├── LICENSE
└── README.md

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2024 Infralicious

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Awesome AWS Control Policies and Guard Rails

Awesome AWS service control policies (SCPs), resource control policies (RCPs), and organizational policies in general (service control, resource control, declarative, AI services opt-out, backup, tagging, budgets, etc.)

Inspired by many other awesome lists!

## terraform modules

### service control policies

- [ScaleSec/terraform_aws_scp](https://github.com/ScaleSec/terraform_aws_scp)
- [trussworks/terraform-aws-ou-scp](https://github.com/trussworks/terraform-aws-ou-scp)
- [cloudposse/terraform-aws-service-control-policies](https://github.com/cloudposse/terraform-aws-service-control-policies)
- [Appsilon/terraform-aws-ou-scp](https://github.com/Appsilon/terraform-aws-ou-scp)
- [timurgaleev/terraform-aws-organization-scp](https://github.com/timurgaleev/terraform-aws-organization-scp)
- [welldone-cloud/aws-scps-for-sandbox-and-training-accounts](https://github.com/welldone-cloud/aws-scps-for-sandbox-and-training-accounts/)
- [latacora/latacora-service-control-policies](https://github.com/latacora/latacora-service-control-policies/tree/master/policy-groups)

### IAM helpers

- [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/5.63.1/docs/data-sources/iam_policy_document#minified_json) - Useful Terraform data source to build a policy and minify it using the attribute `minified_json`. For example `data.aws_iam_policy_document.default.minified_json`.
- [phzietsman/terraform-aws-policy-packer](https://github.com/phzietsman/terraform-aws-policy-packer) - reduces the size of an IAM policy

## policy stores

- https://www.cloudguardrails.com
- [primeharbor/aws-service-control-policies](https://github.com/primeharbor/aws-service-control-policies)
- https://asecure.cloud/l/scp/
- https://github.com/aws-samples/resource-control-policy-examples
- https://github.com/aws-samples/service-control-policy-examples

## reference architecture

- [aws-samples/aws-scps-with-terraform](https://github.com/aws-samples/aws-scps-with-terraform)

## blogs

- [AWS security blog tag: service control policies](https://aws.amazon.com/blogs/security/tag/service-control-policies/)
- [Dec 1 2024 - Simplify governance with declarative policies](https://aws.amazon.com/blogs/aws/simplify-governance-with-declarative-policies/)
- [Nov 13 2024 - Introducing resource control policies (RCPs), a new type of authorization policy in AWS Organizations](https://aws.amazon.com/blogs/aws/introducing-resource-control-policies-rcps-a-new-authorization-policy/)
- [Oct 9 2023 - What is AWS SCP (Service Control Policy) and How does it Help with Permissions?](https://www.stormit.cloud/blog/aws-scp-service-control-policy)
- [Jul 29 2023 - What are AWS Service Control Policies (SCPs)](https://towardsthecloud.com/aws-scp-service-control-policies)
- [Jun 17 2022 - More about AWS Service Control Policies (SCP)](https://medium.com/gft-engineering/more-about-aws-service-control-policies-scp-1588ff9bc814)
- [Mar 25 2020 - AWS SCP Best Practices](https://summitroute.com/blog/2020/03/25/aws_scp_best_practices/#creating-scps-without-breaking-things)

## Limits

- Policies do not affect users or roles in the management (root) account. They affect only the member accounts in your organization.
- At most 5 policies can be attached to a single root, OU, or account. [^1]
- A policy document is limited to `5120` characters. [^1]
- Policies do not affect service-linked roles.
- Member accounts cannot query which policies are applied to them. [^2]
- Denied actions show that they were blocked by a service control policy, but neither the error message nor CloudTrail shows which policy. [^2]
- There is no audit or evaluation mode for SCPs and other policies. [^2]

## related projects

- https://ramimac.github.io/wiki/scps/
- https://summitroute.com/blog/2020/03/25/aws_scp_best_practices/#aws-wishlist

## references

- [List of expensive actions](https://gist.github.com/iann0036/b473bbb3097c5f4c656ed3d07b4d2222)
- [ACM SCPs](https://docs.aws.amazon.com/acm/latest/userguide/acm-conditions.html)
- [AWS Service Control Policy Examples](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html)
- [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html)
- [Terraform and OpenTofu registry search for scp](https://library.tf/modules?query=scp)

[^1]: [Quotas and service limits for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html#min-max-values)
[^2]: [SummitRoute's SCP Best Practices AWS Wishlist](https://summitroute.com/blog/2020/03/25/aws_scp_best_practices/#aws-wishlist)
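Because there is no evaluation mode, the two quotas in the Limits section (5120 characters per policy, 5 policies per target) are worth checking before a deploy. The following is an added example, not code from this list or any of the linked projects; it minifies a policy the way the `minified_json` helper above does, and reports policies and targets that would exceed the quotas. The sample SCP and the attachment map are constructed for illustration.

```python
"""Pre-deployment quota checks for AWS Organizations policies (added example)."""
import json

MAX_POLICY_CHARS = 5120          # per-policy document size quota from the Limits section
MAX_ATTACHMENTS_PER_TARGET = 5   # policies per root / OU / account, from the Limits section


def minify(policy: dict) -> str:
    """Serialize with no whitespace between tokens, like Terraform's minified_json.
    All characters in a policy count against the quota, so this is the size that matters."""
    return json.dumps(policy, separators=(",", ":"))


def check_size(policy: dict) -> dict:
    """Compare the pretty-printed and minified sizes of one policy against the quota."""
    pretty_len = len(json.dumps(policy, indent=2))
    minified_len = len(minify(policy))
    return {
        "pretty_chars": pretty_len,
        "minified_chars": minified_len,
        "fits": minified_len <= MAX_POLICY_CHARS,
        "headroom": MAX_POLICY_CHARS - minified_len,   # negative when over quota
    }


def check_attachments(attachments: dict) -> dict:
    """attachments maps a target id (root/OU/account) to the policy ids attached to it.
    Returns only the targets that exceed the per-target attachment quota."""
    return {
        target: policies
        for target, policies in attachments.items()
        if len(policies) > MAX_ATTACHMENTS_PER_TARGET
    }


# Constructed sample SCP: two deny statements typical of a guard-rail policy.
SAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyLeaveOrg", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
        {"Sid": "DenyCloudTrailTamper", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(check_size(SAMPLE_SCP))
    # Constructed attachment map; target ids are placeholders, not real AWS ids.
    print(check_attachments({"ou-placeholder": ["p1", "p2", "p3", "p4", "p5", "p6"],
                             "acct-placeholder": ["p1"]}))
```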