supplied by the Licensor with the Licensed Material: 76 | 77 | i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated); 78 | 79 | ii. a copyright notice; 80 | 81 | iii. a notice that refers to this Public License; 82 | 83 | iv. a notice that refers to the disclaimer of warranties; 84 | 85 | v. 
a URI or hyperlink to the Licensed Material to the extent reasonably practicable; 86 | 87 | B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and 88 | 89 | C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License. 90 | 91 | 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information. 92 | 93 | 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable. 94 | 95 | b. ShareAlike.In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply. 96 | 97 | 1. The Adapter’s License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License. 98 | 99 | 2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material. 100 | 101 | 3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply. 102 | 103 | Section 4 – Sui Generis Database Rights. 104 | 105 | Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material: 106 | 107 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database; 108 | 109 | b. 
if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and 110 | 111 | c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database. 112 | For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights. 113 | 114 | Section 5 – Disclaimer of Warranties and Limitation of Liability. 115 | 116 | a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You. 117 | 118 | b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You. 119 | 120 | c. 
The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability. 121 | 122 | Section 6 – Term and Termination. 123 | 124 | a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically. 125 | 126 | b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates: 127 | 128 | 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or 129 | 130 | 2. upon express reinstatement by the Licensor. 131 | 132 | c. For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License. 133 | 134 | d. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License. 135 | 136 | e. Sections 1, 5, 6, 7, and 8 survive termination of this Public License. 137 | 138 | Section 7 – Other Terms and Conditions. 139 | 140 | a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed. 141 | 142 | b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License. 143 | 144 | Section 8 – Interpretation. 145 | 146 | a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License. 
147 | 148 | b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions. 149 | 150 | c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor. 151 | 152 | d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority. 153 | -------------------------------------------------------------------------------- /LICENSE-SAMPLECODE: -------------------------------------------------------------------------------- 1 | Copyright ${THIS_YEAR} Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of this 4 | software and associated documentation files (the "Software"), to deal in the Software 5 | without restriction, including without limitation the rights to use, copy, modify, 6 | merge, publish, distribute, sublicense, and/or sell copies of the Software, and to 7 | permit persons to whom the Software is furnished to do so. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, 10 | INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 11 | PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT 12 | HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 13 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE 14 | SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
15 | -------------------------------------------------------------------------------- /LICENSE-SUMMARY: -------------------------------------------------------------------------------- 1 | Copyright ${THIS_YEAR} Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | 3 | The documentation is made available under the Creative Commons Attribution-ShareAlike 4.0 International License. See the LICENSE file. 4 | 5 | The sample code within this documentation is made available under the MIT-0 license. See the LICENSE-SAMPLECODE file. 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Data Perimeter Policy Examples 2 | 3 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0 4 | 5 | ## Table of Contents 6 | 7 | * [DISCLAIMER](#disclaimer) 8 | * [Introduction](#introduction) 9 | * [Getting started](#getting-started) 10 | * [Policy types](#policy-types) 11 | * [Tagging conventions](#tagging-conventions) 12 | * [Implementation](#implementation) 13 | * [License summary](#license-summary) 14 | 15 | ## DISCLAIMER 16 | 17 | The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. 
18 | 19 | ## Introduction 20 | 21 | This repository contains example policies to help you implement a [data perimeter on AWS](https://aws.amazon.com/identity/data-perimeters-on-aws/). The policy examples in this repository cover some common patterns and are for reference purposes only. Tailor and extend these examples to suit the needs of your environment. 22 | 23 | ## Getting started 24 | 25 | A data perimeter is a set of preventive controls to help ensure that only your trusted identities are accessing trusted resources from expected networks. To get started with data perimeters on AWS, review the following resources: 26 | 27 | * [Data perimeters on AWS](https://aws.amazon.com/identity/data-perimeters-on-aws/) 28 | * [Blog Post Series: Establishing a Data Perimeter on AWS](https://aws.amazon.com/identity/data-perimeters-blog-post-series/) 29 | 30 | ## Policy types 31 | 32 | You implement data perimeters primarily by using three different policy types: [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html), [resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html), and [VPC endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html#vpc-endpoint-policies). This repo provides examples of these policy types. The following table illustrates the relationship between data perimeter objectives and policy types used to achieve them. 
33 | 34 | |Data perimeter | Control objective| Policy type | Primary IAM capability | Policy examples | 35 | |--- |--- |--- |--- |--- | 36 | |Identity perimeter |Only trusted identities can access my resources |RCP |aws:PrincipalOrgID, aws:PrincipalIsAWSService, aws:SourceOrgID|[resource_control_policies](resource_control_policies)| 37 | |Identity perimeter | Only trusted identities are allowed from my network |VPC endpoint policy |aws:PrincipalOrgID, aws:PrincipalIsAWSService|[vpc_endpoint_policies](vpc_endpoint_policies)| 38 | |Resource perimeter |My identities can access only trusted resources |SCP |aws:ResourceOrgID|[service_control_policies](service_control_policies)| 39 | |Resource perimeter |Only trusted resources can be accessed from my network |VPC endpoint policy |aws:ResourceOrgID|[vpc_endpoint_policies](vpc_endpoint_policies)| 40 | |Network perimeter |My identities can access resources only from expected networks |SCP |aws:SourceIp, aws:SourceVpc/aws:SourceVpce, aws:ViaAWSService|[service_control_policies](service_control_policies)| 41 | |Network perimeter |My resources can only be accessed from expected networks |RCP |aws:SourceIp, aws:SourceVpc/aws:SourceVpce, aws:ViaAWSService, aws:PrincipalIsAWSService|[resource_control_policies](resource_control_policies)| 42 | 43 | 44 | Policy examples in this repository include various data access patterns you might need to account for when implementing a data perimeter on AWS. The README.md in the folder for each policy type contains information about the included access patterns. 45 | 46 | ## Tagging conventions 47 | 48 | Policy examples in this repository use the `aws:PrincipalTag/tag-key` and `aws:ResourceTag/tag-key` global condition keys to control the scope of data perimeter guardrails with the following tagging conventions. 
You should follow your existing tagging strategy or [AWS tagging best practices](https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/tagging-best-practices.html) when implementing in your environment. 49 | 50 | 1. Tag [AWS Identity and Access Management](https://aws.amazon.com/iam/) (IAM) principals and resources in your accounts that you would like to target with network perimeter controls with the `dp:include:network` tag key and the value set to `true`. You may want to start enforcing network perimeter controls on IAM principals used by human users to access AWS services interactively in the AWS Management Console, or programmatically with the AWS CLI, AWS Tools for PowerShell, or API. 51 | 2. Tag IAM principals and resources in your accounts that should be excluded from the network perimeter with the `dp:exclude:network` tag key and the value set to `true`. This tag key can be used for human users and applications that should be able to use AWS services from outside of your expected network, or for resources that should not have the network perimeter applied. 52 | 3. Tag IAM principals and resources in your accounts that should be excluded from the identity perimeter with the `dp:exclude:identity` tag key and the value set to `true`. This tag key is designed for human users and applications that should be able to use AWS services without being restricted by identity perimeter controls. This tag can also be used on resources that should not have the identity perimeter applied, such as those with a business reason to be accessible by a large number of external identities (public resources). 53 | 4. Tag IAM principals in your accounts that should be excluded from the resource perimeter with the `dp:exclude:resource` tag key and the value set to `true`. This tag key is designed for human users and applications that should be able to access resources that do not belong to your organization. 54 | 5. 
Tag IAM principals in your accounts that should be excluded from the resource perimeter for a specific service with the `dp:exclude:resource:<service>` tag key (where `<service>` identifies the service the exclusion applies to) and the value set to `true`. This tag key is designed for human users and applications that should be able to access service-specific resources that do not belong to your organization. 55 | 6. Tag IAM principals and resources in your accounts that should be excluded from all data perimeters with the `dp:exclude` tag key and the value set to `true`. This tag key is designed for human users, applications, and resources that should not be restricted by any perimeter control. 56 | 57 | Because the preceding tags are used for authorization, the [data_perimeter_governance_scp](service_control_policies/data_perimeter_governance_scp.json) and [data_perimeter_governance_rcp](resource_control_policies/data_perimeter_governance_rcp.json) policy examples include statements to protect these tags from unauthorized changes. In the `data_perimeter_governance_scp` example, only principals in your organization with the `team` tag and the value set to `admin` will be able to apply and modify these tags. `data_perimeter_governance_rcp` demonstrates how to protect session tags with an exception for tags that are set by your trusted SAML identity provider(s). You can modify the example policies based on the tagging strategy and governance adopted in your organization. 58 | 59 | 60 | Note that if you are using [AWS Control Tower](https://aws.amazon.com/controltower/) to centrally manage and govern your accounts, you might also need to exclude [AWSControlTowerExecution and other roles](https://docs.aws.amazon.com/controltower/latest/userguide/roles-how.html) that the service uses to manage accounts on your behalf. 61 | 62 | ## Implementation 63 | 64 | To effectively use the example policies in this repository, follow these steps: 65 | 66 | 1. 
Determine which policy and perimeter types to implement based on the control objectives they help achieve and your security requirements. 67 | 2. Replace the placeholder values in the example policies based on your definition of trusted identities, trusted resources, and expected networks: 68 | 69 | * Replace `` with your [AWS Organizations](https://aws.amazon.com/organizations/) organization ID. 70 | * Replace `` with the AWS Region to which you are deploying the policy. 71 | * Replace `` with your corporate public IP space. 72 | * Replace `` with a list of VPC IDs that constitute your network perimeter for a resource or an AWS Organizations entity to which you are applying a policy. 73 | * Replace `` with the ID of the AWS account that belongs to the Elastic Load Balancing services (based on the Region for your load balancer) if access logging is in use. See [Enable access logs for your Classic Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy) and [Access logs for your Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions) for a complete list of account IDs. 74 | * Replace `` with the ID of the AWS account that owns [Amazon Elastic Container Registry (Amazon ECR)](https://aws.amazon.com/ecr/) repositories that you require to be used in your environment. See ["Sid":"EnforceResourcePerimeterAWSResourcesECR"](https://github.com/aws-samples/data-perimeter-policy-examples/tree/main/service_control_policies#sidenforceresourceperimeterawsresourcesecr) and ["Sid": "AllowRequestsByOrgsIdentitiesToAWSResources"](https://github.com/aws-samples/data-perimeter-policy-examples/tree/main/vpc_endpoint_policies#sid-allowrequestsbyorgsidentitiestoawsresources) for more details. 
75 | * Replace `` with the ID of the AWS account that owns [AWS Lambda](https://aws.amazon.com/lambda/) layers that you require to be used within your environment. See ["Sid":"EnforceResourcePerimeterAWSResourcesLambdaLayer"](https://github.com/aws-samples/data-perimeter-policy-examples/tree/main/service_control_policies#sidenforceresourceperimeterawsresourceslambdalayer) for more details. 76 | * Replace the following values to support third party integrations where access to third party resources or by third party identities is required: 77 | * Replace `` and `` with account IDs of third parties. 78 | * Replace `` with specific actions required for third party integrations. 79 | * Replace `` with the Amazon Resource Name (ARN) of the resource owned by a third party. 80 | * If you do not have third party integrations that require access to your resources or networks: 81 | * Remove `` and `` from the `aws:PrincipalAccount` condition key in the resource control policy (RCP) examples. 82 | * Remove `"Sid": “AllowRequestsByOrgsIdentitiesToThirdPartyResources"` and `"Sid": "AllowRequestsByThirdPartyIdentitiesToThirdPartyResources"` statements from the VPC endpoint policy examples. 83 | * Remove the `"Sid":"EnforceResourcePerimeterThirdPartyResources"` statement from the `resource_perimeter_scp` SCP example. 84 | * Replace ``, ``, and `` with the names of your trusted OIDC providers and tenant. 85 | * Tag IAM identities and resources in your accounts in accordance with the tagging conventions for applying data perimeter controls (see the [Tagging conventions](#tagging-conventions) earlier in this document). 86 | 3. Deploy policies by using the AWS Management Console or AWS CLI. You can also automate the deployment by using your Infrastructure as Code and CI/CD solutions. 
87 | * Implement SCPs and RCPs: 88 | * To use the AWS Management Console, [create](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_create.html) and [attach](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html) an SCP and RCP to an account or an organizational unit (OU). 89 | * To use the AWS CLI, [create](https://docs.aws.amazon.com/cli/latest/reference/organizations/create-policy.html) and [attach](https://docs.aws.amazon.com/cli/latest/reference/organizations/attach-policy.html) a policy to an account or an OU. 90 | * Implement resource-based policies (only for services not yet supported by RCPs): 91 | * See [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) for services that support resource-based policies and follow links in the **Resource-based policies** column, or see [AWS Documentation](https://docs.aws.amazon.com/) (select the applicable service) for instructions about how to apply a resource-based policy. 92 | * Implement VPC endpoint policies: 93 | * To use the AWS Management Console, [create](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) or [configure](https://docs.aws.amazon.com/vpc/latest/privatelink/interface-endpoints.html) a VPC endpoint. 94 | * To use the AWS CLI, [create](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-endpoint.html) or [modify](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpc-endpoint.html) a VPC endpoint. 95 | 96 | 97 | ## License Summary 98 | 99 | The documentation is made available under the Creative Commons Attribution-ShareAlike 4.0 International License. See the LICENSE file. 100 | 101 | The sample code within this documentation is made available under the MIT-0 license. See the LICENSE-SAMPLECODE file. 
102 | -------------------------------------------------------------------------------- /resource_control_policies/README.md: -------------------------------------------------------------------------------- 1 | # Resource control policy (RCP) examples 2 | 3 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0 4 | 5 | ## Table of Contents 6 | 7 | * [Introduction](#introduction) 8 | * [Description](#description) 9 | * [Included data access patterns](#included-data-access-patterns) 10 | 11 | ## Introduction 12 | 13 | Some AWS services support resource-based policies that you can use to grant principals (including principals outside of your organization) permissions to perform actions on the resources to which they are attached. While allowing developers to configure resource-based policies based on their application requirements, you can enforce the identity and network perimeters on resources across your entire organization using resource control policies (RCPs). This helps prevent unintended access caused by misconfigurations and restrict access to your resources to expected networks only so that controls in the intended network path are not bypassed. 14 | 15 | RCPs are a type of [AWS Organizations](https://aws.amazon.com/organizations/) organization policy that you can use to control the maximum available permissions for resources in your organization. RCPs help you enforce security invariants such as ensuring that your resources can only be accessed by identities in your organization and only from company-managed networks. 16 | 17 | ## Description 18 | 19 | This folder contains examples of RCPs that help enforce identity and network perimeter controls on [services supported by RCPs](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html#rcp-supported-services). 
This folder also includes policy examples you can implement as [resource-based policies](resource_based_policies) for select services that are not supported by RCPs. 20 | 21 | These examples do not represent a complete list of valid data access patterns, and you are expected to tailor and extend them to suit the needs of your environment. See [Tagging conventions](https://github.com/aws-samples/data-perimeter-policy-examples/tree/main?tab=readme-ov-file#tagging-conventions) used in the policy examples to control the scope of data perimeter guardrails. You can also use the `NotResource` IAM policy element to exclude specific resources from the controls. 22 | 23 | Use the following RCP examples individually or in combination: 24 | * [identity_perimeter_rcp](identity_perimeter_rcp.json) – Enforces identity perimeter controls on resources within your Organizations organization. 25 | * [network_perimeter_rcp](network_perimeter_rcp.json) – Enforces network perimeter controls on resources within your Organizations organization. 26 | * [data_perimeter_governance_rcp](data_perimeter_governance_rcp.json) – Includes controls for protecting data perimeter controls’ dependencies, such as session tags used to control their scope. 27 | 28 | Note that the policy examples in this folder do not grant any permissions; they only restrict access by explicitly denying specific data access patterns. You still have to grant appropriate permissions with explicit `Allow` statements in identity-based or resource-based policies. 29 | 30 | ## Included data access patterns 31 | 32 | The following policy statements are included in the RCP and resource-based policy examples, each statement representing specific data access patterns. 
33 | 34 | ### "Sid":"EnforceOrgIdentities" 35 | 36 | This policy statement is included in the [identity_perimeter_rcp](identity_perimeter_rcp.json) and limits access to trusted identities: 37 | 38 | * Identities within your AWS Organizations organization are specified by the organization ID (``) in the policy statement. 39 | * AWS services that use [service principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) to access resources on your behalf are denoted by `aws:PrincipalIsAWSService` in the policy statement. See `"Sid": "EnforceConfusedDeputyProtection"` that uses the `aws:SourceOrgID` condition key to further restrict AWS services’ actions so that they can only interact with your resources on your behalf. 40 | * Trusted identities outside of your Organizations organization are specified by the account IDs of third parties (`` and ``) in the policy statement. 41 | 42 | Example data access patterns: 43 | 44 | * *Elastic Load Balancing (ELB) access logging*. In some AWS Regions, [Classic Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy) and [Application Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy) use AWS account credentials that belong to an AWS service to publish logs to your Amazon S3 buckets. The `aws:PrincipalAccount` condition key in the resource control policy should contain the ELB account ID if access logging is enabled. 45 | * *Amazon FinSpace data encryption*. To encrypt data at rest, [Amazon FinSpace](https://aws.amazon.com/finspace/) uses AWS account credentials that belong to the service to access your [AWS Key Management Service (AWS KMS)](https://aws.amazon.com/kms/) customer managed key. 
The `aws:PrincipalAccount` condition key in the resource control policy should contain the [FinSpace environment infrastructure account](https://docs.aws.amazon.com/finspace/latest/userguide/data-sharing-lake-formation.html). You can find the ID of the infrastructure account that's dedicated to your FinSpace environment on the environment page of the FinSpace console. 46 | 47 | Note that the `aws:PrincipalOrgID` condition key is included in the request context only if the calling principal is a member of an organization. This is not the case with federated users; therefore, `sts:AssumeRoleWithSAML` and `sts:AssumeRoleWithWebIdentity` are not listed in the `Action` element of the policy statement `"Sid": "EnforceOrgIdentities"`. `sts:SetSourceIdentity` and `sts:TagSession` are also not included to prevent impact on `sts:AssumeRoleWithSAML` and `sts:AssumeRoleWithWebIdentity` calls that [set a source identity](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html#id_credentials_temp_control-access_monitor-setup) or [pass session tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_operations). We recommend using the `"Sid":"EnforceTrustedOIDCProviders"` and `"Sid":"EnforceTrustedOIDCTenants"` statements to help prevent requests from untrusted OpenID Connect (OIDC) tenants. To help ensure that only your trusted identity providers can be used for SAML federation, limit your principals’ ability to make configuration changes to the IAM SAML identity providers (see `"Sid":"PreventIdPTrustModifications"` in the [restrict_idp_configurations_scp](../service_control_policies/service_specific_controls/restrict_idp_configurations_scp.json)). 48 | 49 | Another STS action, `sts:GetCallerIdentity`, is not included in this statement because [no permissions are required to perform this operation](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html). 
50 | 51 | ### "Sid":"EnforceTrustedOIDCProviders" 52 | 53 | This policy statement is included in the [identity_perimeter_rcp](identity_perimeter_rcp.json) and limits access to `sts:AssumeRoleWithWebIdentity` to only federated identities associated with a specific OIDC provider. 54 | 55 | If you only need to support single-tenant OIDC providers, this statement is sufficient for preventing untrusted federated identities because the issuer name in the `sub` claim is unique to your organization. 56 | 57 | If you need to support OIDC federation with providers that support multiple tenants (e.g. GitHub Actions, Salesforce), use `"Sid": "EnforceTrustedOIDCTenants"` statement in the [identity_perimeter_rcp](identity_perimeter_rcp.json) to limit access to only federated identities originating from your tenant of a trusted OIDC provider. 58 | 59 | ### "Sid":"EnforceTrustedOIDCTenants" 60 | 61 | This policy statement is included in the [identity_perimeter_rcp](identity_perimeter_rcp.json) and limits access to `sts:AssumeRoleWithWebIdentity` to only federated identities originating from your tenant of a trusted multi-tenant OIDC provider. 62 | 63 | If you need to support OIDC federation with multi-tenant providers (e.g. GitHub Actions, Salesforce), you can use [condition keys specific to each identity provider type](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif) in your policy to restrict access to your tenant only. Typically, the subject (`sub`) claim of the identity provider JSON Web Token (JWT) contains a value that is used to identify your tenant within a multi-tenant system. To understand the expected values of the `sub` claim, see the documentation of your provider. 
64 | 65 | If you need to support multiple multi-tenant OIDC providers, you need to create this statement for each provider with the `Null` condition operator so that the correct value of your tenant within each provider is enforced on each `sts:AssumeRoleWithWebIdentity` request. 66 | 67 | If you only need to support single-tenant OIDC providers, you can remove this statement from the policy. In this case, `"Sid": "EnforceTrustedOIDCProviders"` statement in the [identity_perimeter_rcp](identity_perimeter_rcp.json) is sufficient for preventing untrusted federated identities because the issuer name in the `sub` claim is unique to your organization. 68 | 69 | 70 | ### "Sid":"EnforceConfusedDeputyProtection" 71 | 72 | This policy statement is included in the [identity_perimeter_rcp](identity_perimeter_rcp.json) and restricts access to your resources so that AWS services can only interact with them on your behalf: 73 | 74 | * AWS services that use service principals to access your resources on behalf of another resource that belongs to your organization, specified by the organization ID (``) in the policy statement. 75 | * AWS services that use service principals to access your resources on behalf of another resource that belongs to trusted third parties, specified by the account IDs of third parties (`` and ``) in the policy statement. 76 | 77 | This policy applies the [cross-service confused deputy protection]( https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention) only on service integrations that require the use of the `aws:SourceAccount`, `aws:SourceOrgPaths`, and `aws:SourceOrgID` condition keys. We use the `Null` condition operator with the `aws:SourceAccount` condition key so that the `"Sid": "EnforceConfusedDeputyProtection"` statement applies only to requests that require the use of the keys. 
If `aws:SourceAccount` is present in the request context, the `Null` condition (`"aws:SourceAccount": "false"`) matches and the `aws:SourceOrgID` check is enforced; if the key is absent, the statement does not apply to the request. We use `aws:SourceAccount` instead of `aws:SourceOrgID` in the `Null` condition operator so that the control still applies if the request originates from an account that doesn’t belong to an organization. When a service enables support for the `aws:SourceAccount`, `aws:SourceOrgPaths`, and `aws:SourceOrgID` condition keys, it will automatically be subject to this policy. 78 | 79 | Example data access patterns: 80 | 81 | * *CloudTrail log delivery.* [AWS CloudTrail](https://aws.amazon.com/cloudtrail/) uses its service principal, cloudtrail.amazonaws.com, to publish events to an [Amazon S3 bucket that you specify](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html). 82 | * *VPC Flow Logs log delivery.* [VPC Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) uses its service principal, delivery.logs.amazonaws.com, to [deliver network logs to an Amazon S3 bucket](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html) that you specify. 83 | * *AWS services using service roles.* Some services assume service roles that you create to perform actions on your behalf. Not all services support `aws:SourceOrgID` enforcement on their `sts:AssumeRole` calls; however, every service performs the `iam:PassRole` action to verify that the role is in the same account as the calling service. As a result, using `aws:SourceOrgID` for the `sts:AssumeRole` calls is not necessary. The `Null` condition operator with the `aws:SourceAccount` condition key accounts for these service integrations. 84 | * *AWS services using AWS KMS grants.* Some services that use AWS KMS grants to encrypt/decrypt your resources don’t support `aws:SourceOrgID` enforcement on their calls against your AWS KMS keys. 
However, AWS KMS grants used by services include an encryption context that restricts use of the grant to operations on behalf of the resource it was originally created for. The `Null` condition operator with the `aws:SourceAccount` condition key accounts for these service integrations. 85 | * *Elastic Load Balancing (ELB) access logging*. In some AWS Regions, [Classic Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy) and [Application Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions) use their service principals to publish logs to your Amazon S3 buckets but don’t populate the `aws:SourceOrgID` condition key. The `Null` condition operator with the `aws:SourceAccount` condition key accounts for this service integration. The name of the log file stored in your S3 bucket always contains the account ID of the account with the configured load balancer. When you grant access to your bucket for logging, you can scope it down to the specific path in your bucket that contains the account ID. 86 | 87 | 88 | ### "Sid":"EnforceNetworkPerimeter" 89 | 90 | This policy statement is included in the [network_perimeter_rcp](network_perimeter_rcp.json) and limits access to expected networks for IAM principals tagged with the `dp:include:network` tag set to `true` and federated users. Expected networks are defined as follows: 91 | 92 | * Your organization’s on-premises data centers and static egress points in AWS such as a NAT gateway that are specified by IP ranges (``) in the policy statement. 93 | * Your organization’s VPCs that are specified by VPC IDs (``) in the policy statement. 
94 | * Networks of AWS services that use your credentials to access resources using [forward access sessions (FAS)]( https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) as denoted by `aws:ViaAWSService` in the policy statement. This access pattern applies when you access data via an AWS service, and that service takes subsequent actions on your behalf by using your IAM credentials. 95 | * Networks of AWS services that use [service principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) to access resources on your behalf are denoted by `aws:PrincipalIsAWSService` in the policy statement. Use the `"Sid": "EnforceConfusedDeputyProtection"` in the [identity_perimeter_rcp](identity_perimeter_rcp.json) to further restrict AWS service actions so that they can only interact with your resources when performing operations on behalf of accounts that you own. 96 | * Networks of AWS services that use [service roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html) to access resources on your behalf as denoted by `arn:aws:iam::*:role/aws:ec2-infrastructure` in the policy statement. 97 | * Networks of trusted third parties are specified by their account IDs (`` and ``) in the policy statement. 98 | 99 | Example data access patterns: 100 | 101 | * *Amazon Athena query*. When an application running in your VPC [creates an Athena query](https://docs.aws.amazon.com/athena/latest/ug/getting-started.html), Athena uses the application’s credentials to make subsequent requests to Amazon S3 to read data from your bucket and return results. 
102 | * *Elastic Beanstalk operations.* When a user [creates an application by using Elastic Beanstalk](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/applications.html), Elastic Beanstalk launches an environment and uses your user’s credentials to create and configure other AWS resources such as Amazon EC2 instances. 103 | * *Amazon S3 server-side encryption with AWS KMS (SSE-KMS)*. When a user uploads an object to an Amazon S3 bucket with the default [SSE-KMS encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html) enabled, Amazon S3 makes a subsequent request to [AWS Key Management Service (AWS KMS)](https://aws.amazon.com/kms/) to generate a data key from your customer managed key to encrypt the object. The call to AWS KMS is signed by using the user’s credentials and comes from the service network. A similar pattern is observed when a user downloads an encrypted object and Amazon S3 calls AWS KMS to decrypt the data key that was used to encrypt the object. Other services such as AWS Secrets Manager use a similar integration with AWS KMS. 104 | * *Amazon EBS volume decryption*. When you mount an encrypted Amazon EBS volume to an Amazon EC2 instance, Amazon EC2 calls AWS KMS to decrypt the data key that was used to encrypt the volume. The call to AWS KMS is signed by an IAM role, `arn:aws:iam::*:role/aws:ec2-infrastructure`, which is created in your account by Amazon EC2, and comes from the service network. 105 | * *Elastic Load Balancing (ELB) access logging*. In some AWS Regions, [Classic Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy) and [Application Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions) use AWS account credentials that belong to an AWS service to publish logs to your Amazon S3 buckets. 
Because the call to Amazon S3 comes from the service network, the `aws:PrincipalAccount` condition key in the resource control policy should contain the ELB account ID if access logging is enabled. 106 | * *Amazon FinSpace data encryption*. To encrypt data at rest, [Amazon FinSpace](https://aws.amazon.com/finspace/) uses AWS account credentials that belong to the service to access your AWS KMS customer managed key. Because the call to AWS KMS comes from the service network, the `aws:PrincipalAccount` condition key in the resource control policy should contain the [FinSpace environment infrastructure account](https://docs.aws.amazon.com/finspace/latest/userguide/data-sharing-lake-formation.html). You can find the ID of the infrastructure account that's dedicated to your FinSpace environment on the environment page of the FinSpace console. 107 | 108 | This policy statement exempts identities that are tagged with `dp:exclude:network` set to `true` from the network perimeter guardrail. Note that it is not recommended to have this exception in the policy unless it is accompanied by the `"Sid": "EnforceOrgIdentities"` statement in the [identity_perimeter_rcp](identity_perimeter_rcp.json). This helps ensure that an account outside of your Organizations organization cannot tag its own identities with `dp:exclude:network` to circumvent your network perimeter controls. 109 | 110 | ### "Sid":"ProtectDataPerimeterSessionTags" 111 | 112 | This statement is included in the [data_perimeter_governance_rcp](data_perimeter_governance_rcp.json) and prevents your trusted third parties from passing session tags used for data perimeter authorization controls while assuming a role in your account (`sts:AssumeRole`). You can apply this statement when using SAML federation in your organization. 
-------------------------------------------------------------------------------- /resource_control_policies/data_perimeter_governance_rcp.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "ProtectDataPerimeterSessionTags", 6 | "Effect": "Deny", 7 | "Principal": "*", 8 | "Action": [ 9 | "sts:TagSession" 10 | ], 11 | "Resource": "*", 12 | "Condition": { 13 | "Null": { 14 | "SAML:aud": "true" 15 | }, 16 | "StringNotEqualsIfExists": { 17 | "aws:PrincipalTag/team": "admin", 18 | "aws:PrincipalOrgID" : "" 19 | }, 20 | "ForAnyValue:StringLike": { 21 | "aws:TagKeys": [ 22 | "dp:*", 23 | "team" 24 | ] 25 | } 26 | } 27 | } 28 | ] 29 | } -------------------------------------------------------------------------------- /resource_control_policies/identity_perimeter_rcp.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "EnforceOrgIdentities", 6 | "Effect": "Deny", 7 | "Principal": "*", 8 | "Action": [ 9 | "s3:*", 10 | "sqs:*", 11 | "kms:*", 12 | "secretsmanager:*", 13 | "sts:AssumeRole", 14 | "sts:DecodeAuthorizationMessage", 15 | "sts:GetAccessKeyInfo", 16 | "sts:GetFederationToken", 17 | "sts:GetServiceBearerToken", 18 | "sts:GetSessionToken", 19 | "sts:SetContext" 20 | ], 21 | "Resource": "*", 22 | "Condition": { 23 | "StringNotEqualsIfExists": { 24 | "aws:PrincipalOrgID": "", 25 | "aws:PrincipalAccount": [ 26 | "", 27 | "", 28 | "", 29 | "" 30 | ], 31 | "aws:ResourceTag/dp:exclude:identity": "true" 32 | }, 33 | "BoolIfExists": { 34 | "aws:PrincipalIsAWSService": "false" 35 | } 36 | } 37 | }, 38 | { 39 | "Sid": "EnforceTrustedOIDCTenants", 40 | "Effect": "Deny", 41 | "Principal": "*", 42 | "Action": "sts:AssumeRoleWithWebIdentity", 43 | "Resource": "*", 44 | "Condition": { 45 | "StringNotEqualsIfExists": { 46 | ":sub": "", 47 | 
"aws:ResourceTag/dp:exclude:identity": "true" 48 | }, 49 | "Null": { 50 | ":sub": "false" 51 | } 52 | } 53 | }, 54 | { 55 | "Sid": "EnforceTrustedOIDCProviders", 56 | "Effect": "Deny", 57 | "Principal": "*", 58 | "Action": "sts:AssumeRoleWithWebIdentity", 59 | "Resource": "*", 60 | "Condition": { 61 | "Null": { 62 | ":sub": "true", 63 | ":sub": "true" 64 | } 65 | } 66 | }, 67 | { 68 | "Sid": "EnforceConfusedDeputyProtection", 69 | "Effect": "Deny", 70 | "Principal": "*", 71 | "Action": [ 72 | "s3:*", 73 | "sqs:*", 74 | "kms:*", 75 | "secretsmanager:*", 76 | "sts:*" 77 | ], 78 | "Resource": "*", 79 | "Condition": { 80 | "StringNotEqualsIfExists": { 81 | "aws:SourceOrgID": "", 82 | "aws:SourceAccount": [ 83 | "", 84 | "" 85 | ], 86 | "aws:ResourceTag/dp:exclude:identity": "true" 87 | }, 88 | "Null": { 89 | "aws:SourceAccount": "false" 90 | }, 91 | "Bool": { 92 | "aws:PrincipalIsAWSService": "true" 93 | } 94 | } 95 | } 96 | ] 97 | } -------------------------------------------------------------------------------- /resource_control_policies/network_perimeter_rcp.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "EnforceNetworkPerimeter", 6 | "Effect": "Deny", 7 | "Principal": "*", 8 | "Action": [ 9 | "s3:*", 10 | "sqs:*", 11 | "kms:*", 12 | "secretsmanager:*", 13 | "sts:AssumeRole", 14 | "sts:DecodeAuthorizationMessage", 15 | "sts:GetAccessKeyInfo", 16 | "sts:GetFederationToken", 17 | "sts:GetServiceBearerToken", 18 | "sts:GetSessionToken", 19 | "sts:SetContext" 20 | ], 21 | "Resource": "*", 22 | "Condition": { 23 | "NotIpAddressIfExists": { 24 | "aws:SourceIp": "" 25 | }, 26 | "StringNotEqualsIfExists": { 27 | "aws:SourceVpc": "", 28 | "aws:PrincipalTag/dp:exclude:network": "true", 29 | "aws:PrincipalAccount": [ 30 | "", 31 | "", 32 | "", 33 | "" 34 | ], 35 | "aws:ResourceTag/dp:exclude:network": "true" 36 | }, 37 | "BoolIfExists": { 38 | 
"aws:PrincipalIsAWSService": "false", 39 | "aws:ViaAWSService": "false" 40 | }, 41 | "ArnNotLikeIfExists": { 42 | "aws:PrincipalArn": [ 43 | "arn:aws:iam::*:role/aws:ec2-infrastructure" 44 | ] 45 | }, 46 | "StringEquals": { 47 | "aws:PrincipalTag/dp:include:network": "true" 48 | } 49 | } 50 | } 51 | ] 52 | } -------------------------------------------------------------------------------- /resource_control_policies/resource_based_policies/README.md: -------------------------------------------------------------------------------- 1 | # Resource-based policy examples 2 | 3 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0 4 | 5 | ## Description 6 | 7 | This folder includes examples of resource-based policies that enforce identity and network perimeter controls for services that are currently not supported by resource control policies (RCPs). See [resource_control_policies](../) for a description of the included data access patterns and the policy statements used in the policies. 8 | 9 | Note that the policy examples in this folder do not grant any permissions; they only restrict access by explicitly denying specific data access patterns. You still have to grant appropriate permissions with explicit `Allow` statements in identity-based or resource-based policies. 10 | 11 | Because developers will be creating resources such as [Amazon ECR](https://aws.amazon.com/ecr/) repositories on a regular basis, you might need to implement automation to enforce identity and network perimeter controls when those resources are created or their policies are changed. 
One option is to use custom [AWS Config rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html). Alternatively, you can choose to enforce resource deployment through [AWS Service Catalog](https://aws.amazon.com/servicecatalog/?aws-service-catalog.sort-by=item.additionalFields.createdDate&aws-service-catalog.sort-order=desc) or a CI/CD pipeline. With the AWS Service Catalog approach, you can have identity and network perimeter controls built into the centrally controlled products that are made available to developers to deploy within their accounts. With the CI/CD pipeline approach, the pipeline can have built-in compliance checks that enforce identity and network perimeter controls during the deployment. If you are deploying resources with your CI/CD pipeline by using [AWS CloudFormation](https://aws.amazon.com/cloudformation/), see the blog post [Proactively keep resources secure and compliant with AWS CloudFormation Hooks](https://aws.amazon.com/blogs/mt/proactively-keep-resources-secure-and-compliant-with-aws-cloudformation-hooks/). 
-------------------------------------------------------------------------------- /resource_control_policies/resource_based_policies/api_gateway_policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "EnforceIdentityPerimeter", 6 | "Effect": "Deny", 7 | "Principal": "*", 8 | "Action": "*", 9 | "Resource": "*", 10 | "Condition": { 11 | "StringNotEqualsIfExists": { 12 | "aws:PrincipalOrgID": "", 13 | "aws:PrincipalAccount": [ 14 | "", 15 | "" 16 | ] 17 | }, 18 | "BoolIfExists": { 19 | "aws:PrincipalIsAWSService": "false" 20 | } 21 | } 22 | }, 23 | { 24 | "Sid": "EnforceConfusedDeputyProtection", 25 | "Effect": "Deny", 26 | "Principal": "*", 27 | "Action": "*", 28 | "Resource": "*", 29 | "Condition": { 30 | "StringNotEqualsIfExists": { 31 | "aws:SourceOrgID": "", 32 | "aws:SourceAccount": [ 33 | "", 34 | "" 35 | ] 36 | }, 37 | "Null": { 38 | "aws:SourceAccount": "false" 39 | }, 40 | "Bool": { 41 | "aws:PrincipalIsAWSService": "true" 42 | } 43 | } 44 | }, 45 | { 46 | "Sid": "EnforceNetworkPerimeter", 47 | "Effect": "Deny", 48 | "Principal": "*", 49 | "Action": "*", 50 | "Resource": "*", 51 | "Condition": { 52 | "NotIpAddressIfExists": { 53 | "aws:SourceIp": "" 54 | }, 55 | "StringNotEqualsIfExists": { 56 | "aws:SourceVpc": "", 57 | "aws:PrincipalTag/dp:exclude:network": "true", 58 | "aws:PrincipalAccount": [ 59 | "", 60 | "" 61 | ] 62 | }, 63 | "BoolIfExists": { 64 | "aws:PrincipalIsAWSService": "false", 65 | "aws:ViaAWSService": "false" 66 | }, 67 | "ArnNotLikeIfExists": { 68 | "aws:PrincipalArn": "arn:aws:iam:::role/aws-service-role/*" 69 | }, 70 | "StringEquals": { 71 | "aws:PrincipalTag/dp:include:network": "true" 72 | } 73 | } 74 | } 75 | ] 76 | } -------------------------------------------------------------------------------- /resource_control_policies/resource_based_policies/ecr_repository_policy.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "EnforceOrgIdentities", 6 | "Effect": "Deny", 7 | "Principal": "*", 8 | "Action": "*", 9 | "Resource": "*", 10 | "Condition": { 11 | "StringNotEqualsIfExists": { 12 | "aws:PrincipalOrgID": "", 13 | "aws:PrincipalAccount": [ 14 | "", 15 | "" 16 | ] 17 | }, 18 | "BoolIfExists": { 19 | "aws:PrincipalIsAWSService": "false" 20 | } 21 | } 22 | }, 23 | { 24 | "Sid": "EnforceConfusedDeputyProtection", 25 | "Effect": "Deny", 26 | "Principal": "*", 27 | "Action": "*", 28 | "Resource": "*", 29 | "Condition": { 30 | "StringNotEqualsIfExists": { 31 | "aws:SourceOrgID": "", 32 | "aws:SourceAccount": [ 33 | "", 34 | "" 35 | ] 36 | }, 37 | "Null": { 38 | "aws:SourceAccount": "false" 39 | }, 40 | "Bool": { 41 | "aws:PrincipalIsAWSService": "true" 42 | } 43 | } 44 | }, 45 | { 46 | "Sid": "EnforceNetworkPerimeter", 47 | "Effect": "Deny", 48 | "Principal": "*", 49 | "Action": "*", 50 | "Resource": "*", 51 | "Condition": { 52 | "NotIpAddressIfExists": { 53 | "aws:SourceIp": "" 54 | }, 55 | "StringNotEqualsIfExists": { 56 | "aws:SourceVpc": "", 57 | "aws:PrincipalTag/dp:exclude:network": "true", 58 | "aws:PrincipalAccount": [ 59 | "", 60 | "" 61 | ] 62 | }, 63 | "BoolIfExists": { 64 | "aws:PrincipalIsAWSService": "false", 65 | "aws:ViaAWSService": "false" 66 | }, 67 | "ArnNotLikeIfExists": { 68 | "aws:PrincipalArn": "arn:aws:iam:::role/aws-service-role/*" 69 | }, 70 | "StringEquals": { 71 | "aws:PrincipalTag/dp:include:network": "true" 72 | } 73 | } 74 | } 75 | ] 76 | } -------------------------------------------------------------------------------- /resource_control_policies/resource_based_policies/sns_topic_policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "EnforceIdentityPerimeter", 6 | "Effect": "Deny", 7 | "Principal": 
"*", 8 | "Action": [ 9 | "sns:GetTopicAttributes", 10 | "sns:SetTopicAttributes", 11 | "sns:AddPermission", 12 | "sns:RemovePermission", 13 | "sns:DeleteTopic", 14 | "sns:Subscribe", 15 | "sns:ListSubscriptionsByTopic", 16 | "sns:Publish" 17 | ], 18 | "Resource": "*", 19 | "Condition": { 20 | "StringNotEqualsIfExists": { 21 | "aws:PrincipalOrgID": "", 22 | "aws:PrincipalAccount": [ 23 | "", 24 | "" 25 | ] 26 | }, 27 | "BoolIfExists": { 28 | "aws:PrincipalIsAWSService": "false" 29 | } 30 | } 31 | }, 32 | { 33 | "Sid": "EnforceNetworkPerimeter", 34 | "Effect": "Deny", 35 | "Principal": "*", 36 | "Action": [ 37 | "sns:GetTopicAttributes", 38 | "sns:SetTopicAttributes", 39 | "sns:AddPermission", 40 | "sns:RemovePermission", 41 | "sns:DeleteTopic", 42 | "sns:Subscribe", 43 | "sns:ListSubscriptionsByTopic", 44 | "sns:Publish" 45 | ], 46 | "Resource": "*", 47 | "Condition": { 48 | "NotIpAddressIfExists": { 49 | "aws:SourceIp": "" 50 | }, 51 | "StringNotEqualsIfExists": { 52 | "aws:SourceVpc": "", 53 | "aws:PrincipalTag/dp:exclude:network": "true", 54 | "aws:PrincipalAccount": [ 55 | "", 56 | "" 57 | ] 58 | }, 59 | "BoolIfExists": { 60 | "aws:PrincipalIsAWSService": "false", 61 | "aws:ViaAWSService": "false" 62 | }, 63 | "ArnNotLikeIfExists": { 64 | "aws:PrincipalArn": "arn:aws:iam:::role/aws-service-role/*" 65 | }, 66 | "StringEquals": { 67 | "aws:PrincipalTag/dp:include:network": "true" 68 | } 69 | } 70 | } 71 | ] 72 | } -------------------------------------------------------------------------------- /service_control_policies/README.md: -------------------------------------------------------------------------------- 1 | # Service control policy (SCP) examples 2 | 3 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 
SPDX-License-Identifier: CC-BY-SA-4.0 4 | 5 | ## Table of Contents 6 | 7 | * [Introduction](#introduction) 8 | * [Description](#description) 9 | * [Included data access patterns](#included-data-access-patterns) 10 | 11 | ## Introduction 12 | 13 | SCPs are a type of [AWS Organizations](https://aws.amazon.com/organizations/) organization policy that you can use to establish the maximum access that can be delegated by account administrators to principals within your organization. SCPs allow you to enforce security invariants such as ensuring that your identities can access only company-approved data stores and that your corporate credentials can be used only from company-managed networks. 14 | 15 | ## Description 16 | 17 | This folder contains examples of SCPs that enforce resource and network perimeter controls. These examples do not represent a complete list of valid data access patterns, and they are intended for you to tailor and extend them to suit the needs of your environment. 18 | 19 | Use the following example SCPs individually or in combination: 20 | 21 | * [resource_perimeter_scp](resource_perimeter_scp.json) – Enforces resource perimeter controls on all principals within your Organizations organization. 22 | * [network_perimeter_scp](network_perimeter_scp.json) – Enforces network perimeter controls on IAM principals tagged with the `dp:include:network` tag set to `true`. 23 | * [data_perimeter_governance_scp](data_perimeter_governance_scp.json) – Includes statements to secure tags that are used for authorization controls. This SCP also includes statements that should be included in your data perimeter to account for specific data access patterns that are not covered by primary data perimeter controls.
24 | 25 | Note that the SCP examples in this repository use a [deny list strategy](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_strategies.html), which means that you also need a FullAWSAccess policy or other policy attached to your AWS Organizations organization entities to allow actions. You still also need to grant appropriate permissions to your principals by using identity-based or resource-based policies. 26 | 27 | For your network perimeter, this folder has examples of policies for enforcing controls on specific service roles and IAM principals tagged with the `dp:include:network` tag set to `true`. 28 | 29 | ## Included data access patterns 30 | 31 | The following policy statements are included in the SCP examples, each statement representing specific data access patterns. 32 | 33 | ### "Sid":"EnforceResourcePerimeterAWSResources" 34 | 35 | This policy statement is included in the [resource_perimeter_scp](resource_perimeter_scp.json) and limits access to trusted resources that include [service_owned_resources](../service_owned_resources.md): 36 | 37 | * Resources that belong to your Organizations organization specified by the organization ID (``) in the policy statement. 38 | * Resources owned by AWS services. To permit access to service-owned resources through the resource perimeter, two methods are used: 39 | * Relevant service actions are listed in the `NotAction` element of the policy. Actions on resources that allow cross-account access are further restricted in other statements of the policy (`"Sid":"EnforceResourcePerimeterAWSResourcesS3"`, `"Sid":"EnforceResourcePerimeterAWSResourcesSSM"`, `"Sid":"EnforceResourcePerimeterAWSResourcesEC2ImageBuilder"`, `"EnforceResourcePerimeterAWSResourcesECR"`, `"EnforceResourcePerimeterAWSResourcesLambdaLayer"`,`"EnforceResourcePerimeterAWSResourcesEC2PrefixList"`). 
40 | * `ec2:Owner` condition key: 41 | * Key value set to `amazon` - Required for your users and applications to be able to perform operations against public images that are owned by [Amazon](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-runinstances-ami) or a [verified partner](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharing-amis.html#verified-ami-provider) (for example, copying or launching instances using these images). 42 | * Trusted resources that belong to an account outside of your Organizations organization. To permit access to a resource owned by an external account through the resource perimeter, relevant service actions have to be listed in the `NotAction` element of this statement (``). These actions are further restricted in the `"Sid":"EnforceResourcePerimeterThirdPartyResources"`. 43 | 44 | ### "Sid":"EnforceResourcePerimeterAWSResourcesS3" 45 | 46 | This policy statement is included in the [resource_perimeter_scp](resource_perimeter_scp.json) and limits access to trusted [Amazon Simple Storage Service (Amazon S3)](https://aws.amazon.com/s3/) resources: 47 | 48 | * Amazon S3 resources that belong to your Organizations organization as specified by the organization ID (``) in the policy statement. 49 | 50 | * Amazon S3 resources owned by AWS services that might be accessed by your identities and applications directly by using your [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/) credentials. To account for this access pattern, the `s3:GetObject`, `s3:GetObjectVersion`, `s3:PutObject`, `s3:PutObjectAcl` and `s3:ListBucket` actions are first listed in the `NotAction` element of the `"Sid":"EnforceResourcePerimeterAWSResources"` statement. 
The `"Sid":"EnforceResourcePerimeterAWSResourcesS3"` then uses the `aws:ResourceAccount` and `aws:PrincipalTag` condition keys to restrict these actions to resources owned by the AWS service accounts or to IAM principals that have the `dp:exclude:resource:s3` tag set to `true`. See the [service_owned_resources](../service_owned_resources.md) for a list of Amazon S3 resources owned by AWS services. 51 | 52 | * Amazon S3 resources owned by AWS services that might be accessed by your identities and applications via AWS services using [forward access sessions (FAS)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html). To account for this access pattern, the `s3:GetObject`, `s3:GetObjectVersion`, `s3:PutObject`, and `s3:PutObjectAcl` actions are first listed in the `NotAction` element of the `"Sid":"EnforceResourcePerimeterAWSResources"` statement. The `"Sid":"EnforceResourcePerimeterAWSResourcesS3"` then uses the aws:CalledVia condition key to restrict these actions to relevant AWS services only. See the [service_owned_resources](../service_owned_resources.md) for a list of Amazon S3 resources owned by AWS services. 53 | 54 | 55 | ### "Sid":"EnforceResourcePerimeterAWSResourcesSSM" 56 | 57 | This policy statement is included in the [resource_perimeter_scp](resource_perimeter_scp.json) and limits access to trusted [AWS Systems Manager](https://aws.amazon.com/systems-manager/) resources: 58 | 59 | * AWS Systems Manager resources that belong to your Organizations organization specified by the organization ID (``) in the policy statement. 60 | * AWS Systems Manager resources owned by AWS services that might be accessed by your identities and applications directly by using your IAM credentials. 
To account for this access pattern, `ssm:Get*`, `ssm:SendCommand`, `ssm:CreateAssociation`, `ssm:StartSession`, `ssm:StartChangeRequestExecution`, `ssm:StartAutomationExecution` are first listed in the `NotAction` element of the `"Sid":"EnforceResourcePerimeterAWSResources"` statement. `"Sid":"EnforceResourcePerimeterAWSResourcesSSM"` then uses the `aws:PrincipalTag` condition key with the `dp:exclude:resource:ssm` tag set to `true` to restrict access to these actions to IAM principals tagged for access to resources that do not belong to your organization. See the [service_owned_resources](../service_owned_resources.md) for a list of AWS Systems Manager resources owned by AWS services. 61 | 62 | 63 | ### "Sid":"EnforceResourcePerimeterAWSResourcesEC2ImageBuilder" 64 | 65 | This policy statement is included in the [resource_perimeter_scp](resource_perimeter_scp.json) and limits access to trusted [EC2 Image Builder](https://aws.amazon.com/image-builder/) resources: 66 | 67 | * EC2 Image Builder resources that belong to your Organizations organization specified by the organization ID (``) in the policy statement. 68 | * EC2 Image Builder resources owned by AWS services that might be accessed by your identities and applications directly by using your IAM credentials. To account for this access pattern, the `imagebuilder:GetComponent` and `imagebuilder:GetImage` actions are first listed in the `NotAction` element of the `"Sid":"EnforceResourcePerimeterAWSResources"` statement. `"Sid":"EnforceResourcePerimeterAWSResourcesEC2ImageBuilder"` then uses the `aws:PrincipalTag` condition key with the `dp:exclude:resource:imagebuilder` tag set to `true` to restrict access to these actions to IAM principals tagged for access to resources that do not belong to your organization. See the [service_owned_resources](../service_owned_resources.md) for a list of EC2 Image Builder resources owned by AWS services.
69 | 70 | ### "Sid":"EnforceResourcePerimeterAWSResourcesECR" 71 | 72 | This policy statement is included in the [resource_perimeter_scp](resource_perimeter_scp.json) and limits access to trusted [Amazon Elastic Container Registry (Amazon ECR)](https://aws.amazon.com/ecr/) resources: 73 | 74 | * Amazon ECR repositories that belong to your Organizations organization as specified by the organization ID (``) in the policy statement. 75 | * Amazon ECR repositories owned by AWS services that might be accessed by your identities and applications directly by using your IAM credentials. To account for this access pattern, the `ecr:GetDownloadUrlForLayer`and`ecr:BatchGetImage` are first listed in the `NotAction` element of the `"Sid":"EnforceResourcePerimeterAWSResources"` statement. `"Sid":"EnforceResourcePerimeterAWSResourcesECR"` then uses the `aws:ResourceAccount` condition key to restrict these actions to Amazon ECR repositories owned by the AWS service accounts. See the [service_owned_resources](../service_owned_resources.md) for a list of Amazon ECR repositories owned by AWS services. 76 | 77 | ### "Sid":"EnforceResourcePerimeterAWSResourcesLambdaLayer" 78 | 79 | This policy statement is included in [resource_perimeter_scp](resource_perimeter_scp.json) and limits access to trusted [Lambda](https://aws.amazon.com/lambda/) layers: 80 | 81 | * Lambda layers that belong to your AWS Organizations organization as specified by the organization ID (``) in the policy statement. 82 | * Lambda layers owned by AWS services that might be accessed by your identities and applications directly by using your IAM credentials. To account for this access pattern, the `lambda:GetLayerVersion` is first listed in the `NotAction` element of the `"Sid":"EnforceResourcePerimeterAWSResources"` statement. `"Sid":"EnforceResourcePerimeterAWSResourcesLambdaLayer"` then uses the `aws:ResourceAccount` condition key to restrict these actions to Lambda layers owned by the AWS service accounts. 
See the [service_owned_resources](../service_owned_resources.md) for a list of Lambda resources owned by AWS services. 83 | 84 | ### "Sid":"EnforceResourcePerimeterAWSResourcesEC2PrefixList" 85 | 86 | This policy statement is included in the [resource_perimeter_scp](resource_perimeter_scp.json) and limits access to trusted EC2 prefix lists: 87 | 88 | * EC2 managed prefix lists that belong to your Organizations organization specified by the organization ID (``) in the policy statement. 89 | * EC2 managed prefix lists owned by AWS services that might be accessed by your identities and applications directly by using your IAM credentials. To account for this access pattern, the `ec2:CreateTags`, `ec2:DeleteTags`, `ec2:GetManagedPrefixListEntries` are first listed in the `NotAction` element of the `"Sid":"EnforceResourcePerimeterAWSResources"` statement. `"Sid":"EnforceResourcePerimeterAWSResourcesEC2PrefixList"` then uses the `aws:PrincipalTag` condition key with `dp:exclude:resource:ec2` tag set to `true` to restrict access to these actions to IAM principals tagged for access to resources that do not belong to your organization. See the [service_owned_resources](../service_owned_resources.md) for a list of Amazon EC2 resources owned by AWS services. 90 | 91 | ### "Sid":"EnforceResourcePerimeterThirdPartyResources" 92 | 93 | This policy statement is included in the [resource_perimeter_scp](resource_perimeter_scp.json) and limits access to trusted resources that include third party resources: 94 | 95 | * Resources that belong to your Organizations organization and are specified by the organization ID (``) in the policy statement. 96 | * Trusted resources that belong to an account outside of your Organizations organization are specified by account IDs of third parties (`` and ``) in the policy statement. Further restrict access by specifying allowed actions in the Action element of the policy statement. 
These actions also have to be listed in the `NotAction` element of `"Sid":"EnforceResourcePerimeterAWSResources"`. 97 | 98 | ### "Sid":"EnforceNetworkPerimeter" 99 | 100 | This policy statement is included in the [network_perimeter_scp](network_perimeter_scp.json) and limits access to expected networks for IAM principals tagged with the `dp:include:network` tag set to `true`. Expected networks are defined as follows: 101 | 102 | * Your organization’s on-premises data centers and static egress points in AWS such as NAT gateways that are specified by IP ranges (``) in the policy statement. 103 | * Your organization’s VPCs specified by VPC IDs (``) in the policy statement. 104 | * Networks of AWS services that use [forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) to access resources on your behalf as denoted by `aws:ViaAWSService` in the policy statement. This access pattern applies when you access data via an AWS service and that service takes subsequent actions on your behalf by using your IAM identity credentials. 105 | * Networks of AWS services when AWS services interact with [KMS](https://aws.amazon.com/kms/) encrypted AMIs, volumes, or snapshots as denoted by the `aws:PrincipalArn` condition key with a value of `arn:aws:iam::*:role/aws:ec2-infrastructure`. 106 | 107 | #### Services and actions that require an exception to the network perimeter 108 | * Some AWS services have resources that are accessible from within your VPC through network interfaces or run inside your VPC, and use IAM for authentication.
To account for this access pattern, you should list relevant actions in the `NotAction` element of this statement and use network security controls such as [security groups](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html), [access control lists](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html), and firewalls such as [AWS Network Firewall](https://aws.amazon.com/network-firewall/) to control the networks and IP addresses that can access these resources. 109 | * `dax:GetItem`, `dax:BatchGetItem`, `dax:Query`, `dax:Scan`, `dax:PutItem`, `dax:UpdateItem`, `dax:DeleteItem`, `dax:BatchWriteItem`, and `dax:ConditionCheckItem` – Required for [Amazon DynamoDB Accelerator (DAX)](https://aws.amazon.com/dynamodb/dax/) operations. At runtime, the DAX client directs all of your application's DynamoDB API requests to the DAX cluster, which runs in your VPC. Even though these requests originate from your VPC, they do not traverse a VPC endpoint. 110 | * `neptune-db:*` – Required for [Amazon Neptune](https://aws.amazon.com/neptune/). Amazon Neptune databases are deployed in your VPC and are accessed over a network interface in the VPC. The `neptune-db` IAM namespace is only used to access the Neptune database in your VPCs with [IAM authentication](https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth-connecting.html) and is not used with AWS APIs. 111 | * `elasticfilesystem:ClientMount`,`elasticfilesystem:RootAccess`,`elasticfilesystem:ClientWrite` – Required to use [Amazon Elastic File System (EFS)](https://aws.amazon.com/efs/) with [IAM authorization](https://docs.aws.amazon.com/efs/latest/ug/mounting-IAM-option.html). These IAM actions are only used to access Amazon EFS file systems from within your VPC via a network interface. To save space in the policy example, these three IAM actions are written with a wildcard character as `elasticfilesystem:Client*`. 
112 | * `rds-db:Connect` – Required to use [Amazon Relational Database Service (RDS)](https://aws.amazon.com/rds/) with [IAM authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html). Amazon RDS databases are deployed in your VPC and are accessed over a network interface in the VPC. The `rds-db` IAM namespace is only used for authentication to RDS databases. 113 | * `kafka-cluster:*` – Required to use [Amazon Managed Streaming for Apache Kafka (MSK)](https://aws.amazon.com/msk/) with [IAM access control](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html). The `kafka-cluster` IAM namespace is only used to access Amazon MSK clusters in your VPCs with IAM authentication. 114 | * `es:ESHttpGet`, `es:ESHttpPut`, `es:ESHttpDelete`, `es:ESHttpPost`, `es:ESHttpPatch`, `es:ESHttpHead` – Required to use [Amazon OpenSearch Service](https://aws.amazon.com/opensearch-service/) with [IAM authentication for OpenSearch Domains](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource). These IAM actions are only used to access OpenSearch domains. When an OpenSearch domain is deployed with "VPC Access" selected, requests to that OpenSearch domain traverse a network interface in your VPC and do not traverse a VPC endpoint. If you are using IAM authentication with an OpenSearch domain that is configured to be accessible in "public" mode over the Internet, you can use the `aws:SourceIp` condition key to help control from which networks the OpenSearch domain can be accessed. To save space in the policy example, these IAM actions are written with a wildcard character as `es:ES*`. 115 | 116 | 117 | #### Example data access patterns 118 | 119 | * *Athena query*.
When an application running in your VPC [creates an Athena query](https://docs.aws.amazon.com/athena/latest/ug/getting-started.html), Athena uses the application’s credentials to make subsequent requests to Amazon S3 to read data from your bucket and return results using [forward access sessions (FAS)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html). 120 | * *Elastic Beanstalk operations*. When a user [creates an application by using Elastic Beanstalk](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/applications.html), Elastic Beanstalk launches an environment and uses your IAM credentials to create and configure other AWS resources such as Amazon EC2 instances. 121 | * *Amazon S3 server-side encryption with AWS KMS (SSE-KMS)*. When you upload an object to an Amazon S3 bucket with the default [SSE-KMS encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html) enabled, Amazon S3 makes a subsequent FAS request to AWS KMS in order to generate a data key from your CMK to encrypt the object. The call to AWS KMS is signed by using your credentials. A similar pattern is observed when a user tries to download an encrypted object when Amazon S3 calls AWS KMS to decrypt the key that was used to encrypt the object. Other services such as AWS Secrets Manager use a similar integration with AWS KMS. 122 | * *AWS Data Exchange publishing and subscribing* (described in `"Sid":"EnforceResourcePerimeterAWSResourcesS3"` earlier in this document). 123 | * *AWS Service Catalog operations* (described in `"Sid":"EnforceResourcePerimeterAWSResourcesS3"` earlier in this document). 124 | * *KMS Encrypted AMIs, Volumes, and Snapshots* When an EC2 instance attempts to interact with an AWS KMS encrypted AMI, volume, or snapshot, a KMS key grant is issued to the [instance's identity-only role](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption-requirements.html#ebs-encryption-instance-permissions). 
The identity-only role is a special IAM role, `arn:aws:iam::*:role/aws:ec2-infrastructure`, that is used by the instance to interact with encrypted AMIs, volumes, or snapshots on your behalf. This role is used to make requests to AWS KMS from AWS networks. 125 | 126 | ### "Sid":"PreventRAMExternalResourceShare" 127 | 128 | This statement is included in the [data_perimeter_governance_scp](data_perimeter_governance_scp.json) and denies the creation of or updates to [AWS Resource Access Manager (AWS RAM)](https://aws.amazon.com/ram/) resource shares that allow sharing with external principals. 129 | 130 | [Some AWS resources](https://docs.aws.amazon.com/ram/latest/userguide/shareable.html#shareable-r53) allow cross-account sharing via AWS RAM instead of resource-based policies. By default, AWS RAM shares allow sharing outside of an Organizations organization. You can explicitly [restrict sharing of resources outside of AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-create.html) and then limit AWS RAM actions based on this configuration. 131 | 132 | ### "Sid":"PreventExternalResourceShare" 133 | 134 | This statement is included in the [data_perimeter_governance_scp](data_perimeter_governance_scp.json) and restricts resource sharing by capabilities that are embedded into services. 135 | 136 | Some AWS services use neither resource-based policies nor AWS RAM. 137 | 138 | Example data access patterns: 139 | 140 | * [Amazon EC2 AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharing-amis.html): You can share AMIs with other accounts or make them public with the `ModifyImageAttribute` and `ModifyFPGAImageAttribute` APIs. 141 | * [Amazon EC2 network interface](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkInterfacePermission.html): You can share EC2 network interfaces with other accounts with the `CreateNetworkInterfacePermission` API.
142 | * [Amazon EC2 elastic IP](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/transfer-EIPs-intro-ec2.html): You can transfer an Elastic IP address from one AWS account to another with the `EnableAddressTransfer` API. 143 | * [Amazon EBS snapshots](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html): You can share Amazon EBS snapshots with other accounts, or you can make them public with the `ModifySnapshotAttribute` API. 144 | * [VPC endpoint connections](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html): You can grant permissions to another account to connect to your VPC endpoint service with the `ModifyVpcEndpointServicePermissions` API. 145 | * [Systems Manager documents (SSM documents)](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-ssm-docs.html): You can share SSM documents with other accounts or make them public with the `ModifyDocumentPermission` API. 146 | * [Amazon RDS snapshots](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html): You can share RDS and RDS cluster snapshots with other accounts or make them public with the `ModifyDBSnapshotAttribute` and `ModifyDBClusterSnapshotAttribute` APIs. 147 | * [Amazon Redshift datashare](https://docs.aws.amazon.com/redshift/latest/dg/authorize-datashare-console.html): You can authorize the sharing of a datashare with other accounts with the `AuthorizeDataShare` API. You can also share a snapshot with other accounts with `AuthorizeSnapshotAccess` API. 148 | * [Amazon Redshift cluster](https://docs.aws.amazon.com/redshift/latest/APIReference/API_AuthorizeEndpointAccess.html): You can grant access to an Amazon Redshift cluster to other accounts with the `AuthorizeEndpointAccess` API. 
149 | * [AWS Directory Service directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_directory_sharing.html): You can share a directory with other accounts with the `ShareDirectory` API. 150 | * [AWS Direct Connect gateway](https://docs.aws.amazon.com/directconnect/latest/UserGuide/multi-account-associate-vgw.html): You can associate a Direct Connect gateway with a virtual private gateway that is owned by another AWS account with the `CreateDirectConnectGatewayAssociationProposal` API. 151 | * [Amazon Detective graph](https://docs.aws.amazon.com/detective/latest/userguide/accounts.html): A Detective administrator account can invite other accounts to join a behavior graph with the `CreateMembers` API. 152 | * [Amazon CloudWatch Logs subscription filters](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html): You can send CloudWatch Logs to cross-account destinations with the `PutSubscriptionFilter` API. 153 | * [AWS Glue Data Catalog](https://docs.aws.amazon.com/lake-formation/latest/dg/granting-catalog-perms-TBAC.html) databases: You can grant data catalog permissions to another account by using the AWS Lake Formation tag-based access control method with the `GrantPermissions` and `BatchGrantPermissions` APIs. 154 | * [Amazon AppStream 2.0 image](https://docs.aws.amazon.com/appstream2/latest/developerguide/administer-images.html#share-image-with-another-account): You can share an Amazon AppStream 2.0 image that you own with other accounts with the `UpdateImagePermissions` API. 155 | * [Amazon Macie member accounts](https://docs.aws.amazon.com/macie/latest/user/accounts-mgmt-invitations-administer.html): You can add member accounts to your Macie administrator account with the `CreateInvitations` API. 
156 | * [AWS Security Hub member accounts](https://docs.aws.amazon.com/securityhub/latest/userguide/account-management-manual.html): You can create and invite a member to your Security Hub administrator account with the `CreateMembers` and `InviteMembers` APIs. 157 | * [Amazon GuardDuty member accounts](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_invitations.html): You can create and invite a member to your GuardDuty administrator account with the `CreateMembers` and `InviteMembers` APIs. 158 | * [AWS Audit Manager assessment framework shares](https://docs.aws.amazon.com/audit-manager/latest/userguide/share-custom-framework.html): You can create a share request for a custom framework in Audit Manager with the `StartAssessmentFrameworkShare` API. 159 | * [Amazon DocumentDB cluster snapshots](https://docs.aws.amazon.com/documentdb/latest/developerguide/backup_restore-share_cluster_snapshots.html ): You can share an Amazon Document DB manual cluster snapshot with other accounts or make them public with the `ModifyDBClusterSnapshotAttribute` API. 160 | * [Amazon WorkSpaces image](https://docs.aws.amazon.com/workspaces/latest/adminguide/share-custom-image.html): You can share custom WorkSpaces images with other accounts with the `UpdateWorkspaceImagePermission` API. 161 | * [Amazon CloudWatch sink](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html): You can share observability data with other accounts with the `CreateLink` API. 162 | * [AWS Service Catalog portfolio](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing.html): AWS Service Catalog portfolios can be shared with other AWS accounts with the `CreatePortfolioShare` API. 163 | * [AWS Config aggregator](https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html): The `PutConfigurationAggregator` API allows you to select another account to add to your AWS Config aggregator. 
164 | * [AWS Fault Injection experiment template](https://docs.aws.amazon.com/fis/latest/userguide/multi-account.html): You can create a multi-account experiment template by specifying other accounts with the `CreateTargetAccountConfiguration` API. 165 | * [AWS Global Accelerator attachment](https://docs.aws.amazon.com/global-accelerator/latest/dg/cross-account-resources.create-attachment.html): You can add a resource from another account as an endpoint for an accelerator with the `CreateCrossAccountAttachment` API. 166 | * [AWS Cloud9 shared environment](https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html): You can share an AWS Cloud9 development environment with users from other accounts with the `CreateEnvironmentMembership` API. 167 | * [Amazon Connect dataset](https://docs.aws.amazon.com/connect/latest/APIReference/API_BatchAssociateAnalyticsDataSet.html#connect-BatchAssociateAnalyticsDataSet-request-DataSetIds): You can associate a list of Amazon Connect instance analytics datasets with a target account using the `BatchAssociateAnalyticsDataSet` API. 168 | * [Amazon Redshift Serverless snapshot](https://docs.aws.amazon.com/redshift-serverless/latest/APIReference/API_PutResourcePolicy.html): You can share snapshots across AWS accounts using the `PutResourcePolicy` API. 169 | 170 | ### "Sid":"ProtectActionsNotSupportedByPrimaryDPControls" 171 | 172 | This statement is included in [data_perimeter_governance_scp](data_perimeter_governance_scp.json) and restricts actions that are not supported by primary data perimeter controls, such as those listed on the [ResourceOrgID condition key page](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgid). 
173 | 174 | Example data access patterns: 175 | 176 | * [Transit gateway peering connections](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-peering.html): You can create and manage a TGW peering connection with another account with the `CreateTransitGatewayPeeringAttachment`, `AcceptTransitGatewayPeeringAttachment`, `RejectTransitGatewayPeeringAttachment`, and `DeleteTransitGatewayPeeringAttachment` APIs. 177 | * [VPC peering connections](https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html): You can create and manage a VPC peering connection with another account with the `CreateVpcPeeringConnection`, `AcceptVpcPeeringConnection`, `RejectVpcPeeringConnection`, and `DeleteVpcPeeringConnection` APIs. 178 | * [VPC endpoint connections](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html): You can create and manage an endpoint service connection with another account with the `CreateVpcEndpoint`, `AcceptVpcEndpointConnections`, and `RejectVpcEndpointConnections` APIs. 179 | * [Amazon EBS snapshots](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html): You can copy a snapshot shared from a different account with the `CopySnapshot` API. 180 | * [Amazon Route 53 private hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html): You can associate and manage a VPC with a private hosted zone in a different account with the `CreateVPCAssociationAuthorization`, `AssociateVPCWithHostedZone`, `DisassociateVPCFromHostedZone`, `ListHostedZonesByVPC`, and `DeleteVPCAssociationAuthorization` APIs. 181 | * [Amazon Macie member accounts](https://docs.aws.amazon.com/macie/latest/user/accounts-mgmt-invitations-administer.html): You can accept a Macie membership invitation that was received from a different account with the `AcceptInvitation` API. 
182 | * [AWS Security Hub member accounts](https://docs.aws.amazon.com/securityhub/latest/userguide/account-management-manual.html): You can accept a Security Hub membership invitation that was received from a different account with the `AcceptAdministratorInvitation` API. 183 | * [Amazon GuardDuty member accounts](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_invitations.html): You can accept a GuardDuty membership invitation that was received from a different account with the `AcceptAdministratorInvitation` API. 184 | * [AWS Audit Manager assessment framework shares](https://docs.aws.amazon.com/audit-manager/latest/userguide/share-custom-framework.html): You can accept a share request for a custom framework from a different account with the `UpdateAssessmentFrameworkShare` API. 185 | * [Amazon OpenSearch cross-cluster search connections](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cross-cluster-search.html): You can accept a cross-cluster search connection request from a different account with the `AcceptInboundConnection` API. 186 | * [AWS Directory Service directory sharing](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_directory_sharing.html): You can accept a directory sharing request that was sent from a different account with the `AcceptSharedDirectory` API. 187 | 188 | You can also consider using service-specific condition keys such as `ec2:AccepterVpc` and `ec2:RequesterVpc` to restrict actions that are not supported by primary data perimeter controls (see [Work within a specific account](https://docs.aws.amazon.com/vpc/latest/peering/security-iam.html#vpc-peering-iam-account)). 189 | 190 | ### "Sid":"ProtectDataPerimeterTags" 191 | 192 | This statement is included in the [data_perimeter_governance_scp](data_perimeter_governance_scp.json) and prevents the attaching, detaching, and modifying of tags used for authorization controls within the data perimeter. 
193 | 194 | ### "Sid":"PreventS3PublicAccessBlockConfigurations" 195 | 196 | This statement is included in the [data_perimeter_governance_scp](data_perimeter_governance_scp.json) and prevents users from altering the account-level S3 Block Public Access configuration. 197 | 198 | [S3 Block Public Access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html) provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources. With S3 Block Public Access, account administrators and bucket owners can set up centralized controls that limit public access to their Amazon S3 resources and are enforced regardless of how the resources are created. 199 | 200 | ### "Sid":"PreventPublicBucketACL" 201 | 202 | This statement is included in the [data_perimeter_governance_scp](data_perimeter_governance_scp.json) and prevents users from applying public-read and public-read-write canned access control lists to Amazon S3 buckets. 203 | 204 | ### "Sid":"PreventLambdaFunctionURLAuthNone" 205 | 206 | This statement is included in the [data_perimeter_governance_scp](data_perimeter_governance_scp.json) and denies the creation or update of Lambda function URLs that have `lambda:FunctionUrlAuthType` set to `NONE`. 207 | 208 | [Lambda function URLs](https://docs.aws.amazon.com/lambda/latest/dg/lambda-urls.html) are a feature that lets you add HTTPS endpoints to your Lambda functions. When configuring a function URL for a new or existing function, you can set the `AuthType` parameter to `NONE`, which means Lambda won’t check for any IAM SigV4 signatures before invoking the function. If a function’s resource-based policy explicitly allows public access, the function is open to unauthenticated requests. 
-------------------------------------------------------------------------------- /service_control_policies/data_perimeter_governance_scp.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "PreventRAMExternalResourceShare", 6 | "Effect": "Deny", 7 | "Action": [ 8 | "ram:CreateResourceShare", 9 | "ram:UpdateResourceShare" 10 | ], 11 | "Resource": "*", 12 | "Condition": { 13 | "StringNotEqualsIfExists": { 14 | "aws:PrincipalTag/dp:exclude:identity": "true" 15 | }, 16 | "Bool": { 17 | "ram:RequestedAllowsExternalPrincipals": "true" 18 | } 19 | } 20 | }, 21 | { 22 | "Sid": "PreventExternalResourceShare", 23 | "Effect": "Deny", 24 | "Action": [ 25 | "ec2:ModifyImageAttribute", 26 | "ec2:ModifyFPGAImageAttribute", 27 | "ec2:CreateNetworkInterfacePermission", 28 | "ec2:EnableAddressTransfer", 29 | "ec2:ModifySnapshotAttribute", 30 | "ec2:ModifyVpcEndpointServicePermissions", 31 | "ssm:ModifyDocumentPermission", 32 | "rds:ModifyDBSnapshotAttribute", 33 | "rds:ModifyDBClusterSnapshotAttribute", 34 | "redshift:AuthorizeDataShare", 35 | "redshift:AuthorizeSnapshotAccess", 36 | "redshift:AuthorizeEndpointAccess", 37 | "ds:ShareDirectory", 38 | "directconnect:CreateDirectConnectGatewayAssociationProposal", 39 | "detective:CreateMembers", 40 | "logs:PutSubscriptionFilter", 41 | "lakeformation:GrantPermissions", 42 | "lakeformation:BatchGrantPermissions", 43 | "appstream:UpdateImagePermissions", 44 | "macie2:CreateInvitations", 45 | "securityhub:CreateMembers", 46 | "securityhub:InviteMembers", 47 | "guardduty:CreateMembers", 48 | "guardduty:InviteMembers", 49 | "auditmanager:StartAssessmentFrameworkShare", 50 | "workspaces:UpdateWorkspaceImagePermission", 51 | "oam:CreateLink", 52 | "servicecatalog:CreatePortfolioShare", 53 | "config:PutConfigurationAggregator", 54 | "fis:CreateTargetAccountConfiguration", 55 | "globalaccelerator:CreateCrossAccountAttachment", 56 | 
"cloud9:CreateEnvironmentMembership", 57 | "connect:BatchAssociateAnalyticsDataSet", 58 | "redshift-serverless:PutResourcePolicy" 59 | ], 60 | "Resource": "*", 61 | "Condition": { 62 | "StringNotEqualsIfExists": { 63 | "aws:PrincipalTag/dp:exclude:identity": "true" 64 | } 65 | } 66 | }, 67 | { 68 | "Sid": "ProtectActionsNotSupportedByPrimaryDPControls", 69 | "Effect": "Deny", 70 | "Action": [ 71 | "ec2:CreateTransitGatewayPeeringAttachment", 72 | "ec2:AcceptTransitGatewayPeeringAttachment", 73 | "ec2:RejectTransitGatewayPeeringAttachment", 74 | "ec2:DeleteTransitGatewayPeeringAttachment", 75 | "ec2:CreateVpcPeeringConnection", 76 | "ec2:AcceptVpcPeeringConnection", 77 | "ec2:RejectVpcPeeringConnection", 78 | "ec2:DeleteVpcPeeringConnection", 79 | "ec2:CreateVpcEndpoint", 80 | "ec2:AcceptVpcEndpointConnections", 81 | "ec2:RejectVpcEndpointConnections", 82 | "ec2:CopySnapshot", 83 | "route53:CreateVPCAssociationAuthorization", 84 | "route53:AssociateVPCWithHostedZone", 85 | "route53:DisassociateVPCFromHostedZone", 86 | "route53:ListHostedZonesByVPC", 87 | "route53:DeleteVPCAssociationAuthorization", 88 | "macie2:AcceptInvitation", 89 | "securityhub:AcceptAdministratorInvitation", 90 | "guardduty:AcceptAdministratorInvitation", 91 | "auditmanager:UpdateAssessmentFrameworkShare", 92 | "es:AcceptInboundConnection", 93 | "ds:AcceptSharedDirectory" 94 | ], 95 | "Resource": "*", 96 | "Condition": { 97 | "StringNotEqualsIfExists": { 98 | "aws:PrincipalTag/dp:exclude:resource": "true" 99 | } 100 | } 101 | }, 102 | { 103 | "Sid": "PreventPublicBucketACL", 104 | "Effect": "Deny", 105 | "Action": [ 106 | "s3:PutBucketAcl", 107 | "s3:CreateBucket" 108 | ], 109 | "Resource": "*", 110 | "Condition": { 111 | "StringEquals": { 112 | "s3:x-amz-acl": [ 113 | "public-read", 114 | "public-read-write" 115 | ] 116 | }, 117 | "StringNotEqualsIfExists": { 118 | "aws:PrincipalTag/dp:exclude:identity": "true" 119 | } 120 | } 121 | }, 122 | { 123 | "Sid": 
"PreventS3PublicAccessBlockConfigurations", 124 | "Effect": "Deny", 125 | "Action": "s3:PutAccountPublicAccessBlock", 126 | "Resource": "*", 127 | "Condition": { 128 | "StringNotEqualsIfExists": { 129 | "aws:PrincipalTag/dp:exclude:identity": "true" 130 | } 131 | } 132 | }, 133 | { 134 | "Sid":"PreventLambdaFunctionURLAuthNone", 135 | "Effect":"Deny", 136 | "Action":[ 137 | "lambda:AddPermission", 138 | "lambda:UpdateFunctionUrlConfig", 139 | "lambda:CreateFunctionUrlConfig" 140 | ], 141 | "Resource":"*", 142 | "Condition":{ 143 | "StringNotEqualsIfExists":{ 144 | "aws:PrincipalTag/dp:exclude:identity": "true" 145 | }, 146 | "StringEquals": { 147 | "lambda:FunctionUrlAuthType" : "NONE" 148 | } 149 | } 150 | }, 151 | { 152 | "Sid": "ProtectDataPerimeterTags", 153 | "Effect": "Deny", 154 | "Action": "*", 155 | "Resource": "*", 156 | "Condition": { 157 | "StringNotEqualsIfExists": { 158 | "aws:PrincipalTag/team": "admin" 159 | }, 160 | "ForAnyValue:StringLike": { 161 | "aws:TagKeys": [ 162 | "dp:*", 163 | "team" 164 | ] 165 | } 166 | } 167 | } 168 | ] 169 | } 170 | -------------------------------------------------------------------------------- /service_control_policies/network_perimeter_scp.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "EnforceNetworkPerimeter", 6 | "Effect": "Deny", 7 | "NotAction": [ 8 | "es:ES*", 9 | "dax:GetItem", 10 | "dax:BatchGetItem", 11 | "dax:Query", 12 | "dax:Scan", 13 | "dax:PutItem", 14 | "dax:UpdateItem", 15 | "dax:DeleteItem", 16 | "dax:BatchWriteItem", 17 | "dax:ConditionCheckItem", 18 | "neptune-db:*", 19 | "kafka-cluster:*", 20 | "elasticfilesystem:client*", 21 | "rds-db:connect" 22 | ], 23 | "Resource": "*", 24 | "Condition": { 25 | "BoolIfExists": { 26 | "aws:ViaAWSService": "false" 27 | }, 28 | "NotIpAddressIfExists": { 29 | "aws:SourceIp": [ 30 | "" 31 | ] 32 | }, 33 | "StringNotEqualsIfExists": { 34 | 
"aws:PrincipalTag/dp:exclude:network": "true", 35 | "aws:SourceVpc": [ 36 | "" 37 | ] 38 | }, 39 | "ArnNotLikeIfExists": { 40 | "aws:PrincipalArn": [ 41 | "arn:aws:iam::*:role/aws:ec2-infrastructure" 42 | ] 43 | }, 44 | "StringEquals": { 45 | "aws:PrincipalTag/dp:include:network": "true" 46 | } 47 | } 48 | } 49 | ] 50 | } -------------------------------------------------------------------------------- /service_control_policies/resource_perimeter_scp.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid":"EnforceResourcePerimeterAWSResources", 6 | "Effect":"Deny", 7 | "NotAction":[ 8 | "iam:GetPolicy", 9 | "iam:GetPolicyVersion", 10 | "iam:ListEntitiesForPolicy", 11 | "iam:ListPolicyVersions", 12 | "iam:GenerateServiceLastAccessedDetails", 13 | "cloudformation:CreateChangeSet", 14 | "s3:GetObject", 15 | "s3:GetObjectVersion", 16 | "s3:PutObject", 17 | "s3:PutObjectAcl", 18 | "s3:ListBucket", 19 | "ssm:Describe*", 20 | "ssm:List*", 21 | "ssm:Get*", 22 | "ssm:SendCommand", 23 | "ssm:CreateAssociation", 24 | "ssm:StartSession", 25 | "ssm:StartChangeRequestExecution", 26 | "ssm:StartAutomationExecution", 27 | "imagebuilder:GetComponent", 28 | "imagebuilder:GetImage", 29 | "ecr:GetDownloadUrlForLayer", 30 | "ecr:BatchGetImage", 31 | "lambda:GetLayerVersion", 32 | "ec2:CreateTags", 33 | "ec2:DeleteTags", 34 | "ec2:GetManagedPrefixListEntries", 35 | "" 36 | 37 | ], 38 | "Resource":"*", 39 | "Condition":{ 40 | "StringNotEqualsIfExists":{ 41 | "aws:ResourceOrgID":"", 42 | "ec2:Owner":"amazon", 43 | "aws:PrincipalTag/dp:exclude:resource": "true" 44 | } 45 | } 46 | }, 47 | { 48 | "Sid":"EnforceResourcePerimeterAWSResourcesS3", 49 | "Effect":"Deny", 50 | "Action":[ 51 | "s3:GetObject", 52 | "s3:GetObjectVersion", 53 | "s3:PutObject", 54 | "s3:PutObjectAcl", 55 | "s3:ListBucket" 56 | ], 57 | "Resource":"*", 58 | "Condition":{ 59 | "StringNotEqualsIfExists":{ 60 | 
"aws:ResourceOrgID":"", 61 | "aws:ResourceAccount": "", 62 | "aws:PrincipalTag/dp:exclude:resource": "true", 63 | "aws:PrincipalTag/dp:exclude:resource:s3": "true" 64 | }, 65 | "ForAllValues:StringNotEquals":{ 66 | "aws:CalledVia":[ 67 | "dataexchange.amazonaws.com", 68 | "servicecatalog.amazonaws.com" 69 | ] 70 | } 71 | } 72 | }, 73 | { 74 | "Sid": "EnforceResourcePerimeterAWSResourcesSSM", 75 | "Effect": "Deny", 76 | "Action": [ 77 | "ssm:SendCommand", 78 | "ssm:CreateAssociation", 79 | "ssm:StartSession", 80 | "ssm:Get*", 81 | "ssm:StartChangeRequestExecution", 82 | "ssm:StartAutomationExecution" 83 | ], 84 | "Resource": "*", 85 | "Condition": { 86 | "StringNotEqualsIfExists": { 87 | "aws:ResourceOrgID": "", 88 | "aws:PrincipalTag/dp:exclude:resource:ssm": "true", 89 | "aws:PrincipalTag/dp:exclude:resource": "true" 90 | } 91 | } 92 | }, 93 | { 94 | "Sid": "EnforceResourcePerimeterAWSResourcesEC2ImageBuilder", 95 | "Effect": "Deny", 96 | "Action": [ 97 | "imagebuilder:GetComponent", 98 | "imagebuilder:GetImage" 99 | ], 100 | "Resource": "*", 101 | "Condition": { 102 | "StringNotEqualsIfExists": { 103 | "aws:ResourceOrgID": "", 104 | "aws:PrincipalTag/dp:exclude:resource:imagebuilder": "true", 105 | "aws:PrincipalTag/dp:exclude:resource": "true" 106 | } 107 | } 108 | }, 109 | { 110 | "Sid": "EnforceResourcePerimeterAWSResourcesECR", 111 | "Effect": "Deny", 112 | "Action": [ 113 | "ecr:GetDownloadUrlForLayer", 114 | "ecr:BatchGetImage" 115 | ], 116 | "Resource": "*", 117 | "Condition": { 118 | "StringNotEqualsIfExists": { 119 | "aws:ResourceAccount": "", 120 | "aws:ResourceOrgID": "", 121 | "aws:PrincipalTag/dp:exclude:resource": "true" 122 | } 123 | } 124 | }, 125 | { 126 | "Sid": "EnforceResourcePerimeterAWSResourcesLambdaLayer", 127 | "Effect": "Deny", 128 | "Action": [ 129 | "lambda:GetLayerVersion" 130 | ], 131 | "Resource": "*", 132 | "Condition": { 133 | "StringNotEqualsIfExists": { 134 | "aws:ResourceAccount": "", 135 | "aws:ResourceOrgID": "", 136 | 
"aws:PrincipalTag/dp:exclude:resource": "true" 137 | } 138 | } 139 | }, 140 | { 141 | "Sid": "EnforceResourcePerimeterAWSResourcesEC2PrefixList", 142 | "Effect": "Deny", 143 | "Action": [ 144 | "ec2:CreateTags", 145 | "ec2:DeleteTags", 146 | "ec2:GetManagedPrefixListEntries" 147 | ], 148 | "Resource": "*", 149 | "Condition": { 150 | "StringNotEqualsIfExists": { 151 | "aws:ResourceOrgID": "", 152 | "aws:PrincipalTag/dp:exclude:resource:ec2": "true", 153 | "aws:PrincipalTag/dp:exclude:resource": "true" 154 | } 155 | } 156 | }, 157 | { 158 | "Sid":"EnforceResourcePerimeterThirdPartyResources", 159 | "Effect":"Deny", 160 | "Action":"", 161 | "Resource":"*", 162 | "Condition":{ 163 | "StringNotEqualsIfExists":{ 164 | "aws:ResourceOrgID":"", 165 | "aws:PrincipalTag/dp:exclude:resource": "true", 166 | "aws:ResourceAccount": [ 167 | "", 168 | "" 169 | ] 170 | } 171 | } 172 | } 173 | ] 174 | } -------------------------------------------------------------------------------- /service_control_policies/service_specific_controls/README.md: -------------------------------------------------------------------------------- 1 | # Examples of service-specific controls 2 | 3 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0 4 | 5 | ## Description 6 | 7 | This folder contains examples of SCPs with service-specific controls you might want to enforce when implementing a data perimeter for a service. These examples do not represent a complete list of valid data access patterns, and they are intended for you to tailor and extend them to suit the needs of your environment. 8 | 9 | Use the following example SCPs individually or in combination: 10 | 11 | * [network_perimeter_ec2_scp](/service_control_policies/service_specific_controls/network_perimeter_ec2_scp.json) – Enforces network perimeter controls on service roles used by Amazon EC2 instances. 
12 | * [network_perimeter_iam_users_scp](/service_control_policies/service_specific_controls/network_perimeter_iam_users_scp.json) - Enforces network perimeter controls on IAM users with long-term access keys. 13 | * [network_perimeter_lambda_scp](/service_control_policies/service_specific_controls/network_perimeter_lambda_scp.json) - Enforces network perimeter controls on service roles used by AWS Lambda. 14 | * [restrict_nonvpc_deployment_scp](/service_control_policies/service_specific_controls/restrict_nonvpc_deployment_scp.json) - Enforces deployment of resources in a customer managed Amazon VPC. 15 | * [restrict_idp_configurations_scp](/service_control_policies/service_specific_controls/restrict_idp_configurations_scp.json) - Restricts ability to make configuration changes to the IAM SAML identity providers. 16 | 17 | Note that the SCP examples in this repository use a [deny list strategy](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_strategies.html), which means that you also need a FullAWSAccess policy or other policy attached to your AWS Organizations organization entities to allow actions. You still also need to grant appropriate permissions to your principals by using identity-based or resource-based policies. 18 | 19 | #### Network perimeter controls 20 | 21 | Network perimeter policy examples in this folder enforce the controls on specific service roles and IAM users. 22 | * Some AWS services use [service roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role) to perform tasks on your behalf. Some service roles are designed to be used by a service to directly call other services on your behalf as well as to make API calls from your code (for example, an [AWS Lambda](https://aws.amazon.com/lambda/) function role is used to publish logs to [Amazon CloudWatch](https://aws.amazon.com/cloudwatch/) and to make calls to AWS APIs from the Lambda function code). 
Because these services allow code execution, it is possible for a user to obtain the credentials associated with a service role. Therefore, you may want to enforce the use of such credentials from expected networks only. 23 | * You may also want to restrict the use of [IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) to expected networks only. We recommend using [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) instead of IAM users with long-term access keys, as these access keys remain valid until manually revoked and therefore present a higher security risk. If your organization continues to use IAM users, implementing network perimeter controls can help mitigate potential security risks. 24 | 25 | The following are the services and actions that require an exception to the network perimeter: 26 | * Some AWS services have resources that are accessible from within your VPC through network interfaces or run inside your VPC, and use IAM for authentication. To account for this access pattern, you should list relevant actions in the `NotAction` element in the example policies and use network security controls such as [security groups](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html), [access control lists](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html), and firewalls such as [AWS Network Firewall](https://aws.amazon.com/network-firewall/) to control the networks and IP addresses that can access these resources. 27 | * `dax:GetItem`, `dax:BatchGetItem`, `dax:Query`, `dax:Scan`, `dax:PutItem`, `dax:UpdateItem`, `dax:DeleteItem`, `dax:BatchWriteItem`, and `dax:ConditionCheckItem` – Required for [Amazon DynamoDB Accelerator (DAX)](https://aws.amazon.com/dynamodb/dax/) operations. At runtime, the DAX client directs all of your application's DynamoDB API requests to the DAX cluster, which runs in your VPC. 
Even though these requests originate from your VPC, they do not traverse a VPC endpoint. 28 | * `neptune-db:*` – Required for [Amazon Neptune](https://aws.amazon.com/neptune/). Amazon Neptune databases are deployed in your VPC and are accessed over a network interface in the VPC. The `neptune-db` IAM namespace is only used to access the Neptune database in your VPCs with [IAM authentication](https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth-connecting.html) and is not used with AWS APIs. 29 | * `elasticfilesystem:ClientMount`,`elasticfilesystem:RootAccess`,`elasticfilesystem:ClientWrite` – Required to use [Amazon Elastic File System (EFS)](https://aws.amazon.com/efs/) with [IAM authorization](https://docs.aws.amazon.com/efs/latest/ug/mounting-IAM-option.html). These IAM actions are only used to access Amazon EFS file systems from within your VPC via a network interface. To save space in the policy example, these three IAM actions are written with a wildcard character as `elasticfilesystem:Client*`. 30 | * `rds-db:Connect` – Required to use [Amazon Relational Database Service (RDS)](https://aws.amazon.com/rds/) with [IAM authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html). Amazon RDS databases are deployed in your VPC and are accessed over a network interface in the VPC. The `rds-db` IAM namespace is only used for authentication to RDS databases. 31 | * `kafka-cluster:*` – Required to use [Amazon Managed Streaming for Apache Kafka (MSK)](https://aws.amazon.com/msk/) with [IAM access control](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html). The `kafka-cluster` IAM namespace is only used to access Amazon MSK clusters in your VPCs with IAM authentication. 
32 | * `es:ESHttpGet`, `es:ESHttpPut`, `es:ESHttpDelete`, `es:ESHttpPost`, `es:ESHttpPatch`, `es:ESHttpHead` – Required to use [Amazon OpenSearch Service](https://aws.amazon.com/opensearch-service/) with [IAM authentication for OpenSearch Domains](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource). These IAM actions are only used to access OpenSearch domains. When an OpenSearch domain is deployed with "VPC Access" selected, requests to that OpenSearch domain traverse a network interface in your VPC and do not traverse a VPC endpoint. If you are using IAM authentication with an OpenSearch domain that is configured to be accessible in "public" mode over the Internet, you can use the `aws:SourceIp` condition key to help control from which networks the OpenSearch domain can be accessed. To save space in the policy example, these IAM actions are written with a wildcard character as `es:ES*`. 33 | 34 | ## Included data access patterns 35 | 36 | The following policy statements are included in the SCP examples, each statement representing specific data access patterns. 37 | 38 | ### "Sid":"EnforceNetworkPerimeterOnEC2Roles" 39 | 40 | This policy statement is included in the [network_perimeter_ec2_scp](network_perimeter_ec2_scp.json) and limits access to expected networks for service roles used by Amazon EC2 instance profiles. Expected networks are defined as follows: 41 | * Your on-premises data centers and static egress points in AWS such as a NAT gateway that are specified by IP ranges (``) in the policy statement. 42 | * Your organization’s VPCs that are specified by VPC IDs (``) in the policy statement. 43 | * Networks of AWS services that use [forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) to access resources on your behalf as denoted by `aws:ViaAWSService` in the policy statement. 
This access pattern applies when you access data via an AWS service, and that service takes subsequent actions on your behalf by using your IAM credentials. 44 | * Networks of AWS services when AWS services interact with [KMS](https://aws.amazon.com/kms/) encrypted AMIs, volumes, or snapshots as denoted by the `aws:PrincipalArn` condition key with a value of `arn:aws:iam::*:role/aws:ec2-infrastructure`. 45 | 46 | The `ec2:SourceInstanceARN` condition key is used to target role sessions that are created for applications running on your Amazon EC2 instances. 47 | 48 | ### "Sid":"EnforceNetworkPerimeterOnIAMUsers" 49 | 50 | This policy statement is included in the [network_perimeter_iam_users_scp](/service_control_policies/service_specific_controls/network_perimeter_iam_users_scp.json) and limits access to expected networks for IAM users. Expected networks are defined as follows: 51 | * Your on-premises data centers and static egress points in AWS such as a NAT gateway that are specified by IP ranges (``) in the policy statement. 52 | * Your organization’s VPCs that are specified by VPC IDs (``) in the policy statement. 53 | * Networks of AWS services that use [forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) to access resources on your behalf as denoted by `aws:ViaAWSService` in the policy statement. This access pattern applies when you access data via an AWS service, and that service takes subsequent actions on your behalf by using your IAM credentials. 54 | 55 | 56 | ### "Sid":"EnforceNetworkPerimeterOnLambdaRoles" 57 | 58 | This policy statement is included in the [network_perimeter_lambda_scp](/service_control_policies/service_specific_controls/network_perimeter_lambda_scp.json) and limits access to expected networks for service roles used by AWS Lambda. 
Expected networks are defined as follows: 59 | * Your on-premises data centers and static egress points in AWS such as a NAT gateway that are specified by IP ranges (``) in the policy statement. 60 | * Your organization’s VPCs that are specified by VPC IDs (``) in the policy statement. 61 | * Networks of AWS services that use [forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) to access resources on your behalf as denoted by `aws:ViaAWSService` in the policy statement. This access pattern applies when you access data via an AWS service, and that service takes subsequent actions on your behalf by using your IAM credentials. 62 | * AWS Lambda networks when the service interacts with [CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html), [AWS X-Ray](https://aws.amazon.com/xray/), and [Amazon EFS](https://aws.amazon.com/efs/), as denoted by the `NotAction` element with the actions `xray:PutTraceSegments`, `logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:PutLogEvents`, and `elasticfilesystem:ClientMount`. 63 | 64 | The [`lambda:SourceFunctionArn`](https://docs.aws.amazon.com/lambda/latest/dg/permissions-source-function-arn.html) condition key is used to target role sessions that are created for your function's execution environment. 
65 | 66 | ### "Sid":"PreventIdPTrustModifications" 67 | 68 | This statement is included in the [restrict_idp_configurations_scp](restrict_idp_configurations_scp.json) and prevents users from making configuration changes to the IAM SAML [identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html), IAM OIDC [identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html), and [AWS IAM Roles Anywhere](https://aws.amazon.com/iam/roles-anywhere/) [trust anchors](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/getting-started.html). It also prevents creation of an [account instance of IAM Identity Center]( https://docs.aws.amazon.com/singlesignon/latest/userguide/account-instances-identity-center.html). 69 | 70 | ### "Sid":"PreventDeploymentCodeStarConnections" 71 | 72 | This statement is included in the [restrict_nonvpc_deployment_scp](restrict_nonvpc_deployment_scp.json) and limits the use of [AWS CodeStar Connections](https://docs.aws.amazon.com/codestar-connections/latest/APIReference/Welcome.html). 73 | 74 | AWS services such as AWS CodeStar Connections do not support deployment within a VPC and provide direct access to the internet that is not controlled by your VPC. You can block the use of such services by using SCPs or implementing your own proxy solution to inspect egress traffic. 
75 | 76 | ### "Sid":"PreventNonVPCDeploymentSageMaker", "Sid":"PreventNonVPCDeploymentGlueJob", "Sid":"PreventNonVPCDeploymentCloudShell", "Sid":"PreventNonVPCDeploymentLambda", and "Sid":"PreventNonVPCDeploymentAppRunner" 77 | 78 | These statements are included in the [restrict_nonvpc_deployment_scp](restrict_nonvpc_deployment_scp.json) and explicitly deny relevant [Amazon SageMaker](https://aws.amazon.com/sagemaker/), [AWS Glue](https://aws.amazon.com/glue/), [AWS CloudShell](https://aws.amazon.com/cloudshell/), [AWS Lambda](https://aws.amazon.com/lambda/), and [AWS App Runner](https://aws.amazon.com/apprunner/) operations unless they have VPC configurations specified in the requests. Use these statements to enforce deployment in a VPC for these services. 79 | 80 | Services such as Lambda, AWS Glue, CloudShell, App Runner, and SageMaker support different deployment models. For example, [Amazon SageMaker Studio](https://aws.amazon.com/pm/sagemaker/) and [SageMaker notebook instances](https://docs.aws.amazon.com/sagemaker/latest/dg/nbi.html) allow direct internet access by default. However, they provide you with the capability to configure them to run within your VPC so that you can inspect requests by using VPC endpoint policies (against identity and resource perimeter controls) and enforce the network perimeter. 81 | 82 | 83 | ### "Sid": "PreventNonVpcOnlySageMakerDomain" 84 | 85 | This statement is included in the [restrict_nonvpc_deployment_scp](restrict_nonvpc_deployment_scp.json) and prevents users from creating [Amazon SageMaker domains](https://docs.aws.amazon.com/sagemaker/latest/dg/sm-domain.html) that can access the internet through a VPC managed by SageMaker, or updating SageMaker domains to allow access to the internet through a VPC managed by SageMaker. 
86 | For more details, see the definition of the parameter [`AppNetworkAccessType`](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UpdateDomain.html#sagemaker-UpdateDomain-request-AppNetworkAccessType) in the Amazon SageMaker API Reference. 87 | 88 | 89 | ### "Sid": "PreventDirectInternetAccessSageMakerNotebook" 90 | 91 | This statement is included in the [restrict_nonvpc_deployment_scp](restrict_nonvpc_deployment_scp.json) and prevents users from creating [Amazon SageMaker notebook instances](https://docs.aws.amazon.com/sagemaker/latest/dg/nbi.html) that can access the internet through a VPC managed by SageMaker. The statement matches `sagemaker:DirectInternetAccess` = `Enabled` with a `StringEquals` condition (rather than denying everything that is not `Disabled`), so before relying on it, test that a `CreateNotebookInstance` request that omits the `DirectInternetAccess` parameter — whose documented default is `Enabled` — is also denied in your environment. 92 | For more details, see [Connect a Notebook Instance in a VPC to External Resources](https://docs.aws.amazon.com/sagemaker/latest/dg/appendix-notebook-and-internet-access.html) in the Amazon SageMaker documentation. 93 | 94 | -------------------------------------------------------------------------------- /service_control_policies/service_specific_controls/network_perimeter_ec2_scp.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "EnforceNetworkPerimeterOnEC2Roles", 6 | "Effect": "Deny", 7 | "NotAction": [ 8 | "es:ES*", 9 | "dax:GetItem", 10 | "dax:BatchGetItem", 11 | "dax:Query", 12 | "dax:Scan", 13 | "dax:PutItem", 14 | "dax:UpdateItem", 15 | "dax:DeleteItem", 16 | "dax:BatchWriteItem", 17 | "dax:ConditionCheckItem", 18 | "neptune-db:*", 19 | "kafka-cluster:*", 20 | "elasticfilesystem:client*", 21 | "rds-db:connect" 22 | ], 23 | "Resource": "*", 24 | "Condition": { 25 | "BoolIfExists": { 26 | "aws:ViaAWSService": "false" 27 | }, 28 | "NotIpAddressIfExists": { 29 | "aws:SourceIp": [ 30 | "" 31 | ] 32 | }, 33 | "StringNotEqualsIfExists": { 34 | "aws:PrincipalTag/dp:exclude:network": "true", 35 | "aws:SourceVpc": [ 36 | "" 37 | ] 38 | }, 39 | "ArnNotLikeIfExists": { 40 | "aws:PrincipalArn": [ 41 | 
"arn:aws:iam::*:role/aws:ec2-infrastructure" 42 | ] 43 | }, 44 | "Null": { 45 | "ec2:SourceInstanceARN": "false" 46 | } 47 | } 48 | } 49 | ] 50 | } -------------------------------------------------------------------------------- /service_control_policies/service_specific_controls/network_perimeter_iam_users_scp.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "EnforceNetworkPerimeterOnIAMUsers", 6 | "Effect": "Deny", 7 | "NotAction": [ 8 | "es:ES*", 9 | "dax:GetItem", 10 | "dax:BatchGetItem", 11 | "dax:Query", 12 | "dax:Scan", 13 | "dax:PutItem", 14 | "dax:UpdateItem", 15 | "dax:DeleteItem", 16 | "dax:BatchWriteItem", 17 | "dax:ConditionCheckItem", 18 | "neptune-db:*", 19 | "kafka-cluster:*", 20 | "elasticfilesystem:client*", 21 | "rds-db:connect" 22 | ], 23 | "Resource": "*", 24 | "Condition": { 25 | "BoolIfExists": { 26 | "aws:ViaAWSService": "false" 27 | }, 28 | "NotIpAddressIfExists": { 29 | "aws:SourceIp": [ 30 | "" 31 | ] 32 | }, 33 | "StringNotEqualsIfExists": { 34 | "aws:SourceVpc": [ 35 | "" 36 | ] 37 | }, 38 | "ArnLike": { 39 | "aws:PrincipalArn": [ 40 | "arn:aws:iam::*:user/*" 41 | ] 42 | } 43 | } 44 | } 45 | ] 46 | } -------------------------------------------------------------------------------- /service_control_policies/service_specific_controls/network_perimeter_lambda_scp.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "EnforceNetworkPerimeterOnLambdaRoles", 6 | "Effect": "Deny", 7 | "NotAction": [ 8 | "es:ES*", 9 | "dax:GetItem", 10 | "dax:BatchGetItem", 11 | "dax:Query", 12 | "dax:Scan", 13 | "dax:PutItem", 14 | "dax:UpdateItem", 15 | "dax:DeleteItem", 16 | "dax:BatchWriteItem", 17 | "dax:ConditionCheckItem", 18 | "logs:CreateLogGroup", 19 | "logs:CreateLogStream", 20 | "logs:PutLogEvents", 21 | "elasticfilesystem:ClientMount", 22 | 
"xray:PutTraceSegments" 23 | ], 24 | "Resource": "*", 25 | "Condition": { 26 | "BoolIfExists": { 27 | "aws:ViaAWSService": "false" 28 | }, 29 | "NotIpAddressIfExists": { 30 | "aws:SourceIp": [ 31 | "" 32 | ] 33 | }, 34 | "StringNotEqualsIfExists": { 35 | "aws:PrincipalTag/dp:exclude:network": "true", 36 | "aws:SourceVpc": [ 37 | "" 38 | ] 39 | }, 40 | "Null": { 41 | "lambda:SourceFunctionArn": "false" 42 | } 43 | } 44 | } 45 | ] 46 | } -------------------------------------------------------------------------------- /service_control_policies/service_specific_controls/restrict_idp_configurations_scp.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "PreventIdPTrustModifications", 6 | "Effect": "Deny", 7 | "Action": [ 8 | "iam:CreateOpenIDConnectProvider", 9 | "iam:DeleteOpenIDConnectProvider", 10 | "iam:AddClientIDToOpenIDConnectProvider", 11 | "iam:RemoveClientIDFromOpenIDConnectProvider", 12 | "iam:TagOpenIDConnectProvider", 13 | "iam:UntagOpenIDConnectProvider", 14 | "iam:UpdateOpenIDConnectProviderThumbprint", 15 | "iam:CreateSAMLProvider", 16 | "iam:DeleteSAMLProvider", 17 | "iam:TagSAMLProvider", 18 | "iam:UntagSAMLProvider", 19 | "iam:UpdateSAMLProvider", 20 | "rolesanywhere:CreateTrustAnchor", 21 | "rolesanywhere:DeleteTrustAnchor", 22 | "rolesanywhere:EnableTrustAnchor", 23 | "rolesanywhere:DisableTrustAnchor", 24 | "rolesanywhere:UpdateTrustAnchor", 25 | "rolesanywhere:EnableCrl", 26 | "rolesanywhere:DeleteCrl", 27 | "rolesanywhere:DisableCrl", 28 | "rolesanywhere:ImportCrl", 29 | "rolesanywhere:UpdateCrl", 30 | "rolesanywhere:TagResource", 31 | "rolesanywhere:UntagResource", 32 | "sso:CreateInstance" 33 | ], 34 | "Resource": "*", 35 | "Condition": { 36 | "StringNotEqualsIfExists": { 37 | "aws:PrincipalTag/dp:exclude:identity": "true" 38 | } 39 | } 40 | } 41 | ] 42 | } 43 | 
-------------------------------------------------------------------------------- /service_control_policies/service_specific_controls/restrict_nonvpc_deployment_scp.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "PreventDeploymentCodeStarConnections", 6 | "Effect": "Deny", 7 | "Action": [ 8 | "codestar-connections:*" 9 | ], 10 | "Resource": "*", 11 | "Condition": { 12 | "StringNotEqualsIfExists": { 13 | "aws:PrincipalTag/dp:exclude": "true" 14 | } 15 | } 16 | }, 17 | { 18 | "Sid":"PreventNonVPCDeploymentSageMaker", 19 | "Effect":"Deny", 20 | "Action":[ 21 | "sagemaker:CreateAutoMLJob", 22 | "sagemaker:CreateAutoMLJobV2", 23 | "sagemaker:CreateCluster", 24 | "sagemaker:CreateDataQualityJobDefinition", 25 | "sagemaker:CreateDomain", 26 | "sagemaker:CreateHyperParameterTuningJob", 27 | "sagemaker:CreateModel", 28 | "sagemaker:CreateModelBiasJobDefinition", 29 | "sagemaker:CreateModelExplainabilityJobDefinition", 30 | "sagemaker:CreateModelQualityJobDefinition", 31 | "sagemaker:CreateMonitoringSchedule", 32 | "sagemaker:CreateNotebookInstance", 33 | "sagemaker:CreateProcessingJob", 34 | "sagemaker:CreateTrainingJob", 35 | "sagemaker:UpdateDomain", 36 | "sagemaker:UpdateMonitoringSchedule" 37 | ], 38 | "Resource":"*", 39 | "Condition":{ 40 | "StringNotEqualsIfExists": { 41 | "aws:PrincipalTag/dp:exclude": "true" 42 | }, 43 | "Null":{ 44 | "sagemaker:VpcSubnets":"true" 45 | } 46 | } 47 | }, 48 | { 49 | "Sid": "PreventNonVpcOnlySageMakerDomain", 50 | "Effect": "Deny", 51 | "Action": [ 52 | "sagemaker:CreateDomain", 53 | "sagemaker:UpdateDomain" 54 | ], 55 | "Resource": "*", 56 | "Condition": { 57 | "StringNotEqualsIfExists": { 58 | "aws:PrincipalTag/dp:exclude": "true", 59 | "sagemaker:AppNetworkAccessType": "VpcOnly" 60 | } 61 | } 62 | }, 63 | { 64 | "Sid": "PreventDirectInternetAccessSageMakerNotebook", 65 | "Effect": "Deny", 66 | "Action": [ 67 | 
"sagemaker:CreateNotebookInstance" 68 | ], 69 | "Resource": "*", 70 | "Condition": { 71 | "StringEquals": { 72 | "sagemaker:DirectInternetAccess": "Enabled" 73 | }, 74 | "StringNotEqualsIfExists": { 75 | "aws:PrincipalTag/dp:exclude": "true" 76 | } 77 | } 78 | }, 79 | { 80 | "Sid":"PreventNonVPCDeploymentLambda", 81 | "Effect":"Deny", 82 | "Action":[ 83 | "lambda:CreateFunction", 84 | "lambda:UpdateFunctionConfiguration" 85 | ], 86 | "Resource":"*", 87 | "Condition":{ 88 | "StringNotEqualsIfExists": { 89 | "aws:PrincipalTag/dp:exclude": "true" 90 | }, 91 | "Null":{ 92 | "lambda:VpcIds":"true" 93 | } 94 | } 95 | }, 96 | { 97 | "Sid":"PreventNonVPCDeploymentGlueJob", 98 | "Effect": "Deny", 99 | "Action": [ 100 | "glue:CreateJob", 101 | "glue:UpdateJob" 102 | ], 103 | "Resource": "*", 104 | "Condition": { 105 | "StringNotEqualsIfExists": { 106 | "aws:PrincipalTag/dp:exclude": "true" 107 | }, 108 | "Null": { 109 | "glue:VpcIds": "true" 110 | } 111 | } 112 | }, 113 | { 114 | "Sid": "PreventNonVPCDeploymentCloudShell", 115 | "Action": [ 116 | "cloudshell:CreateEnvironment" 117 | ], 118 | "Effect": "Deny", 119 | "Resource": "*", 120 | "Condition": { 121 | "StringNotEqualsIfExists": { 122 | "aws:PrincipalTag/dp:exclude": "true" 123 | }, 124 | "Null": { 125 | "cloudshell:VpcIds": "true" 126 | } 127 | } 128 | }, 129 | { 130 | "Sid": "PreventNonVPCDeploymentAppRunner", 131 | "Effect": "Deny", 132 | "Action": [ 133 | "apprunner:CreateService", 134 | "apprunner:UpdateService" 135 | ], 136 | "Resource": "*", 137 | "Condition": { 138 | "StringNotEqualsIfExists": { 139 | "aws:PrincipalTag/dp:exclude": "true" 140 | }, 141 | "Null": { 142 | "apprunner:VpcConnectorArn": "true" 143 | } 144 | } 145 | } 146 | ] 147 | } 148 | -------------------------------------------------------------------------------- /service_owned_resources.md: -------------------------------------------------------------------------------- 1 | # Service-owned resources 2 | 3 | Copyright Amazon.com, Inc. 
or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0 4 | 5 | ## Description 6 | The following table contains service-owned resources that AWS services use to perform actions on your behalf: 7 | * The *Resource type* column contains the resource type of a service-owned resource. 8 | * The *Resource owner* column contains the name of the service that uses the service-owned resource to support its operations. 9 | * The *Resource ARN* column contains the ARN format of the service-owned resource. 10 | * The *Description* column contains information about the features that require access to the service-owned resources specified in the *Resource ARN* column. If your users and applications use the described feature, the policies listed in the *Policy example* column must allow access to those service-owned resources. 11 | * The *Policy example* column contains links to policy examples that allow access to the service-owned resources specified in the *Resource ARN* column.
* You need to allow access to service-owned resources in VPC endpoint policies only when you access the AWS service through AWS PrivateLink (a VPC endpoint); if no VPC endpoint is in the request path, only the SCP and resource-based policy examples apply. 12 | 13 | ## List of resources 14 | 15 | | Resource type | Resource owner | Resource ARN | Description | Policy example| 16 | |------|------|-----------|-----------------------|------| 17 | | Amazon EC2 Image Builder component | Amazon EC2 Image Builder | `arn:aws:imagebuilder:*:aws:component/*`| Image Builder maintains [managed components owned by Amazon](https://docs.aws.amazon.com/imagebuilder/latest/userguide/use-managed-components.html) that you can use to customize or test your images. If you are using service-owned components in your image or container recipes, the [AWS Task Orchestrator and Executor (AWSTOE)](https://docs.aws.amazon.com/imagebuilder/latest/userguide/toe-component-manager.html) component management application running on Amazon EC2 instances uses an instance profile to access these components. See [How Image Builder works with IAM policies and roles](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security_iam_service-with-iam.html#sec-iam-ib-id-based-policies-resources) and [Image Builder and AWS PrivateLink interface VPC endpoints](https://docs.aws.amazon.com/imagebuilder/latest/userguide/vpc-interface-endpoints.html) for more details.| [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)

[imagebuilder_endpoint_policy.json](vpc_endpoint_policies/imagebuilder_endpoint_policy.json) | 18 | | Amazon EC2 Image Builder image | Amazon EC2 Image Builder | `arn:aws:imagebuilder:*:aws:image/*` | Image Builder maintains [managed Image Builder images owned by Amazon](https://docs.aws.amazon.com/imagebuilder/latest/userguide/manage-images.html) that you can use as base images for your recipes. If you are using service-owned images, the AWSTOE uses an instance profile to retrieve these images to set up and boot an EC2 instance. See [How Image Builder works with IAM policies and roles](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security_iam_service-with-iam.html#sec-iam-ib-id-based-policies-resources) and [Image Builder and AWS PrivateLink interface VPC endpoints](https://docs.aws.amazon.com/imagebuilder/latest/userguide/vpc-interface-endpoints.html) for more details.| [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)

[imagebuilder_endpoint_policy.json](vpc_endpoint_policies/imagebuilder_endpoint_policy.json) | 19 | | Amazon EC2 image | Amazon Elastic Compute Cloud (Amazon EC2) | `arn:aws:ec2:*::image/*` | Amazon EC2 maintains [Amazon Machine Image (AMIs) owned by Amazon](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharing-amis.html) that you can use to launch an Amazon EC2 instance or update the EBS-backed root volume of the instance. See [Launch instances (RunInstances)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-runinstances) for more details.| [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)

[ec2_endpoint_policy.json](vpc_endpoint_policies/ec2_endpoint_policy.json)* | 20 | | Amazon EC2 prefix list | Amazon EC2 | `arn:aws:ec2:*:aws:prefix-list/*`| Amazon EC2 maintains [AWS-managed EC2 prefix lists](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html) which are sets of IP ranges for AWS services you can use to simplify referencing service IPs when configuring security groups and other VPC network controls.| [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)

[ec2_endpoint_policy.json](vpc_endpoint_policies/ec2_endpoint_policy.json)* | 21 | | Amazon Elastic Container Registry (Amazon ECR) repository | Multiple | `arn:aws:ecr:*:<account_id>:repository/*` | Services such as Amazon Elastic Kubernetes Service (Amazon EKS), Amazon GuardDuty, and Amazon SageMaker maintain container images owned by Amazon in Amazon ECR repositories. For example, [Amazon Elastic Kubernetes Service (Amazon EKS) add-ons](https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html), [GuardDuty EKS Runtime Monitoring](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-eks-runtime-monitoring.html), and [Amazon SageMaker pre-built Docker images](https://docs.aws.amazon.com/sagemaker/latest/dg-ecr-paths/sagemaker-algo-docker-registry-paths.html). These repositories are accessed by using service roles, such as the roles of your EKS nodes, EKS managed node groups, and SageMaker notebooks. See [View Amazon container image registries for Amazon EKS add-ons](https://docs.aws.amazon.com/eks/latest/userguide/add-ons-images.html), [Amazon ECR repository hosting GuardDuty agent](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-ecr-repository-gdu-agent.html), and [Docker Registry Paths and Example Code](https://docs.aws.amazon.com/sagemaker/latest/dg-ecr-paths/sagemaker-algo-docker-registry-paths.html) for more details. `<account_id>` can vary by AWS Region, and you might need to allow multiple account IDs if you are operating in multiple Regions. List the specific AWS-owned account IDs documented for your Regions rather than a wildcard account, because an account wildcard would allow pulling from any ECR repository and undermine the resource perimeter. | [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)

[ecr.api_endpoint_policy.json](vpc_endpoint_policies/ecr.api_endpoint_policy.json) | 22 | | Amazon S3 bucket | AWS Service Catalog | `arn:aws:s3:::sc--/*` | AWS Service Catalog stores the CloudFormation template in an Amazon S3 bucket owned by the service account, when you create your products. When you provision the product, Service Catalog downloads the template from the bucket using [forward access sessions (FAS)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html). See [Creating Products](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/productmgmt-cloudresource.html) for more details. | [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)

[s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json)* | 23 | | Amazon S3 bucket | AWS Data Exchange | `arn:aws:s3:::aws-data-exchange` | AWS Data Exchange writes to AWS Data Exchange Amazon S3 buckets, when importing assets from Amazon S3 to AWS Data Exchange ([publishing](https://docs.aws.amazon.com/data-exchange/latest/userguide/providing-data-sets.html)). Similarly, when exporting assets from AWS Data Exchange to Amazon S3 ([subscribing](https://docs.aws.amazon.com/data-exchange/latest/userguide/subscribe-to-data-sets.html)), AWS Data Exchange reads from AWS Data Exchange Amazon S3 buckets. AWS Data Exchange uses FAS to access the buckets on behalf of the user performing import and export operations. See [Access control](https://docs.aws.amazon.com/data-exchange/latest/userguide/access-control.html) for more details. | [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)

[s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json)* | 24 | | Amazon S3 bucket | AWS Glue | `arn:aws:s3:::aws-glue-studio-transforms-<account_id>-prod-<region>/*` | AWS Glue Studio uses Amazon S3 buckets owned by the service account to store source code for transformations accessible via the AWS Glue Studio visual editor. AWS Glue uses its service role to make requests to the buckets. See [Review IAM permissions needed for ETL jobs](https://docs.aws.amazon.com/glue/latest/dg/getting-started-min-privs-job.html) for more details. `<account_id>` can vary by AWS Region, and you might need to allow multiple account IDs if you are operating in multiple Regions. | [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)

[s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) | 25 | | Amazon S3 bucket | AWS Elastic Beanstalk | `arn:aws:s3:::elasticbeanstalk-samples-<region>/*`

`arn:aws:s3:::elasticbeanstalk-platform-assets-<region>/*`

`arn:aws:s3:::elasticbeanstalk-env-resources-<region>/*`

`arn:aws:s3:::elasticbeanstalk-<region>/*`| AWS Elastic Beanstalk uses service-owned Amazon S3 buckets to host the configuration files, the sample application, and the available instance types used while creating and configuring your environment. Elastic Beanstalk uses its service role to make requests to the buckets. See [Required Amazon S3 bucket permissions for restrictive VPC endpoint policies](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/vpc-vpce.policy.html#AWSHowTo.S3.VPCendpoints) for more details. Note that the bucket name follows a different convention in the China (Beijing) Region (`cn-north-1`): the string `public-beta-cn-north-1` is used in place of `<region>`. For example, `arn:aws:s3:::elasticbeanstalk-platform-assets-public-beta-cn-north-1`. | [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)

[s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) | 26 | | Amazon S3 bucket | Amazon CloudWatch | `arn:aws:s3:::aws-synthetics-library-` | Amazon CloudWatch uses service-owned Amazon S3 buckets to host a library that contains the versions of CloudWatch Synthetics for canaries. CloudWatch uses its service role to make requests to the buckets. See [Required roles and permissions for CloudWatch canaries](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Roles.html). | [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json) | 27 | | Amazon S3 bucket | Amazon SageMaker JumpStart | `arn:aws:s3:::jumpstart-cache-prod-/*`

`arn:aws:s3:::jumpstart-cache-prod-` | Amazon SageMaker JumpStart uses service-owned Amazon S3 bucket to host pretrained, open-source models for a wide range of problem types to help you get started with machine learning. SageMaker Jumpstart uses its service role to make requests to the bucket. See [Model deployment security](https://docs.aws.amazon.com/sagemaker/latest/dg/jumpstart-deploy.html#jumpstart-config-security) for more details. | [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)

[s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json)| 28 | | Amazon S3 bucket | Amazon Neptune | `arn:aws:s3:::aws-neptune-notebook`

`arn:aws:s3:::aws-neptune-notebook/*`

`arn:aws:s3:::aws-neptune-notebook-`

`arn:aws:s3:::aws-neptune-notebook-/*` | Amazon Neptune service uses service-owned Amazon S3 buckets to host installation and configuration scripts as convenience utilities to help streamline Neptune setup process. Amazon Neptune uses service role to make requests to these service-owned S3 buckets. See [Using Amazon Neptune with graph notebooks](https://docs.aws.amazon.com/neptune/latest/userguide/graph-notebooks.html#graph-notebooks-workbench) for more details. | [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)

[s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json)| 29 | | Amazon S3 bucket | AWS CloudFormation | `arn:aws:s3:::cloudformation-custom-resource-response-<region>/*`

`arn:aws:s3:::cloudformation-waitcondition-<region>/*`| AWS CloudFormation maintains Amazon Simple Storage Service (Amazon S3) service-owned buckets in each AWS Region to monitor responses to a [custom resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html) request or a [wait condition](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-waitcondition.html). CloudFormation uses the `cloudformation.amazonaws.com` service principal to create a presigned Amazon S3 URL, which is used to send requests to Amazon S3. If your CloudFormation template includes custom resources deployed in a VPC or wait conditions for resources deployed in your VPC, requests to Amazon S3 originate from your VPC. See [Access CloudFormation using an interface endpoint (AWS PrivateLink)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/vpc-interface-endpoints.html) for more details. Note that `<region>` in these bucket names does not contain dashes, for example, `uswest2` instead of `us-west-2`. | [s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) | 30 | | Amazon S3 bucket | Amazon Q Developer | `arn:aws:s3:::amazonq-code-scan--`

`arn:aws:s3:::amazonq-code-transformation--`

`arn:aws:s3:::amazonq-feature-development--`

`arn:aws:s3:::amazonq-test-generation--.amazonaws.com/*`

`arn:aws:s3:::repo..amazonaws.com/*`

`arn:aws:s3:::amazonlinux..amazonaws.com/*`

`arn:aws:s3:::amazonlinux-2-repos-/*`| Kernel Live Patching on Amazon Linux 2 allows you to apply security vulnerability and critical bug patches to a running Linux kernel. To download packages from Amazon Linux repositories hosted on service-owned Amazon S3 buckets, Amazon EC2 makes an unauthenticated call to Amazon S3 which originates from your VPC. See [Kernel Live Patching on AL2](https://docs.aws.amazon.com/linux/al2/ug/al2-live-patching.html) for more details. | [s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) | 32 | | Amazon S3 bucket | Amazon EC2 | `arn:aws:s3:::al2023-/*`

`arn:aws:s3:::al2023-repos--de612dc2/*`| Kernel Live Patching on Amazon Linux 2023 allows you to apply security vulnerability and critical bug patches to a running Linux kernel. To download packages from Amazon Linux repositories hosted on service-owned Amazon S3 buckets, Amazon EC2 makes an unauthenticated call to Amazon S3 which originates from your VPC. See [Kernel Live Patching on Amazon Linux 2023](https://docs.aws.amazon.com/linux/al2023/ug/live-patching.html) for more details. | [s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) | 33 | | Amazon S3 bucket | Amazon EMR | `arn:aws:s3:::packages..amazonaws.com/*`

`arn:aws:s3:::repo..amazonaws.com/*`

`arn:aws:s3:::amazonlinux..amazonaws.com/*`

`arn:aws:s3:::amazonlinux-2-repos-/*`

`arn:aws:s3:::repo..emr.amazonaws.com/*`

`arn:aws:s3:::prod..appinfo.src/*`| Amazon EMR uses Amazon Linux repositories that are hosted in service-owned S3 buckets to [launch and manage instances within Amazon EMR clusters](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-default-ami.html). Amazon EMR also collects [Spark event logs](https://docs.aws.amazon.com/emr/latest/ManagementGuide/app-history-spark-UI.html) in an service-owned system bucket. To do so, Amazon EMR makes unauthenticated calls to Amazon S3 which originate from your VPC. See [Sample policies for private subnets that access Amazon S3](https://docs.aws.amazon.com/emr/latest/ManagementGuide/private-subnet-iampolicy.html) for more details. | [s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) | 34 | | Amazon S3 bucket | AWS Systems Manager | `arn:aws:s3:::aws-ssm-/*`

`arn:aws:s3:::aws-windows-downloads-/*`

`arn:aws:s3:::amazon-ssm-/*`

`arn:aws:s3:::amazon-ssm-packages-/*`

`arn:aws:s3:::-birdwatcher-prod/*`

`arn:aws:s3:::aws-ssm-distributor-file-/*`

`arn:aws:s3:::aws-ssm-document-attachments-/*`

`arn:aws:s3:::patch-baseline-snapshot-/*`

`arn:aws:s3:::aws-patchmanager-macos-/*`| When using AWS Systems Manager capabilities such as patching, [SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) running on your Amazon EC2 instances could make unauthenticated requests from your VPC to various service-owned S3 buckets to perform its operations. See [Learn technical details about the SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-technical-details.html) for more details. | [s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) | 35 | | Amazon S3 bucket | Amazon CloudWatch | `arn:aws:s3:::amazoncloudwatch-agent-/*`

`arn:aws:s3:::amazoncloudwatch-agent/*`| When you install the Amazon CloudWatch agent on your Amazon EC2 instances, Amazon EC2 makes an unauthenticated call from your network to Amazon S3 to download the package from a service-owned S3 bucket. See [Download the CloudWatch agent package](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/download-cloudwatch-agent-commandline.html) for more details. | [s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) | 36 | | Amazon S3 bucket | AWS CodeDeploy | `arn:aws:s3:::aws-codedeploy-/*` | When you install the AWS CodeDeploy agent on your Amazon EC2 instances, Amazon EC2 makes an unauthenticated call from your network to Amazon S3 to download the agent from an service-owned S3 bucket. See [Configure an Amazon EC2 instance to work with CodeDeploy](https://docs.aws.amazon.com/codedeploy/latest/userguide/instances-ec2-configure.html) for more details. | [s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) | 37 | | Amazon S3 bucket | EC2 Image Builder | `arn:aws:s3:::ec2imagebuilder-toe--prod/*`

`arn:aws:s3:::ec2imagebuilder-managed-resources--prod/components/*`| EC2 Image Builder uses a publicly available S3 bucket to store and access managed resources, such as components. It also downloads the AWSTOE component management application from a separate S3 bucket. The call to Amazon S3 is unauthenticated and passes through the Amazon S3 VPC endpoint. See [Manage data perimeters](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-iam-data-perimeter.html) for more details. | [s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) | 38 | | Amazon S3 bucket | AWS Cloud9 | `arn:aws:s3:::static--prod-static-/content/dependencies/*` | AWS Cloud9 environments contain software packages required for AWS Cloud9 to function and support IDE features. To [download patches for these software packages](https://docs.aws.amazon.com/cloud9/latest/user-guide/vulnerability-analysis-and-management.html) from AWS Cloud9 repositories hosted on service-owned S3 buckets, AWS Cloud9 makes an unauthenticated call to Amazon S3 from your VPC. See [Create and configure a VPC endpoint for Amazon S3](https://docs.aws.amazon.com/cloud9/latest/user-guide/ec2-ssm.html#create-s3-endpoint) for more details. | [s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) | 39 | | Amazon S3 bucket | Amazon Elastic Container Registry | `arn:aws:s3:::prod--starport-layer-bucket/*` | Amazon ECR uses service-owned S3 buckets to store Amazon ECR private image layers. When your containers download images from Amazon ECR, they must access Amazon ECR to get the image manifest and then Amazon S3 to download the actual image layers. A call to Amazon S3 is signed using a presigned URL, which is created by an Amazon ECR account and originates from your VPC. See [Minimum Amazon S3 Bucket Permissions for Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html#ecr-minimum-s3-perms) for more details. 
| [s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) | 40 | | Amazon S3 bucket | AWS Application Migration Service | `arn:aws:s3:::aws-mgn-clients-/*`

`arn:aws:s3:::aws-mgn-clients-hashes-/*`

`arn:aws:s3:::aws-mgn-internal-/*`

`arn:aws:s3:::aws-mgn-internal-hashes-/*`

`arn:aws:s3:::aws-application-migration-service-/*`

`arn:aws:s3:::aws-application-migration-service-hashes-/*`

`arn:aws:s3:::amazon-ssm-/*`|[AWS Replication Agent](https://docs.aws.amazon.com/mgn/latest/ug/agent-installation.html) allows you to add source servers to the AWS Application Migration service to monitor their migration lifecycle and data replication state. To download the agent installer and components hosted on service-owned S3 buckets, Application Migration Service uses presigned URLs create by an Application Migration Service account and makes calls to Amazon S3 from your VPC. See [Network requirements for Application Migration Service](https://docs.aws.amazon.com/mgn/latest/ug/Network-Requirements.html) for more details. | [s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) | 41 | | Amazon S3 bucket | AWS Elastic Disaster Recovery | `arn:aws:s3:::aws-drs-clients-/*`

`arn:aws:s3:::aws-drs-clients-hashes-/*`

`arn:aws:s3:::aws-drs-internal-/*`

`arn:aws:s3:::aws-drs-internal-hashes-/*`

`arn:aws:s3:::aws-elastic-disaster-recovery-/*`

`arn:aws:s3:::aws-elastic-disaster-recovery-hashes-/*` | Elastic Disaster Recovery uses service-owned S3 buckets to store and access managed resources used to perform its operations. The [AWS Replication Agent installer](https://docs.aws.amazon.com/drs/latest/userguide/agent-installation.html) uses a presigned URL, which is signed by the service account, to make requests to various service-owned S3 buckets, which originate from your VPC. See [Elastic Disaster Recovery network requirements](https://docs.aws.amazon.com/drs/latest/userguide/Network-Requirements.html) for more details. | [s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) | 42 | | Amazon S3 bucket | AWS Certificate Manager (ACM) | `arn:aws:s3:::aws-ec2-enclave-certificate--prod/*` | ACM for AWS Nitro Enclaves uses an service-owned S3 bucket to distribute a certificate to an EC2-hosted web server. See [AWS Certificate Manager for Nitro Enclaves](https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html#role-cert) for more details. | [s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) | 43 | | Amazon S3 bucket | AWS CodeArtifact | `arn:aws:s3:::assets--/*` | CodeArtifact uses service-owned S3 buckets to host the artifacts and redirects HTTP requests for an artifact repository URL to a presigned URL backed by one of service-owned buckets. 
See [Minimum Amazon S3 bucket permissions for AWS CodeArtifact](https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html#s3-gateway-endpoint-permissions) for more details. | [s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) | 44 | | AWS CloudFormation transform | AWS CloudFormation | `arn:aws:cloudformation:*:aws:transform/*` | You can use [AWS CloudFormation transforms](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-reference.html) to process templates through a special macro that can modify or extend the functionality of a CloudFormation template before it is deployed. CloudFormation uses its service role or forward access sessions (FAS) to make requests to the transforms. See [Control CloudFormation access with AWS Identity and Access Management](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/control-access-with-iam.html) for more details. | [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)

[cloudformation_endpoint_policy.json](vpc_endpoint_policies/cloudformation_endpoint_policy.json)* | 45 | | AWS IAM policy | Multiple | `arn:aws:iam::aws:policy/*` | You can use [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/) [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) to assign appropriate permissions to users, IAM groups, and roles. See [What are AWS managed policies?](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) for more details. | [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)

[iam_endpoint_policy.json](vpc_endpoint_policies/iam_endpoint_policy.json)* | 46 | | AWS Lambda layer | Multiple | `arn:aws:lambda:*::layer:*` | Services such as Amazon CloudWatch and AWS AppConfig maintain AWS Lambda extensions owned by Amazon that you can add as layers to your functions. For example, [CloudWatch Lambda Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights.html) and [AWS AppConfig Agent Lambda extension](https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-integration-lambda-extensions.html). See [Available versions of the Lambda Insights extension](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versions.html) and [Understanding available versions of the AWS AppConfig Agent Lambda extension](https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-integration-lambda-extensions-versions.html) for more details. Note that the account ID that owns the layer can vary by AWS Region, and you might need to allow multiple account IDs if you are operating in multiple Regions. | [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)

[lambda_endpoint_policy.json](vpc_endpoint_policies/lambda_endpoint_policy.json)* | 47 | | AWS Systems Manager parameter | Multiple | `arn:aws:ssm:*::parameter/*` | Some AWS services publish information about common artifacts as [AWS Systems Manager public parameters](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-public-parameters.html). For example, Amazon EC2 publishes information about Amazon Machine Images (AMIs) as public parameters. See [How AWS Systems Manager works with IAM](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-actions) for more details. | [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)

[ssm_endpoint_policy.json](vpc_endpoint_policies/ssm_endpoint_policy.json)* | 48 | | AWS Systems Manager document | Multiple | `arn:aws:ssm:*::document/*` | Systems Manager maintains pre-configured [documents owned by Amazon](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-ssm-docs.html) that you can use to automate maintenance and deployment tasks. See [How AWS Systems Manager works with IAM](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-actions) for more details. | [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)

[ssm_endpoint_policy.json](vpc_endpoint_policies/ssm_endpoint_policy.json)* | 49 | | AWS Systems Manager automation definition | Multiple | `arn:aws:ssm:*::automation-definition/*` | Systems Manager maintains pre-defined [Automation runbooks owned by Amazon](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html), such as AWS-ConfigureMaintenanceWindows, that you can use to deploy, configure, and manage AWS resources at scale. See [How AWS Systems Manager works with IAM](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-actions) for more details. | [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)

[ssm_endpoint_policy.json](vpc_endpoint_policies/ssm_endpoint_policy.json)* | -------------------------------------------------------------------------------- /vpc_endpoint_policies/README.md: -------------------------------------------------------------------------------- 1 | # VPC endpoint policy examples 2 | 3 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0 4 | 5 | ## Table of Contents 6 | 7 | * [Introduction](#introduction) 8 | * [Description](#description) 9 | * [Included data access patterns](#included-data-access-patterns) 10 | 11 | ## Introduction 12 | 13 | VPC endpoints allow you to apply identity and resource perimeter controls by using VPC endpoint policies. These controls mitigate the risk of unintended data disclosure via noncorporate credentials (for example, developers bringing their personal credentials into your network and uploading corporate data to their personal accounts), and prevent your principals from accessing data stores that are not approved by your company. 14 | 15 | ## Description 16 | 17 | This folder contains examples of VPC endpoint policies that enforce identity and resource perimeter controls while allowing select AWS services to operate on your behalf. These examples do not represent a complete list of valid data access patterns, and they are intended for you to tailor and extend them to suit the needs of your environment. Not all VPC endpoint policy examples contained in this folder include all data access patterns described in the following section. When crafting a VPC endpoint policy for a service that is not covered in this repository, you can start with the [default_endpoint_policy.json](default_endpoint_policy.json) and include relevant statements based on your requirements. 
18 | 19 | For all AWS services where we have provided an example VPC endpoint policy such as SSM or EC2, we strongly recommend starting with those policies instead of the default VPC endpoint policy. There are already service-specific exceptions present within them to allow these services to access their required resources over a VPC endpoint. 20 | 21 | Note that VPC endpoint policies do not grant any permissions; instead, they establish a boundary that is the maximum access allowed through the endpoint. You still need to grant appropriate access by using identity-based or resource-based policies. 22 | 23 | The methodology you use to deploy these policies will depend on the deployment mechanisms you use to create and manage AWS accounts. For example, you might choose to use [AWS Control Tower](https://aws.amazon.com/controltower/) and the [Customizations for AWS Control Tower solution (CfCT)](https://docs.aws.amazon.com/controltower/latest/userguide/customize-landing-zone.html) to govern your AWS environment at scale. You can use CfCT or your custom CI/CD pipeline to deploy VPC endpoints and VPC endpoint policies that include your identity and resource perimeter controls. 24 | 25 | ## Included data access patterns 26 | 27 | The following policy statements are included in the VPC endpoint policy examples, each statement representing a specific data access pattern. 28 | 29 | ### "Sid":"AllowRequestsByOrgsIdentitiesToOrgsResources" 30 | 31 | This policy statement allows identities from your AWS Organizations organization to send requests through a VPC endpoint to resources that belong to your organization. 32 | 33 | ### "Sid":"AllowRequestsByAWSServicePrincipals" 34 | 35 | This policy statement allows [AWS service principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) to send requests to service-owned resources on your behalf through a VPC endpoint. 
The `aws:PrincipalIsAWSService` IAM condition key is used to denote this in the policy. Though AWS services rarely use their service principals to make calls from your VPCs, some services that operate within your network might need this statement to be present in the VPC endpoint policies to ensure normal operations. See the [service_owned_resources](../service_owned_resources.md) for a list of service-owned resources that can be accessed by AWS service principals. 36 | 37 | ### "Sid":"AllowRequestsToAWSOwnedResources" 38 | 39 | This policy statement allows access to specific service-owned resources through a VPC endpoint. You can list ARNs of service-owned resources in the `Resource` element of the statement. You can further restrict access by specifying allowed actions in the `Action` element of the statement. See the [service_owned_resources](../service_owned_resources.md) for a list of service-owned resources. 40 | 41 | ### "Sid":"AllowRequestsByOrgsIdentitiesToAWSResources" 42 | 43 | This policy statement allows identities from your Organizations organization to send requests through a VPC endpoint to service-owned resources. You can list ARNs of service-owned resources in the `Resource` element of the statement. You can further restrict access by specifying allowed actions in the `Action` element of the statement. See the [service_owned_resources](../service_owned_resources.md) for a list of service-owned resources that can be accessed by your IAM credentials. 44 | 45 | ### "Sid":"AllowRequestsByThirdPartyIdentitiesToThirdPartyResources" 46 | 47 | This policy statement allows trusted identities outside of your Organizations organization to send requests to trusted resources owned by an account that does not belong to your organization. List ARNs of resources in the `Resource` element of the statement. Further restrict access by specifying allowed actions in the `Action` element of the statement. 
An example of a valid use case is a third-party integration that requires you to allow your applications to upload objects to or download objects from a third-party S3 bucket by using third-party-generated presigned Amazon S3 URLs. In this case, the principal that generates the presigned URL will belong to the third-party AWS account. 48 | 49 | ### "Sid":"AllowRequestsByOrgsIdentitiesToThirdPartyResources" 50 | 51 | This policy statement allows identities from your Organizations organization to send requests to trusted resources owned by an account that does not belong to your organization. List ARNs of resources in the `Resource` element of the statement. Further restrict access by specifying allowed actions in the `Action` element of the statement. 52 | 53 | ### "Sid":"AllowRequestsByOrgsIdentitiesToAnyResources" 54 | 55 | This policy statement allows identities from your Organizations organization that are tagged with the `dp:exclude:resource` tag set to `true` to access any resource. Before adding this statement to your VPC endpoint policy, ensure that you have strong tagging governance in place and a valid data-access pattern that warrants it and is not already covered by the previously described statements. If you include this statement in your policy, ensure that this access is always restricted to principals in your Organizations organization by using the `aws:PrincipalOrgID` condition key. This prevents access by identities outside your organization that are tagged with the same tag key and value. 
56 | 57 | -------------------------------------------------------------------------------- /vpc_endpoint_policies/cloudformation_endpoint_policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources", 6 | "Effect": "Allow", 7 | "Principal": "*", 8 | "Action": "*", 9 | "Resource": "*", 10 | "Condition": { 11 | "StringEquals": { 12 | "aws:PrincipalOrgID": "", 13 | "aws:ResourceOrgID": "" 14 | } 15 | } 16 | }, 17 | { 18 | "Sid": "AllowRequestsByAWSServicePrincipals", 19 | "Effect": "Allow", 20 | "Principal": "*", 21 | "Action": "*", 22 | "Resource": "*", 23 | "Condition": { 24 | "Bool": { 25 | "aws:PrincipalIsAWSService": "true" 26 | } 27 | } 28 | }, 29 | { 30 | "Sid": "AllowRequestsByOrgsIdentitiesToAWSResources", 31 | "Effect": "Allow", 32 | "Principal": "*", 33 | "Action": [ 34 | "cloudformation:CreateChangeSet" 35 | ], 36 | "Resource": [ 37 | "arn:aws:cloudformation::aws:transform/*" 38 | ], 39 | "Condition": { 40 | "StringEquals": { 41 | "aws:PrincipalOrgID": "" 42 | } 43 | } 44 | }, 45 | { 46 | "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources", 47 | "Effect": "Allow", 48 | "Principal": "*", 49 | "Action": "*", 50 | "Resource": "*", 51 | "Condition": { 52 | "StringEquals": { 53 | "aws:PrincipalOrgID": "", 54 | "aws:PrincipalTag/dp:exclude:resource": "true" 55 | } 56 | } 57 | } 58 | ] 59 | } -------------------------------------------------------------------------------- /vpc_endpoint_policies/default_endpoint_policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources", 6 | "Effect": "Allow", 7 | "Principal": "*", 8 | "Action": "*", 9 | "Resource": "*", 10 | "Condition": { 11 | "StringEquals": { 12 | "aws:PrincipalOrgID": "", 13 | "aws:ResourceOrgID": "" 14 | } 15 
| } 16 | }, 17 | { 18 | "Sid": "AllowRequestsByAWSServicePrincipals", 19 | "Effect": "Allow", 20 | "Principal": "*", 21 | "Action": "*", 22 | "Resource": "*", 23 | "Condition": { 24 | "Bool": { 25 | "aws:PrincipalIsAWSService": "true" 26 | } 27 | } 28 | }, 29 | { 30 | "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources", 31 | "Effect": "Allow", 32 | "Principal": "*", 33 | "Action": "*", 34 | "Resource": "*", 35 | "Condition": { 36 | "StringEquals": { 37 | "aws:PrincipalOrgID": "", 38 | "aws:PrincipalTag/dp:exclude:resource": "true" 39 | } 40 | } 41 | } 42 | ] 43 | } -------------------------------------------------------------------------------- /vpc_endpoint_policies/ec2_endpoint_policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources", 6 | "Effect": "Allow", 7 | "Principal": "*", 8 | "Action": "*", 9 | "Resource": "*", 10 | "Condition": { 11 | "StringEquals": { 12 | "aws:PrincipalOrgID": "", 13 | "aws:ResourceOrgID": "" 14 | } 15 | } 16 | }, 17 | { 18 | "Sid": "AllowRequestsByAWSServicePrincipals", 19 | "Effect": "Allow", 20 | "Principal": "*", 21 | "Action": "*", 22 | "Resource": "*", 23 | "Condition": { 24 | "Bool": { 25 | "aws:PrincipalIsAWSService": "true" 26 | } 27 | } 28 | }, 29 | { 30 | "Sid": "AllowRequestsByOrgsIdentitiesToAWSResources", 31 | "Effect": "Allow", 32 | "Principal": "*", 33 | "Action": [ 34 | "ec2:RunInstances", 35 | "ec2:CreateReplaceRootVolumeTask", 36 | "ec2:CreateTags", 37 | "ec2:DeleteTags", 38 | "ec2:GetManagedPrefixListEntries" 39 | ], 40 | "Resource": [ 41 | "arn:aws:ec2:*::image/*", 42 | "arn:aws:ec2:*:aws:prefix-list/*" 43 | ], 44 | "Condition": { 45 | "StringEquals": { 46 | "aws:PrincipalOrgID": "" 47 | } 48 | } 49 | }, 50 | { 51 | "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources", 52 | "Effect": "Allow", 53 | "Principal": "*", 54 | "Action": "*", 55 | "Resource": "*", 56 | 
"Condition": { 57 | "StringEquals": { 58 | "aws:PrincipalOrgID": "", 59 | "aws:PrincipalTag/dp:exclude:resource": "true" 60 | } 61 | } 62 | } 63 | ] 64 | } -------------------------------------------------------------------------------- /vpc_endpoint_policies/ecr.api_endpoint_policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources", 6 | "Effect": "Allow", 7 | "Principal": "*", 8 | "Action": "*", 9 | "Resource": "*", 10 | "Condition": { 11 | "StringEquals": { 12 | "aws:PrincipalOrgID": "", 13 | "aws:ResourceOrgID": "" 14 | } 15 | } 16 | }, 17 | { 18 | "Sid": "AllowRequestsByAWSServicePrincipals", 19 | "Effect": "Allow", 20 | "Principal": "*", 21 | "Action": "*", 22 | "Resource": "*", 23 | "Condition": { 24 | "Bool": { 25 | "aws:PrincipalIsAWSService": "true" 26 | } 27 | } 28 | }, 29 | { 30 | "Sid": "AllowRequestsByOrgsIdentitiesToAWSResources", 31 | "Effect": "Allow", 32 | "Principal": "*", 33 | "Action": "*", 34 | "Resource": "*", 35 | "Condition": { 36 | "StringEquals": { 37 | "aws:ResourceAccount": "", 38 | "aws:PrincipalOrgID": "" 39 | } 40 | } 41 | }, 42 | { 43 | "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources", 44 | "Effect": "Allow", 45 | "Principal": "*", 46 | "Action": "*", 47 | "Resource": "*", 48 | "Condition": { 49 | "StringEquals": { 50 | "aws:PrincipalOrgID": "", 51 | "aws:PrincipalTag/dp:exclude:resource": "true" 52 | } 53 | } 54 | } 55 | ] 56 | } -------------------------------------------------------------------------------- /vpc_endpoint_policies/iam_endpoint_policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources", 6 | "Effect": "Allow", 7 | "Principal": "*", 8 | "Action": "*", 9 | "Resource": "*", 10 | "Condition": { 11 | "StringEquals": 
{ 12 | "aws:PrincipalOrgID": "", 13 | "aws:ResourceOrgID": "" 14 | } 15 | } 16 | }, 17 | { 18 | "Sid": "AllowRequestsByAWSServicePrincipals", 19 | "Effect": "Allow", 20 | "Principal": "*", 21 | "Action": "*", 22 | "Resource": "*", 23 | "Condition": { 24 | "Bool": { 25 | "aws:PrincipalIsAWSService": "true" 26 | } 27 | } 28 | }, 29 | { 30 | "Sid": "AllowRequestsByOrgsIdentitiesToAWSResources", 31 | "Effect": "Allow", 32 | "Principal": "*", 33 | "Action": "*", 34 | "Resource": [ 35 | "arn:aws:iam::aws:policy/*" 36 | ], 37 | "Condition": { 38 | "StringEquals": { 39 | "aws:PrincipalOrgID": "" 40 | } 41 | } 42 | }, 43 | { 44 | "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources", 45 | "Effect": "Allow", 46 | "Principal": "*", 47 | "Action": "*", 48 | "Resource": "*", 49 | "Condition": { 50 | "StringEquals": { 51 | "aws:PrincipalOrgID": "", 52 | "aws:PrincipalTag/dp:exclude:resource": "true" 53 | } 54 | } 55 | } 56 | ] 57 | } -------------------------------------------------------------------------------- /vpc_endpoint_policies/imagebuilder_endpoint_policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources", 6 | "Effect": "Allow", 7 | "Principal": "*", 8 | "Action": "*", 9 | "Resource": "*", 10 | "Condition": { 11 | "StringEquals": { 12 | "aws:PrincipalOrgID": "", 13 | "aws:ResourceOrgID": "" 14 | } 15 | } 16 | }, 17 | { 18 | "Sid": "AllowRequestsByAWSServicePrincipals", 19 | "Effect": "Allow", 20 | "Principal": "*", 21 | "Action": "*", 22 | "Resource": "*", 23 | "Condition": { 24 | "Bool": { 25 | "aws:PrincipalIsAWSService": "true" 26 | } 27 | } 28 | }, 29 | { 30 | "Sid": "AllowRequestsByOrgsIdentitiesToAWSResources", 31 | "Effect": "Allow", 32 | "Principal": "*", 33 | "Action": [ 34 | "imagebuilder:GetComponent", 35 | "imagebuilder:GetImage" 36 | ], 37 | "Resource": [ 38 | "arn:aws:imagebuilder::aws:component/*", 39 | 
"arn:aws:imagebuilder::aws:image/*" 40 | ], 41 | "Condition": { 42 | "StringEquals": { 43 | "aws:PrincipalOrgID": "" 44 | } 45 | } 46 | }, 47 | { 48 | "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources", 49 | "Effect": "Allow", 50 | "Principal": "*", 51 | "Action": "*", 52 | "Resource": "*", 53 | "Condition": { 54 | "StringEquals": { 55 | "aws:PrincipalOrgID": "", 56 | "aws:PrincipalTag/dp:exclude:resource": "true" 57 | } 58 | } 59 | } 60 | ] 61 | } -------------------------------------------------------------------------------- /vpc_endpoint_policies/lambda_endpoint_policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources", 6 | "Effect": "Allow", 7 | "Principal": "*", 8 | "Action": "*", 9 | "Resource": "*", 10 | "Condition": { 11 | "StringEquals": { 12 | "aws:PrincipalOrgID": "", 13 | "aws:ResourceOrgID": "" 14 | } 15 | } 16 | }, 17 | { 18 | "Sid": "AllowRequestsByAWSServicePrincipals", 19 | "Effect": "Allow", 20 | "Principal": "*", 21 | "Action": "*", 22 | "Resource": "*", 23 | "Condition": { 24 | "Bool": { 25 | "aws:PrincipalIsAWSService": "true" 26 | } 27 | } 28 | }, 29 | { 30 | "Sid": "AllowRequestsByOrgsIdentitiesToAWSResources", 31 | "Effect": "Allow", 32 | "Principal": "*", 33 | "Action": "*", 34 | "Resource": [ 35 | "arn:aws:lambda:*::layer:*" 36 | ], 37 | "Condition": { 38 | "StringEquals": { 39 | "aws:PrincipalOrgID": "" 40 | } 41 | } 42 | }, 43 | { 44 | "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources", 45 | "Effect": "Allow", 46 | "Principal": "*", 47 | "Action": "*", 48 | "Resource": "*", 49 | "Condition": { 50 | "StringEquals": { 51 | "aws:PrincipalOrgID": "", 52 | "aws:PrincipalTag/dp:exclude:resource": "true" 53 | } 54 | } 55 | } 56 | ] 57 | } -------------------------------------------------------------------------------- /vpc_endpoint_policies/s3_endpoint_policy.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources", 6 | "Effect": "Allow", 7 | "Principal": "*", 8 | "Action": "*", 9 | "Resource": "*", 10 | "Condition": { 11 | "StringEquals": { 12 | "aws:PrincipalOrgID": "", 13 | "aws:ResourceOrgID": "" 14 | } 15 | } 16 | }, 17 | { 18 | "Sid": "AllowRequestsByAWSServicePrincipals", 19 | "Effect": "Allow", 20 | "Principal": "*", 21 | "Action": "*", 22 | "Resource": "*", 23 | "Condition": { 24 | "Bool": { 25 | "aws:PrincipalIsAWSService": "true" 26 | } 27 | } 28 | }, 29 | { 30 | "Sid": "AllowRequestsByOrgsIdentitiesToAWSResources", 31 | "Effect": "Allow", 32 | "Principal": "*", 33 | "Action": "s3:GetObject", 34 | "Resource": "*", 35 | "Condition": { 36 | "StringEquals": { 37 | "aws:ResourceAccount": "", 38 | "aws:PrincipalOrgID": "" 39 | } 40 | } 41 | }, 42 | { 43 | "Sid": "AllowRequestsToAWSOwnedResources", 44 | "Effect": "Allow", 45 | "Principal": "*", 46 | "Action": [ 47 | "s3:GetObject", 48 | "s3:ListBucket" 49 | ], 50 | "Resource": [ 51 | "arn:aws:s3:::packages..amazonaws.com/*", 52 | "arn:aws:s3:::repo..amazonaws.com/*", 53 | "arn:aws:s3:::amazonlinux..amazonaws.com/*", 54 | "arn:aws:s3:::amazonlinux-2-repos-/*", 55 | "arn:aws:s3:::al2023-repos--de612dc2/*", 56 | "arn:aws:s3:::al2023-/*", 57 | "arn:aws:s3:::repo..emr.amazonaws.com/*", 58 | "arn:aws:s3:::prod..appinfo.src/*", 59 | "arn:aws:s3:::aws-ssm-/*", 60 | "arn:aws:s3:::aws-windows-downloads-/*", 61 | "arn:aws:s3:::amazon-ssm-/*", 62 | "arn:aws:s3:::amazon-ssm-packages-/*", 63 | "arn:aws:s3:::-birdwatcher-prod/*", 64 | "arn:aws:s3:::aws-ssm-distributor-file-/*", 65 | "arn:aws:s3:::aws-ssm-document-attachments-/*", 66 | "arn:aws:s3:::patch-baseline-snapshot-/*", 67 | "arn:aws:s3:::aws-patchmanager-macos-/*", 68 | "arn:aws:s3:::amazoncloudwatch-agent-/*", 69 | "arn:aws:s3:::amazoncloudwatch-agent/*", 70 | 
"arn:aws:s3:::aws-codedeploy-/*", 71 | "arn:aws:s3:::ec2imagebuilder-toe--prod/*", 72 | "arn:aws:s3:::ec2imagebuilder-managed-resources--prod/components/*", 73 | "arn:aws:s3:::prod--starport-layer-bucket/*", 74 | "arn:aws:s3:::aws-mgn-clients-/*", 75 | "arn:aws:s3:::aws-mgn-clients-hashes-/*", 76 | "arn:aws:s3:::aws-mgn-internal-/*", 77 | "arn:aws:s3:::aws-mgn-internal-hashes-/*", 78 | "arn:aws:s3:::aws-application-migration-service-/*", 79 | "arn:aws:s3:::aws-application-migration-service-hashes-/*", 80 | "arn:aws:s3:::aws-drs-clients-/*", 81 | "arn:aws:s3:::aws-drs-clients-hashes-/*", 82 | "arn:aws:s3:::aws-drs-internal-/*", 83 | "arn:aws:s3:::aws-drs-internal-hashes-/*", 84 | "arn:aws:s3:::aws-elastic-disaster-recovery-/*", 85 | "arn:aws:s3:::aws-elastic-disaster-recovery-hashes-/*", 86 | "arn:aws:s3:::cloudformation-waitcondition-/*", 87 | "arn:aws:s3:::cloudformation-custom-resource-response-/*", 88 | "arn:aws:s3:::aws-ec2-enclave-certificate--prod/*", 89 | "arn:aws:s3:::assets--/*", 90 | "arn:aws:s3:::elasticbeanstalk-samples-/*", 91 | "arn:aws:s3:::elasticbeanstalk-platform-assets-/*", 92 | "arn:aws:s3:::elasticbeanstalk-env-resources-/*", 93 | "arn:aws:s3:::elasticbeanstalk-/*", 94 | "arn:aws:s3:::jumpstart-cache-prod-/*", 95 | "arn:aws:s3:::jumpstart-cache-prod-", 96 | "arn:aws:s3:::static--prod-static-/content/dependencies/*", 97 | "arn:aws:s3:::aws-neptune-notebook", 98 | "arn:aws:s3:::aws-neptune-notebook/*", 99 | "arn:aws:s3:::aws-neptune-notebook-", 100 | "arn:aws:s3:::aws-neptune-notebook-/*" 101 | ] 102 | }, 103 | { 104 | "Sid": "AllowRequestsByThirdPartyIdentitiesToThirdPartyResources", 105 | "Effect": "Allow", 106 | "Principal": "*", 107 | "Action": "", 108 | "Resource": "", 109 | "Condition": { 110 | "StringEquals": { 111 | "aws:PrincipalAccount": [ 112 | "", 113 | "" 114 | ], 115 | "aws:ResourceAccount": [ 116 | "", 117 | "" 118 | ] 119 | } 120 | } 121 | }, 122 | { 123 | "Sid": "AllowRequestsByOrgsIdentitiesToThirdPartyResources", 124 | 
"Effect": "Allow", 125 | "Principal": "*", 126 | "Action": "", 127 | "Resource": "", 128 | "Condition": { 129 | "StringEquals": { 130 | "aws:PrincipalOrgID": "", 131 | "aws:ResourceAccount": [ 132 | "", 133 | "" 134 | ] 135 | } 136 | } 137 | }, 138 | { 139 | "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources", 140 | "Effect": "Allow", 141 | "Principal": "*", 142 | "Action": "*", 143 | "Resource": "*", 144 | "Condition": { 145 | "StringEquals": { 146 | "aws:PrincipalOrgID": "", 147 | "aws:PrincipalTag/dp:exclude:resource": "true" 148 | } 149 | } 150 | } 151 | ] 152 | } 153 | -------------------------------------------------------------------------------- /vpc_endpoint_policies/ssm_endpoint_policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources", 6 | "Effect": "Allow", 7 | "Principal": "*", 8 | "Action": "*", 9 | "Resource": "*", 10 | "Condition": { 11 | "StringEquals": { 12 | "aws:PrincipalOrgID": "", 13 | "aws:ResourceOrgID": "" 14 | } 15 | } 16 | }, 17 | { 18 | "Sid": "AllowRequestsByAWSServicePrincipals", 19 | "Effect": "Allow", 20 | "Principal": "*", 21 | "Action": "*", 22 | "Resource": "*", 23 | "Condition": { 24 | "Bool": { 25 | "aws:PrincipalIsAWSService": "true" 26 | } 27 | } 28 | }, 29 | { 30 | "Sid": "AllowRequestsByOrgsIdentitiesToAWSResources", 31 | "Principal": "*", 32 | "Action": [ 33 | "ssm:Describe*", 34 | "ssm:List*", 35 | "ssm:Get*", 36 | "ssm:SendCommand", 37 | "ssm:CreateAssociation", 38 | "ssm:StartSession", 39 | "ssm:StartChangeRequestExecution", 40 | "ssm:StartAutomationExecution" 41 | ], 42 | "Effect": "Allow", 43 | "Resource": [ 44 | "arn:aws:ssm:::parameter/aws/*", 45 | "arn:aws:ssm:::document/*", 46 | "arn:aws:ssm:*::automation-definition/*" 47 | ], 48 | "Condition": { 49 | "StringEquals": { 50 | "aws:PrincipalOrgID": "" 51 | } 52 | } 53 | }, 54 | { 55 | "Sid": 
"AllowRequestsByOrgsIdentitiesToAnyResources", 56 | "Effect": "Allow", 57 | "Principal": "*", 58 | "Action": "*", 59 | "Resource": "*", 60 | "Condition": { 61 | "StringEquals": { 62 | "aws:PrincipalOrgID": "", 63 | "aws:PrincipalTag/dp:exclude:resource": "true" 64 | } 65 | } 66 | } 67 | ] 68 | } --------------------------------------------------------------------------------