Repository layout of aws-samples/resource-control-policy-examples (file contents are not reproduced on this page; each entry below gives the raw URL of the file):

├── .github
│   └── workflows
│       └── main.yml
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── Data-perimeter-guardrails
│   └── README.md
├── Establish-intra-organization-boundaries
│   ├── Deny-access-to-resources-in-an-organizational-unit,except-for-principals-from-the-same-or-specified-organizational-unit.json
│   ├── Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json
│   └── README.md
├── LICENSE
├── LICENSE-SUMMARY
├── Limit-access-to-trusted-OIDC-identity-providers
│   ├── Deny-built-in-web-identity-providers.json
│   ├── GitHub-Actions.json
│   ├── README.md
│   └── Shared-Issuers.json
├── README.md
├── Restrict-resource-access-patterns
│   ├── README.md
│   └── Restrict-access-to-only-HTTPS-connections-to-your-resources.json
└── Service-specific-controls
    ├── KMS-Deny-AWS-Key-Management-Service-asymmetric-key-with-RSA-key-material-used-for-encryption-with-key-length-of-2048-bits.json
    ├── KMS-Deny-the-accidental-or-intentional-deletion-of-a-KMS-key-and-only-allow-specific-roles-to-delete-KMS-keys.json
    ├── KMS-Require-an-AWS-Key-Management-Service-key-policy-limiting-creation-of-AWS-KMS-grants-to-AWS-services.json
    ├── KMS-Require-that-an-AWS-KMS-key-is-configured-with-the-bypass-policy-lockout-safety-check-enabled.json
    ├── README.md
    ├── S3-Deny-ACL-disablement-for-all-new-buckets-(bucket-owner-enforced).json
    ├── S3-Deny-SSE-C.json
    ├── S3-Deny-users-from-deleting-Amazon-S3-Buckets-or-objects.json
    ├── S3-Deny-users-from-modifying-S3-Block-Public-Access-(Account-Level).json
    ├── S3-Enforce-TLS-version.json
    ├── S3-Prevent-S3-buckets-from-being-made-public-(Bucket-level).json
    └── S3-Prevent-long-term-presigned-url.json

/.github/workflows/main.yml:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/.github/workflows/main.yml

/CODE_OF_CONDUCT.md:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/CODE_OF_CONDUCT.md

/CONTRIBUTING.md:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/CONTRIBUTING.md

/Data-perimeter-guardrails/README.md:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Data-perimeter-guardrails/README.md

/Establish-intra-organization-boundaries/Deny-access-to-resources-in-an-organizational-unit,except-for-principals-from-the-same-or-specified-organizational-unit.json:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Establish-intra-organization-boundaries/Deny-access-to-resources-in-an-organizational-unit,except-for-principals-from-the-same-or-specified-organizational-unit.json

/Establish-intra-organization-boundaries/Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Establish-intra-organization-boundaries/Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json

/Establish-intra-organization-boundaries/README.md:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Establish-intra-organization-boundaries/README.md

/LICENSE:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/LICENSE

/LICENSE-SUMMARY:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/LICENSE-SUMMARY

/Limit-access-to-trusted-OIDC-identity-providers/Deny-built-in-web-identity-providers.json:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Limit-access-to-trusted-OIDC-identity-providers/Deny-built-in-web-identity-providers.json

/Limit-access-to-trusted-OIDC-identity-providers/GitHub-Actions.json:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Limit-access-to-trusted-OIDC-identity-providers/GitHub-Actions.json

/Limit-access-to-trusted-OIDC-identity-providers/README.md:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Limit-access-to-trusted-OIDC-identity-providers/README.md

/Limit-access-to-trusted-OIDC-identity-providers/Shared-Issuers.json:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Limit-access-to-trusted-OIDC-identity-providers/Shared-Issuers.json

/README.md:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/README.md

/Restrict-resource-access-patterns/README.md:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Restrict-resource-access-patterns/README.md

/Restrict-resource-access-patterns/Restrict-access-to-only-HTTPS-connections-to-your-resources.json:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Restrict-resource-access-patterns/Restrict-access-to-only-HTTPS-connections-to-your-resources.json

/Service-specific-controls/KMS-Deny-AWS-Key-Management-Service-asymmetric-key-with-RSA-key-material-used-for-encryption-with-key-length-of-2048-bits.json:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Service-specific-controls/KMS-Deny-AWS-Key-Management-Service-asymmetric-key-with-RSA-key-material-used-for-encryption-with-key-length-of-2048-bits.json

/Service-specific-controls/KMS-Deny-the-accidental-or-intentional-deletion-of-a-KMS-key-and-only-allow-specific-roles-to-delete-KMS-keys.json:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Service-specific-controls/KMS-Deny-the-accidental-or-intentional-deletion-of-a-KMS-key-and-only-allow-specific-roles-to-delete-KMS-keys.json

/Service-specific-controls/KMS-Require-an-AWS-Key-Management-Service-key-policy-limiting-creation-of-AWS-KMS-grants-to-AWS-services.json:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Service-specific-controls/KMS-Require-an-AWS-Key-Management-Service-key-policy-limiting-creation-of-AWS-KMS-grants-to-AWS-services.json

/Service-specific-controls/KMS-Require-that-an-AWS-KMS-key-is-configured-with-the-bypass-policy-lockout-safety-check-enabled.json:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Service-specific-controls/KMS-Require-that-an-AWS-KMS-key-is-configured-with-the-bypass-policy-lockout-safety-check-enabled.json

/Service-specific-controls/README.md:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Service-specific-controls/README.md

/Service-specific-controls/S3-Deny-ACL-disablement-for-all-new-buckets-(bucket-owner-enforced).json:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Service-specific-controls/S3-Deny-ACL-disablement-for-all-new-buckets-(bucket-owner-enforced).json

/Service-specific-controls/S3-Deny-SSE-C.json:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Service-specific-controls/S3-Deny-SSE-C.json

/Service-specific-controls/S3-Deny-users-from-deleting-Amazon-S3-Buckets-or-objects.json:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Service-specific-controls/S3-Deny-users-from-deleting-Amazon-S3-Buckets-or-objects.json

/Service-specific-controls/S3-Deny-users-from-modifying-S3-Block-Public-Access-(Account-Level).json:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Service-specific-controls/S3-Deny-users-from-modifying-S3-Block-Public-Access-(Account-Level).json

/Service-specific-controls/S3-Enforce-TLS-version.json:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Service-specific-controls/S3-Enforce-TLS-version.json

/Service-specific-controls/S3-Prevent-S3-buckets-from-being-made-public-(Bucket-level).json:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Service-specific-controls/S3-Prevent-S3-buckets-from-being-made-public-(Bucket-level).json

/Service-specific-controls/S3-Prevent-long-term-presigned-url.json:
https://raw.githubusercontent.com/aws-samples/resource-control-policy-examples/HEAD/Service-specific-controls/S3-Prevent-long-term-presigned-url.json
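Every policy file in this repository is a Resource Control Policy (RCP), and RCPs have a stricter grammar than IAM or SCP documents: customer-managed RCPs may only contain Deny statements, the Principal element must be the wildcard "*", and NotPrincipal is not accepted. The script below is an added example for checking those constraints over a directory of policy JSON before attaching anything; it is not code from the aws-samples repository. The set of permitted statement elements is an assumption drawn from the published RCP syntax, and the two embedded sample policies are constructed for this example (the passing one is modelled on the description of Restrict-access-to-only-HTTPS-connections-to-your-resources.json, not copied from that file).

```python
"""Structural pre-flight check for AWS Resource Control Policy (RCP) JSON.

Added illustration, not part of aws-samples/resource-control-policy-examples.
"""
import json
import sys
from pathlib import Path

# Assumption: statement elements the RCP syntax accepts. NotPrincipal is
# deliberately absent because RCPs do not support it.
ALLOWED_STATEMENT_KEYS = {
    "Sid", "Effect", "Principal", "Action", "NotAction",
    "Resource", "NotResource", "Condition",
}


def validate_rcp(doc: dict) -> list[str]:
    """Return a list of problems found in one policy document.

    An empty list means the document satisfies the structural rules checked
    here. This does not evaluate what the policy will actually deny.
    """
    problems: list[str] = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    statements = doc.get("Statement")
    if isinstance(statements, dict):          # a single statement object is legal
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        if not isinstance(st, dict):
            problems.append(f"{where}: not an object")
            continue
        extra = set(st) - ALLOWED_STATEMENT_KEYS
        if extra:
            problems.append(f"{where}: unsupported element(s) {sorted(extra)}")
        # Customer RCPs are deny-only; the sole Allow lives in the AWS-managed
        # RCPFullAWSAccess policy, which you never author yourself.
        if st.get("Effect") != "Deny":
            problems.append(f"{where}: Effect must be Deny")
        # An RCP restricts access for every principal, so Principal is always "*".
        if st.get("Principal") != "*":
            problems.append(f'{where}: Principal must be "*"')
        if "Action" not in st and "NotAction" not in st:
            problems.append(f"{where}: Action or NotAction is required")
        if "Resource" not in st and "NotResource" not in st:
            problems.append(f"{where}: Resource or NotResource is required")
    return problems


def validate_rcp_files(directory) -> dict[str, list[str]]:
    """Run validate_rcp over every *.json file in a directory (e.g. a cloned
    Service-specific-controls folder). Unparseable files are reported, not skipped."""
    results: dict[str, list[str]] = {}
    for path in sorted(Path(directory).glob("*.json")):
        try:
            doc = json.loads(path.read_text(encoding="utf-8"))
        except json.JSONDecodeError as exc:
            results[path.name] = [f"invalid JSON: {exc}"]
            continue
        results[path.name] = validate_rcp(doc)
    return results


# Constructed sample: an HTTPS-only guardrail in the shape an RCP requires.
GOOD_HTTPS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnforceSecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["s3:*", "sqs:*", "kms:*", "secretsmanager:*"],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:SecureTransport": "false"}},
    }],
}

# Constructed sample: a valid-looking IAM-style statement that is NOT an RCP.
BAD_NOT_AN_RCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "NotPrincipal": {"AWS": "arn:aws:iam::111122223333:role/Admin"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, probs in validate_rcp_files(sys.argv[1]).items():
            print(f"{name}: {'OK' if not probs else '; '.join(probs)}")
    else:
        print("good sample:", validate_rcp(GOOD_HTTPS_ONLY))
        print("bad sample: ", validate_rcp(BAD_NOT_AN_RCP))
```

Run it as `python rcp_check.py Service-specific-controls` after cloning the repository to get one OK/problem line per file. A file that passes can be created with `aws organizations create-policy --type RESOURCE_CONTROL_POLICY --content file://<name>.json`; the check is purely structural, so still attach a new RCP to a test OU and exercise the affected services before rolling it out to the root.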