├── CODE_OF_CONDUCT.md ├── Service-specific-controls ├── S3-Prevent-S3-buckets-from-being-made-public-(Bucket-level).json ├── S3-Deny-SSE-C.json ├── S3-Enforce-TLS-version.json ├── S3-Deny-ACL-disablement-for-all-new-buckets-(bucket-owner-enforced).json ├── S3-Prevent-long-term-presigned-url.json ├── S3-Deny-users-from-modifying-S3-Block-Public-Access-(Account-Level).json ├── KMS-Deny-AWS-Key-Management-Service-asymmetric-key-with-RSA-key-material-used-for-encryption-with-key-length-of-2048-bits.json ├── KMS-Require-an-AWS-Key-Management-Service-key-policy-limiting-creation-of-AWS-KMS-grants-to-AWS-services.json ├── KMS-Require-that-an-AWS-KMS-key-is-configured-with-the-bypass-policy-lockout-safety-check-enabled.json ├── S3-Deny-users-from-deleting-Amazon-S3-Buckets-or-objects.json ├── KMS-Deny-the-accidental-or-intentional-deletion-of-a-KMS-key-and-only-allow-specific-roles-to-delete-KMS-keys.json └── README.md ├── LICENSE-SUMMARY ├── Limit-access-to-trusted-OIDC-identity-providers ├── GitHub-Actions.json ├── Deny-built-in-web-identity-providers.json ├── README.md └── Shared-Issuers.json ├── Restrict-resource-access-patterns ├── Restrict-access-to-only-HTTPS-connections-to-your-resources.json └── README.md ├── .github └── workflows │ └── main.yml ├── LICENSE ├── Establish-intra-organization-boundaries ├── Deny-access-to-resources-in-an-organizational-unit,except-for-principals-from-the-same-or-specified-organizational-unit.json ├── Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json └── README.md ├── Data-perimeter-guardrails └── README.md ├── CONTRIBUTING.md └── README.md /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 
3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /Service-specific-controls/S3-Prevent-S3-buckets-from-being-made-public-(Bucket-level).json: -------------------------------------------------------------------------------- 1 | { 2 | "Version":"2012-10-17", 3 | "Statement":[ 4 | { 5 | "Effect":"Deny", 6 | "Principal":"*", 7 | "Action":"s3:PutBucketPublicAccessBlock", 8 | "Resource":"*" 9 | } 10 | ] 11 | } -------------------------------------------------------------------------------- /LICENSE-SUMMARY: -------------------------------------------------------------------------------- 1 | Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | 3 | The documentation is made available under the Creative Commons Attribution-ShareAlike 4.0 International License. See the LICENSE file. 4 | 5 | The sample code within this documentation is made available under the MIT-0 license. See the LICENSE-SAMPLECODE file. 
6 | -------------------------------------------------------------------------------- /Service-specific-controls/S3-Deny-SSE-C.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "RestrictSSECObjectUploads", 6 | "Effect": "Deny", 7 | "Principal": "*", 8 | "Action": "s3:PutObject", 9 | "Resource": "*", 10 | "Condition": { 11 | "Null": { 12 | "s3:x-amz-server-side-encryption-customer-algorithm": "false" 13 | } 14 | } 15 | } 16 | ] 17 | } 18 | -------------------------------------------------------------------------------- /Service-specific-controls/S3-Enforce-TLS-version.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version":"2012-10-17", 3 | "Statement":[ 4 | { 5 | "Effect":"Deny", 6 | "Principal":"*", 7 | "Action":"s3:*", 8 | "Resource":"*", 9 | "Condition":{ 10 | "NumericLessThan":{ 11 | "s3:TlsVersion":[ 12 | "1.2" 13 | ] 14 | } 15 | } 16 | } 17 | ] 18 | } -------------------------------------------------------------------------------- /Service-specific-controls/S3-Deny-ACL-disablement-for-all-new-buckets-(bucket-owner-enforced).json: -------------------------------------------------------------------------------- 1 | { 2 | "Version":"2012-10-17", 3 | "Statement":[ 4 | { 5 | "Effect":"Deny", 6 | "Principal":"*", 7 | "Action":"s3:CreateBucket", 8 | "Resource":"*", 9 | "Condition":{ 10 | "StringNotEquals":{ 11 | "s3:x-amz-object-ownership":"BucketOwnerEnforced" 12 | } 13 | } 14 | } 15 | ] 16 | } -------------------------------------------------------------------------------- /Service-specific-controls/S3-Prevent-long-term-presigned-url.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Deny", 6 | "Principal": "*", 7 | "Action": "s3:*", 8 | "Resource": "*", 9 | "Condition": { 10 | "NumericGreaterThan": 
{ 11 | "s3:signatureAge": [ 12 | "[MAX_SIGNATURE_AGE_IN_MILLISECONDS]" 13 | ] 14 | } 15 | } 16 | } 17 | ] 18 | } -------------------------------------------------------------------------------- /Service-specific-controls/S3-Deny-users-from-modifying-S3-Block-Public-Access-(Account-Level).json: -------------------------------------------------------------------------------- 1 | { 2 | "Version":"2012-10-17", 3 | "Statement":[ 4 | { 5 | "Effect":"Deny", 6 | "Principal":"*", 7 | "Action":"s3:PutAccountPublicAccessBlock", 8 | "Resource":"*", 9 | "Condition":{ 10 | "ArnNotLike":{ 11 | "aws:PrincipalARN":"arn:aws:iam::${Account}:role/[PRIVILEGED_ROLE]" 12 | } 13 | } 14 | } 15 | ] 16 | } -------------------------------------------------------------------------------- /Service-specific-controls/KMS-Deny-AWS-Key-Management-Service-asymmetric-key-with-RSA-key-material-used-for-encryption-with-key-length-of-2048-bits.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version":"2012-10-17", 3 | "Statement":[ 4 | { 5 | "Effect":"Deny", 6 | "Principal":"*", 7 | "Action":"kms:CreateKey", 8 | "Resource":"*", 9 | "Condition":{ 10 | "StringEquals":{ 11 | "kms:KeyUsage":"ENCRYPT_DECRYPT", 12 | "kms:KeySpec":"RSA_2048" 13 | } 14 | } 15 | } 16 | ] 17 | } -------------------------------------------------------------------------------- /Service-specific-controls/KMS-Require-an-AWS-Key-Management-Service-key-policy-limiting-creation-of-AWS-KMS-grants-to-AWS-services.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version":"2012-10-17", 3 | "Statement":[ 4 | { 5 | "Effect":"Deny", 6 | "Principal":"*", 7 | "Action":"kms:CreateGrant", 8 | "Resource":"*", 9 | "Condition":{ 10 | "BoolIfExists":{ 11 | "kms:GrantIsForAWSResource":"false", 12 | "aws:PrincipalIsAWSService":"false" 13 | } 14 | } 15 | } 16 | ] 17 | } -------------------------------------------------------------------------------- 
/Service-specific-controls/KMS-Require-that-an-AWS-KMS-key-is-configured-with-the-bypass-policy-lockout-safety-check-enabled.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version":"2012-10-17", 3 | "Statement":[ 4 | { 5 | "Effect":"Deny", 6 | "Principal":"*", 7 | "Action":[ 8 | "kms:CreateKey", 9 | "kms:PutKeyPolicy" 10 | ], 11 | "Resource":"*", 12 | "Condition":{ 13 | "Bool":{ 14 | "kms:BypassPolicyLockoutSafetyCheck":"true" 15 | } 16 | } 17 | } 18 | ] 19 | } -------------------------------------------------------------------------------- /Limit-access-to-trusted-OIDC-identity-providers/GitHub-Actions.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version":"2012-10-17", 3 | "Statement":[ 4 | { 5 | "Effect":"Deny", 6 | "Principal":"*", 7 | "Action":"sts:AssumeRoleWithWebIdentity", 8 | "Resource":"*", 9 | "Condition":{ 10 | "StringNotLikeIfExists":{ 11 | "token.actions.githubusercontent.com:sub":"repo:/*" 12 | }, 13 | "Null":{ 14 | "token.actions.githubusercontent.com:sub":"false" 15 | } 16 | } 17 | } 18 | ] 19 | } -------------------------------------------------------------------------------- /Restrict-resource-access-patterns/Restrict-access-to-only-HTTPS-connections-to-your-resources.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version":"2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Deny", 6 | "Principal": "*", 7 | "Action": [ 8 | "sts:*", 9 | "s3:*", 10 | "sqs:*", 11 | "secretsmanager:*", 12 | "kms:*" 13 | ], 14 | "Resource": "*", 15 | "Condition": { 16 | "BoolIfExists": { 17 | "aws:SecureTransport": "false" 18 | } 19 | } 20 | } 21 | ] 22 | } 23 | -------------------------------------------------------------------------------- /Service-specific-controls/S3-Deny-users-from-deleting-Amazon-S3-Buckets-or-objects.json: -------------------------------------------------------------------------------- 1 | { 
2 | "Version":"2012-10-17", 3 | "Statement":[ 4 | { 5 | "Effect":"Deny", 6 | "Principal":"*", 7 | "Action":[ 8 | "s3:DeleteBucket", 9 | "s3:DeleteBucketPolicy", 10 | "s3:DeleteObject", 11 | "s3:DeleteObjectVersion", 12 | "s3:DeleteObjectTagging", 13 | "s3:DeleteObjectVersionTagging" 14 | ], 15 | "Resource":[ 16 | "arn:aws:s3:::[BUCKET_TO_PROTECT]", 17 | "arn:aws:s3:::[BUCKET_TO_PROTECT]/*" 18 | ] 19 | } 20 | ] 21 | } -------------------------------------------------------------------------------- /Service-specific-controls/KMS-Deny-the-accidental-or-intentional-deletion-of-a-KMS-key-and-only-allow-specific-roles-to-delete-KMS-keys.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version":"2012-10-17", 3 | "Statement":[ 4 | { 5 | "Effect":"Deny", 6 | "Principal":"*", 7 | "Action":[ 8 | "kms:ScheduleKeyDeletion", 9 | "kms:DeleteAlias", 10 | "kms:DeleteCustomKeyStore", 11 | "kms:DeleteImportedKeyMaterial" 12 | ], 13 | "Resource":"*", 14 | "Condition":{ 15 | "ArnNotLike":{ 16 | "aws:PrincipalArn":"arn:aws:iam::${Account}:role/[PRIVILEGED_ROLE]" 17 | } 18 | } 19 | } 20 | ] 21 | } -------------------------------------------------------------------------------- /.github/workflows/main.yml: -------------------------------------------------------------------------------- 1 | name: Issue or PR notifier 2 | on: 3 | issues: 4 | types: [opened] 5 | pull_request: 6 | types: [opened] 7 | jobs: 8 | run: 9 | name: Notify IS team of github activity 10 | runs-on: ubuntu-latest 11 | steps: 12 | - name: Draft with these release notes details 13 | uses: slackapi/slack-github-action@v2.0.0 14 | with: 15 | webhook: ${{ secrets.SLACK_WEBHOOK_URL }} 16 | webhook-type: webhook-trigger 17 | payload: | 18 | { 19 | "text": "A new \"${{ github.event_name }}\" has been opened on https://github.com/${{ github.repository }} . Please acknowledge the customer ASAP and :cowboy-ack: this request." 
20 | } 21 | -------------------------------------------------------------------------------- /Limit-access-to-trusted-OIDC-identity-providers/Deny-built-in-web-identity-providers.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Deny", 6 | "Principal": "*", 7 | "Action": "sts:AssumeRoleWithWebIdentity", 8 | "Resource": "*", 9 | "Condition": { 10 | "StringEquals": { 11 | "aws:federatedProvider": [ 12 | "accounts.google.com", 13 | "graph.facebook.com", 14 | "cognito-identity.amazonaws.com", 15 | "www.amazon.com" 16 | ] 17 | } 18 | } 19 | } 20 | ] 21 | } 22 | -------------------------------------------------------------------------------- /Restrict-resource-access-patterns/README.md: -------------------------------------------------------------------------------- 1 | ## Resource access method restrictions 2 | 3 | * Controls that enforce specific rules on the methods used to access your organization's resources, ensuring that only compliant access patterns are permitted. 4 | 5 | 6 | | Included Policy | Rationale | 7 | |-------------|-------------| 8 | |[Restrict access to only HTTPS connections to your resources](Restrict-access-to-only-HTTPS-connections-to-your-resources.json) | Require that access to your resources occurs only over encrypted HTTPS (TLS) connections. This can help you prevent potential attackers from manipulating network traffic and trusted partners from accessing your resources over an unencrypted connection.| 9 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 
2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of this 4 | software and associated documentation files (the "Software"), to deal in the Software 5 | without restriction, including without limitation the rights to use, copy, modify, 6 | merge, publish, distribute, sublicense, and/or sell copies of the Software, and to 7 | permit persons to whom the Software is furnished to do so. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, 10 | INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 11 | PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT 12 | HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 13 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE 14 | SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------------------- /Establish-intra-organization-boundaries/Deny-access-to-resources-in-an-organizational-unit,except-for-principals-from-the-same-or-specified-organizational-unit.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version":"2012-10-17", 3 | "Statement":[ 4 | { 5 | "Effect":"Deny", 6 | "Principal":"*", 7 | "Action":[ 8 | "s3:*", 9 | "sqs:*", 10 | "kms:*", 11 | "secretsmanager:*" 12 | ], 13 | "Resource":"*", 14 | "Condition":{ 15 | "ForAllValues:StringLikeIfExists": { 16 | "aws:ResourceOrgPaths":"o-orgid/r-acroot/ou-development/*" 17 | }, 18 | "ForAllValues:StringNotLikeIfExists": { 19 | "aws:PrincipalOrgPaths":"o-orgid/r-acroot/ou-development/*" 20 | }, 21 | "BoolIfExists":{ 22 | "aws:PrincipalIsAWSService":"false" 23 | } 24 | } 25 | } 26 | ] 27 | } -------------------------------------------------------------------------------- 
/Establish-intra-organization-boundaries/Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Deny", 6 | "Principal": "*", 7 | "Action": [ 8 | "s3:*", 9 | "sqs:*", 10 | "kms:*", 11 | "secretsmanager:*", 12 | "sts:AssumeRole", 13 | "sts:DecodeAuthorizationMessage", 14 | "sts:GetAccessKeyInfo", 15 | "sts:GetFederationToken", 16 | "sts:GetServiceBearerToken", 17 | "sts:GetSessionToken", 18 | "sts:SetContext" 19 | ], 20 | "Resource": "*", 21 | "Condition": { 22 | "BoolIfExists": { 23 | "aws:PrincipalIsAWSService": "false" 24 | }, 25 | "ArnNotLikeIfExists": { 26 | "aws:PrincipalARN":"arn:aws:iam::${Account}:role/[PRIVILEGED_ROLE]" 27 | } 28 | } 29 | } 30 | ] 31 | } -------------------------------------------------------------------------------- /Establish-intra-organization-boundaries/README.md: -------------------------------------------------------------------------------- 1 | ## Establish intra-organization boundaries 2 | 3 | * Controls that define boundaries and access controls between different organization units within your organization. 4 | 5 | 6 | | Included Policy | Rationale | 7 | |-------------|-------------| 8 | |[Deny resource access if the resource belongs to a specific organizational unit.](Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json) | Restrict actions for resources within the 'Suspended' Organizational Unit (OU) to only a privileged role by attaching this policy at the OU level. 
Note: If you would like to restrict AWS services such as security or logging services, you will need to remove the 'aws:PrincipalIsAWSService': 'false' condition.| 9 | |[Deny access to resources in an organizational unit, except for principals from the same or specified organizational unit.](Deny-access-to-resources-in-an-organizational-unit,except-for-principals-from-the-same-or-specified-organizational-unit.json) | Restrict access to specified AWS services for all principals except those in a specific OU path, helping to grant broader access to new services in development.| 10 | -------------------------------------------------------------------------------- /Data-perimeter-guardrails/README.md: -------------------------------------------------------------------------------- 1 | ## Data perimeter guardrails 2 | 3 | * A **data perimeter** is a set of preventive controls in your AWS environment you use to help ensure that only your trusted identities are accessing trusted resources from expected networks. Data perimeter guardrails are meant to serve as always-on boundaries to help protect your data across a broad set of AWS accounts and resources. These organization-wide guardrails do not replace your existing fine-grained access controls. Instead, they help improve your security strategy by ensuring that all AWS Identity and Access Management (IAM) users, roles, and resources adhere to a set of defined security standards. 4 | 5 | * **Trusted identities**: Principals (IAM roles or users) within your AWS accounts, or AWS services acting on your behalf. 6 | 7 | * **Trusted resources**: Resources owned by your AWS accounts or by AWS services acting on your behalf. 8 | 9 | * **Expected networks**: Your on-premises data centers and virtual private clouds (VPCs), or networks of AWS services acting on your behalf. 
10 | 11 | * **Policies** : Please visit [data perimeter repository](https://github.com/aws-samples/data-perimeter-policy-examples/tree/main/resource_control_policies) for policy examples. 12 | 13 | 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional documentation, we greatly value feedback and contributions from our community. 4 | 5 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary information to effectively respond to your bug report or contribution. 6 | 7 | 8 | ## Reporting Bugs/Feature Requests 9 | 10 | We welcome you to use the GitHub issue tracker to report bugs or suggest features. 11 | 12 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: 13 | 14 | * A reproducible test case or series of steps 15 | * The version of our code being used 16 | * Any modifications you've made relevant to the bug 17 | * Anything unusual about your environment or deployment 18 | 19 | 20 | ## Contributing via Pull Requests 21 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 22 | 23 | 1. You are working against the latest source on the *main* branch. 24 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 25 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 26 | 27 | To send us a pull request, please: 28 | 29 | 1. Fork the repository. 30 | 2. 
Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 31 | 3. Ensure local tests pass. 32 | 4. Commit to your fork using clear commit messages. 33 | 5. Send us a pull request, answering any default questions in the pull request interface. 34 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. 35 | 36 | GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 37 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). 38 | 39 | 40 | ## Finding contributions to work on 41 | Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. 42 | 43 | 44 | ## Code of Conduct 45 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 46 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 47 | opensource-codeofconduct@amazon.com with any additional questions or comments. 48 | 49 | 50 | ## Security issue notifications 51 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. 52 | 53 | 54 | ## Licensing 55 | 56 | See the [LICENSE](LICENSE-SUMMARY) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 
-------------------------------------------------------------------------------- /Service-specific-controls/README.md: -------------------------------------------------------------------------------- 1 | ## Service specific controls 2 | 3 | * Controls that define baseline security requirements or guidelines that are implemented across individual AWS services to ensure a standardized approach to security and compliance. 4 | 5 | **Note**: Some controls in this section can be implemented using either service control policies (SCPs) or resource control policies (RCPs) as mentioned in the rationale column next to the policy. Note that SCPs affect only IAM principals that are managed by accounts that are part of the organization. RCPs impact the effective permissions of principals trying to access resources in a member account with an applicable RCP, regardless of whether the principals belong to the same organizations or not. 6 | 7 | **Amazon Simple Storage Service (S3)** 8 | 9 | | Included Policy | Rationale | 10 | |-------------|-------------| 11 | |[Enforce TLS version](S3-Enforce-TLS-version.json) | Require a minimum TLS version of 1.2 for access to S3 buckets.| 12 | |[Deny users from deleting Amazon S3 Buckets or objects](S3-Deny-users-from-deleting-Amazon-S3-Buckets-or-objects.json) | Restrict users or roles in any affected account from deleting S3 bucket or objects. This control can be implemented using either SCP or RCP.| 13 | |[Deny ACL disablement for all new buckets (bucket owner enforced)](S3-Deny-ACL-disablement-for-all-new-buckets-(bucket-owner-enforced).json)| Require that all new buckets are created with ACLs disabled. Note: When you apply this setting, ACLs are disabled and you automatically own and have full control over all objects in your bucket. 
This control can be implemented using either SCP or RCP.| 14 | |[Deny users from modifying S3 Block Public Access (Account-Level)](S3-Deny-users-from-modifying-S3-Block-Public-Access-(Account-Level).json) |Deny users or roles in any affected account from modifying the S3 Block Public Access account-level settings. Note: When you apply block public access settings to an account, the settings apply to all AWS Regions globally. This control can be implemented using either SCP or RCP.| 15 | |[Prevent S3 buckets from being made public (Bucket level)](S3-Prevent-S3-buckets-from-being-made-public-(Bucket-level).json) |Deny users or roles in any affected account from modifying the S3 Block Public Access bucket-level settings. This control can be implemented using either SCP or RCP.| 16 | |[Prevents usage of customer-provided encryption keys (SSE-C) for S3 buckets (Bucket level)](S3-Deny-SSE-C.json) |Deny the use of customer-provided encryption keys (SSE-C) across the organization. This security measure helps ensure all S3 bucket encryption remains under organizational control by denying the use of S3 with SSE-C.| 17 | |[Prevents long term presigned URLs](S3-Prevent-long-term-presigned-url.json) |Deny the use of presigned URLs with a signature age greater than the configured expiration time.| 18 | 19 | 20 | **AWS Key Management Service (KMS)** 21 | 22 | | Included Policy | Rationale | 23 | |-------------|-------------| 24 | |[Require an AWS Key Management Service key policy limiting creation of AWS KMS grants to AWS services](KMS-Require-an-AWS-Key-Management-Service-key-policy-limiting-creation-of-AWS-KMS-grants-to-AWS-services.json) |Prevent grants from being assigned directly to principals other than AWS service principals to reduce the opportunities for grant misuse.| 25 | |[Deny AWS Key Management Service asymmetric key with RSA key material with key length of 2048 
bits](KMS-Deny-AWS-Key-Management-Service-asymmetric-key-with-RSA-key-material-used-for-encryption-with-key-length-of-2048-bits.json) |Stronger RSA keys (3072-bit or 4096-bit) are recommended to provide better security.| 26 | |[Require that an AWS KMS key is configured with the bypass policy lockout safety check enabled](KMS-Require-that-an-AWS-KMS-key-is-configured-with-the-bypass-policy-lockout-safety-check-enabled.json) |Deny bypassing the KMS key policy lockout safety check when creating a KMS key or updating its key policy, because bypassing this check increases the risk that a KMS key becomes unmanageable.| 27 | |[Deny the accidental or intentional deletion of a KMS key and only allow specific roles to delete KMS keys.](KMS-Deny-the-accidental-or-intentional-deletion-of-a-KMS-key-and-only-allow-specific-roles-to-delete-KMS-keys.json)|Deny the accidental or intentional deletion of a KMS key and only allow specific roles to delete KMS keys.| 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Resource Control Policy examples 2 | ------------------------------------------------------------------------------ 3 | 4 | **The resource control policies in this repository are shown as examples. You should not attach RCPs without thoroughly testing the impact that the policy has on resources in your accounts. Once you have a policy ready that you would like to implement, we recommend testing in a separate organization or OU that can represent your production environment. 
Once tested, you should deploy changes to test OUs and then progressively deploy the changes to a broader set of OUs over time.** 5 | 6 | [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) are meant to be used as coarse-grained preventative controls, and they don’t grant access. You must still attach [identity-based or resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html) to IAM principals or resources in your accounts to actually grant permissions. The effective permissions are the logical intersection between the SCP/RCP and an identity policy or the SCP/RCP and a resource policy. You can get more details about RCP effects on permissions [here](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html#rcp-effects-on-permissions). 7 | 8 | A [Resource control policy (RCP)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html), when attached to an AWS organization root, organization unit, or an account offers a central control over the maximum available permissions for resources in your organization, organization unit or an account. As an RCP can be applied at multiple levels in an AWS organization, understanding how [RCPs are evaluated](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_evaluation.html) can help you write RCPs that yield the expected outcome. 9 | 10 | We recommend that you organize accounts using [OUs based on function](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/benefits-of-using-ous.html#group-similar-accounts-based-on-function), compliance requirements, or a common set of controls rather than mirroring your organization’s reporting structure. 
For more details, reference: [Design principles for your multi-account strategy.](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/design-principles-for-your-multi-account-strategy.html) 11 | 12 | 13 | 14 | 15 | 16 | ## This repository 17 | ------------------------------------------------------------------------------ 18 | The example policies are divided into different categories based on the type of control. These examples do not represent a complete list and are intended for you to tailor and extend to suit the needs of your environment. This folder contains examples of RCPs that help enforce controls on [services supported by RCPs.](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html#rcp-supported-services) 19 | 20 | **Note**: The [RCPFullAWSAccess](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_examples.html#example-rcp-full-aws-access) policy is automatically attached to the organization root, every OU, and every account in your organization, when you enable resource control policies (RCPs). This default RCP allows all principals and actions access to pass through RCP evaluation. You can make use of Deny statements to restrict access to resources in your organization. You still also need to grant appropriate permissions to your principals by using identity-based or resource-based policies. 21 | 22 | **Note**: Some of the controls in this repository can be implemented using either service control policies (SCPs) or resource control policies (RCPs). Note that SCPs affect only IAM principals that are managed by accounts that are part of the organization. RCPs impact the effective permissions of principals trying to access resources in a member account with an applicable RCP, regardless of whether the principals belong to the same organizations or not. 
23 | 24 | * **[Data perimeter guardrails](https://github.com/aws-samples/data-perimeter-policy-examples)** : Enforce preventive controls that help ensure only your trusted identities are accessing trusted resources from expected networks. 25 | 26 | * **[Establish intra-organization boundaries](Establish-intra-organization-boundaries/README.md)**: Controls that define boundaries and access controls between different organization units within your organization. 27 | 28 | * **[Restrict resource access patterns](Restrict-resource-access-patterns/README.md)**: Controls that enforce specific rules on the methods used to access your organization's resources, ensuring that only compliant access patterns are permitted. 29 | 30 | * **[Limit access to trusted OIDC identity providers](Limit-access-to-trusted-OIDC-identity-providers/README.md)** : Controls that govern the authorization mechanisms used by external OIDC identity providers (IdPs) to grant access to your organization's resources. 31 | 32 | * **[Service specific controls](Service-specific-controls/README.md)**: Controls that define baseline security requirements or guidelines that are implemented across individual AWS services to ensure a standardized approach to security and compliance. 33 | 34 | 35 | 36 | 37 | 38 | ## Top RCPs to get started with 39 | ------------------------------------------------------------------------------ 40 | 41 | If you are just starting to implement RCPs in your environment, consider our top recommended RCPs. 
42 | 43 | * [Only trusted identities can access my resources (Identity perimeter objective).](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/resource_control_policies/identity_perimeter_rcp.json) 44 | * [Restrict access to only HTTPS connections to your resources.](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_examples.html#example-rcp-enforce-ssl) 45 | * [Limit access to trusted OIDC identity providers (if applicable)](Limit-access-to-trusted-OIDC-identity-providers/README.md) 46 | 47 | 48 | 49 | ## Documentation links 50 | ------------------------------------------------------------------------------ 51 | 52 | * [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) 53 | 54 | * [Blog: Introducing resource control policies (RCPs), a new type of authorization policy in AWS Organizations](https://aws.amazon.com/blogs/aws/introducing-resource-control-policies-rcps-a-new-authorization-policy/) 55 | 56 | * [Blog: Enforcing enterprise-wide preventive controls with AWS Organizations](https://aws.amazon.com/blogs/mt/enforcing-enterprise-wide-preventive-controls-with-aws-organizations/) 57 | 58 | * [Data perimeters on AWS](https://aws.amazon.com/identity/data-perimeters-on-aws/) 59 | 60 | 61 | ## Security 62 | See [CONTRIBUTING](CONTRIBUTING.md) for more information. 63 | 64 | ## License 65 | This library is licensed under the MIT-0 License. See the LICENSE file. 
66 | -------------------------------------------------------------------------------- /Limit-access-to-trusted-OIDC-identity-providers/README.md: -------------------------------------------------------------------------------- 1 | ## Limit access to trusted OIDC identity providers 2 | 3 | * OIDC federation lets users who have authenticated with an OpenID Connect (OIDC)-compatible identity provider (IdP) obtain temporary AWS security credentials through an IAM OIDC identity provider configured in your AWS environment. This section outlines example controls that govern which external OIDC identity providers, and which tenants within them, can be used to obtain access to your organization's resources. 4 | 5 | 6 | | Service Provider | Rationale | 7 | |-------------|-------------| 8 | |[Enforce trusted OIDC providers](https://github.com/aws-samples/data-perimeter-policy-examples/blob/4bc433ff6c4721049fc2eb542c89246343b5fb8a/resource_control_policies/identity_perimeter_rcp.json#L55C19-L55C49) | Limit access to sts:AssumeRoleWithWebIdentity to only federated identities associated with a specific OIDC provider.| 9 | |[Enforce trusted OIDC tenants](https://github.com/aws-samples/data-perimeter-policy-examples/blob/4bc433ff6c4721049fc2eb542c89246343b5fb8a/resource_control_policies/identity_perimeter_rcp.json#L39C19-L39C44) | Limit access to sts:AssumeRoleWithWebIdentity to only federated identities originating from your tenant of a trusted multi-tenant OIDC provider. | 10 | |[Enforce only trusted GitHub organizations when using GitHub's default issuer](GitHub-Actions.json) | Help ensure that only repositories and jobs from your tenant within GitHub's SaaS environment can assume roles in your AWS accounts using `AssumeRoleWithWebIdentity`. 
This control is effective when you use the default issuer URL shared by all GitHub environments, `token.actions.githubusercontent.com`, and uses part of the `sub` (subject) claim value to identify which tenant a given token presented to `AssumeRoleWithWebIdentity` belongs to. For example, you can use `StringLike` with `"repo:<enterprise-slug>/*"`, replacing `<enterprise-slug>` with the expected value of your enterprise slug (the repository-owner segment of the `sub` claim), to deny access to your AWS accounts from GitHub Actions except when the workflow belongs to your GitHub tenant. The condition key must match the URL of your IAM OIDC identity provider exactly (without the `https://` prefix): a misspelled key never sees the claim, and with the `...IfExists` plus `Null` pattern used by these statements that makes the statement silently ineffective rather than failing closed, so verify the key against the provider you created in IAM.| 11 | |[Deny the built-in web identity providers (e.g., Facebook, Google, Login with Amazon, Cognito)](Deny-built-in-web-identity-providers.json) | Deny the four built-in web identity providers (Google, Facebook, Amazon Cognito and Login with Amazon) from assuming roles in your AWS accounts using `AssumeRoleWithWebIdentity`. | 12 | 13 | 14 | 15 | ### Specific example controls for tenancy within multi-tenant OIDC providers with a shared issuer URL 16 | 17 | [Enforce only specific tenants within providers with a shared issuer URL](Shared-Issuers.json) 18 | 19 | Some third-party services that integrate with AWS using OIDC use a single shared "issuer" (`iss`) URL for all of their tenants. Because the issuer, and therefore the IAM OIDC identity provider, is the same for every customer of such a service, the provider alone cannot distinguish your tenant from anyone else's: IAM roles that trust these providers must check tenant-identifying condition keys (typically the `sub` claim, alongside `aud`) in their role trust policies so that other tenants of the service cannot assume your IAM roles and access your AWS resources. 20 | 21 | When applied, these example RCP statements help ensure that only your tenant of each of these services can assume your roles and access your resources, even when a role trust policy is misconfigured and does not check tenancy. Treat them as a backstop rather than a replacement: role trust policies should still pin the `aud` and tenant-specific `sub` values, and the RCP only covers the providers for which you include a statement. 
The [sample policy](Shared-Issuers.json) has one statement per service issuer URL, with example conditions based on that service's documentation, to help ensure that only your tenant on their platform can assume your IAM roles. The placeholder that identifies your tenancy with each service is shown in angle brackets (`<>`) and uses the term from that service's own documentation; replace it with your value before deploying. A statement deployed with the literal placeholder left in place matches no real `sub` value and therefore denies every `AssumeRoleWithWebIdentity` call through that provider. To use the [sample policy](Shared-Issuers.json), keep only the statements for the third-party services you use in your AWS organization; each statement's `StringNot...IfExists` condition is paired with a `Null` check on the same key, so a statement applies only to requests that carry that provider's claim and has no effect on other providers. 22 | 23 | 24 | Here is the list of the service providers covered in this sample, and their documentation: 25 | 26 | 27 | | Provider | Documentation | Issuer/OIDC Provider URL | Policy Statement in [Shared-Issuers.json](Shared-Issuers.json) | 28 | |-----------------------------------|------------------------------------------------------------------------------------------------------|----------------------------------------------------------------|----------------------------------------------------------------| 29 | | Terraform Cloud | [Terraform Docs](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/aws-configuration) | https://app.terraform.io | EnforceTrustedOIDCTenantTerraformCloud| 30 | | GitLab | [GitLab Docs](https://docs.gitlab.com/ee/ci/cloud_services/aws/)<br>
[ID Token Auth](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html) | https://gitlab.com | EnforceTrustedOIDCTenantGitLabCLoud| 31 | | IBM Turbonomic SaaS | [IBM Docs](https://www.ibm.com/docs/en/tarm/8.13.0?topic=suaiuir-setting-up-aws-iam-role-turbonomic-saas-deployments)<br>[IBM Docs](https://www.ibm.com/docs/en/tarm/8.14.6?topic=turbonomic-setting-up-aws-iam-role-saas-deployments)<br>[Support Page](https://www.ibm.com/support/pages/turbonomic-saas-iam-role-setup) | https://rh-oidc.s3.us-east-1.amazonaws.com/22ejnvnnturfmt6km08idd0nt4hekbn7<br>https://rh-oidc.s3.us-east-1.amazonaws.com/23e3sd27sju1hoou6ohfs68vbno607tr<br>https://rh-oidc.s3.us-east-1.amazonaws.com/23ne21h005qjl3n33d8dui5dlrmv2tmg<br>https://rh-oidc.s3.us-east-1.amazonaws.com/24jrf12m5dj7ljlfb4ta2frhrcoadm26<br>https://oidc.op1.openshiftapps.com/2f785sojlpb85i7402pk3qogugim5nfb<br>https://oidc.op1.openshiftapps.com/2c51blsaqa9gkjt0o9rt11mle8mmropu | EnforceTrustedOIDCTenantIbmTurboNomic1<br>EnforceTrustedOIDCTenantIbmTurboNomic2<br>EnforceTrustedOIDCTenantIbmTurboNomic3<br>EnforceTrustedOIDCTenantIbmTurboNomic4<br>EnforceTrustedOIDCTenantIbmTurboNomic5<br>EnforceTrustedOIDCTenantIbmTurboNomic6 | 32 | | Shisho.dev | [Shisho Docs](https://shisho.dev/docs/g/getting-started/integrate-apps/aws/) | https://tokens.cloud.shisho.dev | EnforceTrustedOIDCTenantShishoDev| 33 | | Scalr | [Scalr Docs](https://docs.scalr.io/docs/aws) | https://scalr.io | EnforceTrustedOIDCTenantScalr | 34 | | GitHub Audit Log Streaming | [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-amazon-s3) | https://oidc-configuration.audit-log.githubusercontent.com | EnforceTrustedOIDCTenantGithubLogStreaming | 35 | | Pulumi | [Pulumi Docs](https://www.pulumi.com/docs/pulumi-cloud/oidc/provider/aws/) | https://api.pulumi.com | EnforceTrustedOIDCTenantPulumi | 36 | | Buildkite | [Buildkite Docs](https://buildkite.com/docs/agent/v3/cli-oidc) | https://agent.buildkite.com |EnforceTrustedOIDCTenantBuildKite | 37 | | Upbound | [Upbound Docs](https://docs.upbound.io/all-spaces/legacy-spaces/multicloud-deploy/) | https://proidc.upbound.io | EnforceTrustedOIDCTenantUpbound| 38 | | GitHub Actions - Self Hosted Runners | [GitHub Actions Docs](https://github.com/actions/runner/blob/main/docs/checks/actions.md) | https://vstoken.actions.githubusercontent.com | EnforceTrustedOIDCTenantGithubActionsSelfHosted| 39 | | Vercel | [Vercel Docs](https://vercel.com/docs/security/secure-backend-access/oidc/reference) | https://oidc.vercel.com | EnforceTrustedOIDCTenantVercel| 40 | | Sandboxes.cloud | [Sandboxes Docs](https://docs.sandboxes.cloud/docs/cloud-resources-setup) | https://sandboxes.cloud | EnforceTrustedOIDCTenantSandBoxes| 41 | | Datachain.ai | [Datachain Docs](https://dvc.org/doc/studio/user-guide/openid-connect) | https://studio.datachain.ai/api | EnforceTrustedOIDCTenantDataChain | 42 | | Codefresh | [Codefresh Docs](https://codefresh.io/docs/docs/integrations/oidc-pipelines/) | https://oidc.codefresh.io | 
EnforceTrustedOIDCTenantCodeFresh | 43 | 44 | This list may not include all possible third party service providers that use a shared issuer URL with their OIDC integration to access AWS accounts. Please review all relevant documentation from your service providers to ensure your security objectives are met when configuring an OIDC integration to AWS from your third party service providers. 45 | 46 | Please note this sample with all providers, and all the included whitespace is larger than the RCP size limit. You can reduce the size of the policy by removing statements for unneeded providers and removing whitespace. 47 | -------------------------------------------------------------------------------- /Limit-access-to-trusted-OIDC-identity-providers/Shared-Issuers.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "EnforceTrustedOIDCTenantTerraformCloud", 6 | "Effect": "Deny", 7 | "Principal": "*", 8 | "Action": "sts:AssumeRoleWithWebIdentity", 9 | "Resource": "*", 10 | "Condition": { 11 | "StringNotLikeIfExists": { 12 | "app.terraform.io:sub": "organization::*" 13 | }, 14 | "Null": { 15 | "app.terraform.io:sub": "false" 16 | } 17 | } 18 | }, 19 | { 20 | "Sid": "EnforceTrustedOIDCTenantGitLabCLoud", 21 | "Effect": "Deny", 22 | "Principal": "*", 23 | "Action": "sts:AssumeRoleWithWebIdentity", 24 | "Resource": "*", 25 | "Condition": { 26 | "StringNotLikeIfExists": { 27 | "gitlab.com:sub": "project_path:/*" 28 | }, 29 | "Null": { 30 | "gitlab.com:sub": "false" 31 | } 32 | } 33 | }, 34 | { 35 | "Sid": "EnforceTrustedOIDCTenantIbmTurboNomic1", 36 | "Effect": "Deny", 37 | "Principal": "*", 38 | "Action": "sts:AssumeRoleWithWebIdentity", 39 | "Resource": "*", 40 | "Condition": { 41 | "StringNotLikeIfExists": { 42 | "rh-oidc.s3.us-east-1.amazonaws.com/22ejnvnnturfmt6km08idd0nt4hekbn7:sub": "system:serviceaccount::*" 43 | }, 44 | "Null": { 45 | 
"rh-oidc.s3.us-east-1.amazonaws.com/22ejnvnnturfmt6km08idd0nt4hekbn7:sub": "false" 46 | } 47 | } 48 | }, 49 | { 50 | "Sid": "EnforceTrustedOIDCTenantIbmTurboNomic2", 51 | "Effect": "Deny", 52 | "Principal": "*", 53 | "Action": "sts:AssumeRoleWithWebIdentity", 54 | "Resource": "*", 55 | "Condition": { 56 | "StringNotLikeIfExists": { 57 | "rh-oidc.s3.us-east-1.amazonaws.com/23e3sd27sju1hoou6ohfs68vbno607tr:sub": "system:serviceaccount::*" 58 | }, 59 | "Null": { 60 | "rh-oidc.s3.us-east-1.amazonaws.com/23e3sd27sju1hoou6ohfs68vbno607tr:sub": "false" 61 | } 62 | } 63 | }, 64 | { 65 | "Sid": "EnforceTrustedOIDCTenantIbmTurboNomic3", 66 | "Effect": "Deny", 67 | "Principal": "*", 68 | "Action": "sts:AssumeRoleWithWebIdentity", 69 | "Resource": "*", 70 | "Condition": { 71 | "StringNotLikeIfExists": { 72 | "rh-oidc.s3.us-east-1.amazonaws.com/23ne21h005qjl3n33d8dui5dlrmv2tmg:sub": "system:serviceaccount::*" 73 | }, 74 | "Null": { 75 | "rh-oidc.s3.us-east-1.amazonaws.com/23ne21h005qjl3n33d8dui5dlrmv2tmg:sub": "false" 76 | } 77 | } 78 | }, 79 | { 80 | "Sid": "EnforceTrustedOIDCTenantIbmTurboNomic4", 81 | "Effect": "Deny", 82 | "Principal": "*", 83 | "Action": "sts:AssumeRoleWithWebIdentity", 84 | "Resource": "*", 85 | "Condition": { 86 | "StringNotLikeIfExists": { 87 | "rh-oidc.s3.us-east-1.amazonaws.com/24jrf12m5dj7ljlfb4ta2frhrcoadm26:sub": "system:serviceaccount::*" 88 | }, 89 | "Null": { 90 | "rh-oidc.s3.us-east-1.amazonaws.com/24jrf12m5dj7ljlfb4ta2frhrcoadm26:sub": "false" 91 | } 92 | } 93 | }, 94 | { 95 | "Sid": "EnforceTrustedOIDCTenantIbmTurboNomic5", 96 | "Effect": "Deny", 97 | "Principal": "*", 98 | "Action": "sts:AssumeRoleWithWebIdentity", 99 | "Resource": "*", 100 | "Condition": { 101 | "StringNotLikeIfExists": { 102 | "oidc.op1.openshiftapps.com/2f785sojlpb85i7402pk3qogugim5nfb:sub": "system:serviceaccount::*" 103 | }, 104 | "Null": { 105 | "oidc.op1.openshiftapps.com/2f785sojlpb85i7402pk3qogugim5nfb:sub": "false" 106 | } 107 | } 108 | }, 109 | { 110 | "Sid": 
"EnforceTrustedOIDCTenantIbmTurboNomic6", 111 | "Effect": "Deny", 112 | "Principal": "*", 113 | "Action": "sts:AssumeRoleWithWebIdentity", 114 | "Resource": "*", 115 | "Condition": { 116 | "StringNotLikeIfExists": { 117 | "oidc.op1.openshiftapps.com/2c51blsaqa9gkjt0o9rt11mle8mmropu:sub": "system:serviceaccount::*" 118 | }, 119 | "Null": { 120 | "oidc.op1.openshiftapps.com/2c51blsaqa9gkjt0o9rt11mle8mmropu:sub": "false" 121 | } 122 | } 123 | }, 124 | { 125 | "Sid": "EnforceTrustedOIDCTenantShishoDev", 126 | "Effect": "Deny", 127 | "Principal": "*", 128 | "Action": "sts:AssumeRoleWithWebIdentity", 129 | "Resource": "*", 130 | "Condition": { 131 | "StringNotLikeIfExists": { 132 | "tokens.cloud.shisho.dev:sub": "job::*" 133 | }, 134 | "Null": { 135 | "tokens.cloud.shisho.dev:sub": "false" 136 | } 137 | } 138 | }, 139 | { 140 | "Sid": "EnforceTrustedOIDCTenantScalr", 141 | "Effect": "Deny", 142 | "Principal": "*", 143 | "Action": "sts:AssumeRoleWithWebIdentity", 144 | "Resource": "*", 145 | "Condition": { 146 | "StringNotLikeIfExists": { 147 | "scalr.io:sub": "account::*" 148 | }, 149 | "Null": { 150 | "scalr.io:sub": "false" 151 | } 152 | } 153 | }, 154 | { 155 | "Sid": "EnforceTrustedOIDCTenantGithubLogStreaming", 156 | "Effect": "Deny", 157 | "Principal": "*", 158 | "Action": "sts:AssumeRoleWithWebIdentity", 159 | "Resource": "*", 160 | "Condition": { 161 | "StringNotEqualsIfExists": { 162 | "oidc-configuration.audit-log.githubusercontent.com:sub": "https://github.com/" 163 | }, 164 | "Null": { 165 | "oidc-configuration.audit-log.githubusercontent.com:sub": "false" 166 | } 167 | } 168 | }, 169 | { 170 | "Sid": "EnforceTrustedOIDCTenantPulumi", 171 | "Effect": "Deny", 172 | "Principal": "*", 173 | "Action": "sts:AssumeRoleWithWebIdentity", 174 | "Resource": "*", 175 | "Condition": { 176 | "StringNotLikeIfExists": { 177 | "api.pulumi.com:sub": "pulumi:*:org::*" 178 | }, 179 | "Null": { 180 | "api.pulumi.com:sub": "false" 181 | } 182 | } 183 | }, 184 | { 185 | "Sid": 
"EnforceTrustedOIDCTenantBuildKite", 186 | "Effect": "Deny", 187 | "Principal": "*", 188 | "Action": "sts:AssumeRoleWithWebIdentity", 189 | "Resource": "*", 190 | "Condition": { 191 | "StringNotLikeIfExists": { 192 | "agent.buildkite.com:sub": "organization::*" 193 | }, 194 | "Null": { 195 | "agent.buildkite.com:sub": "false" 196 | } 197 | } 198 | }, 199 | { 200 | "Sid": "EnforceTrustedOIDCTenantUpbound", 201 | "Effect": "Deny", 202 | "Principal": "*", 203 | "Action": "sts:AssumeRoleWithWebIdentity", 204 | "Resource": "*", 205 | "Condition": { 206 | "StringNotLikeIfExists": { 207 | "proidc.upbound.io:sub": "mcp::*" 208 | }, 209 | "Null": { 210 | "proidc.upbound.io:sub": "false" 211 | } 212 | } 213 | }, 214 | { 215 | "Sid": "EnforceTrustedOIDCTenantGithubActionsSelfHosted", 216 | "Effect": "Deny", 217 | "Principal": "*", 218 | "Action": "sts:AssumeRoleWithWebIdentity", 219 | "Resource": "*", 220 | "Condition": { 221 | "StringNotLikeIfExists": { 222 | "vstoken.actions.githubusercontent.com:sub": "repo:/*" 223 | }, 224 | "Null": { 225 | "vstoken.actions.githubusercontent.com:sub": "false" 226 | } 227 | } 228 | }, 229 | { 230 | "Sid": "EnforceTrustedOIDCTenantVercel", 231 | "Effect": "Deny", 232 | "Principal": "*", 233 | "Action": "sts:AssumeRoleWithWebIdentity", 234 | "Resource": "*", 235 | "Condition": { 236 | "StringNotLikeIfExists": { 237 | "oidc.vercel.com:sub": "owner::*" 238 | }, 239 | "Null": { 240 | "oidc.vercel.com:sub": "false" 241 | } 242 | } 243 | }, 244 | { 245 | "Sid": "EnforceTrustedOIDCTenantSandBoxes", 246 | "Effect": "Deny", 247 | "Principal": "*", 248 | "Action": "sts:AssumeRoleWithWebIdentity", 249 | "Resource": "*", 250 | "Condition": { 251 | "StringNotEqualsIfExists": { 252 | "sandboxes.cloud:aud": "" 253 | }, 254 | "Null": { 255 | "sandboxes.cloud:aud": "false" 256 | } 257 | } 258 | }, 259 | { 260 | "Sid": "EnforceTrustedOIDCTenantDataChain", 261 | "Effect": "Deny", 262 | "Principal": "*", 263 | "Action": "sts:AssumeRoleWithWebIdentity", 264 | 
"Resource": "*", 265 | "Condition": { 266 | "StringNotLikeIfExists": { 267 | "studio.datachain.ai/api:sub": "credentials:/*" 268 | }, 269 | "Null": { 270 | "studio.datachain.ai/api:sub": "false" 271 | } 272 | } 273 | }, 274 | { 275 | "Sid": "EnforceTrustedOIDCTenantCodeFresh", 276 | "Effect": "Deny", 277 | "Principal": "*", 278 | "Action": "sts:AssumeRoleWithWebIdentity", 279 | "Resource": "*", 280 | "Condition": { 281 | "StringNotLikeIfExists": { 282 | "oidc.codefresh.io:sub": "account::*" 283 | }, 284 | "Null": { 285 | "oidc.codefresh.io:sub": "false" 286 | } 287 | } 288 | } 289 | ] 290 | } 291 | --------------------------------------------------------------------------------