aws-samples
diff --git a/‎service_control_policies/README.md‎
Lines changed: 1 addition & 1 deletion b/‎service_control_policies/README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎service_control_policies/data_perimeter_governance_scp.json‎
Lines changed: 1 addition & 0 deletions b/‎service_control_policies/data_perimeter_governance_scp.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎service_control_policies/service_specific_controls/README.md‎
Lines changed: 12 additions & 4 deletions b/‎service_control_policies/service_specific_controls/README.md‎
Lines changed: 12 additions & 4 deletions
diff --git a/‎service_control_policies/service_specific_controls/restrict_nonvpc_deployment_scp.json‎
Lines changed: 13 additions & 0 deletions b/‎service_control_policies/service_specific_controls/restrict_nonvpc_deployment_scp.json‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎service_control_policies/service_specific_controls/restrict_presignedURL_scp.json‎
Lines changed: 3 additions & 1 deletion b/‎service_control_policies/service_specific_controls/restrict_presignedURL_scp.json‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎service_control_policies/service_specific_controls/restrict_resource_policy_configurations_scp.json‎
Lines changed: 1 addition & 0 deletions b/‎service_control_policies/service_specific_controls/restrict_resource_policy_configurations_scp.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎service_control_policies/service_specific_controls/restrict_untrusted_endpoints_scp.json‎
Lines changed: 33 additions & 1 deletion b/‎service_control_policies/service_specific_controls/restrict_untrusted_endpoints_scp.json‎
Lines changed: 33 additions & 1 deletion
diff --git a/‎service_specific_guidance/backup-specific-guidance.md‎
Lines changed: 112 additions & 0 deletions b/‎service_specific_guidance/backup-specific-guidance.md‎
Lines changed: 112 additions & 0 deletions
diff --git a/‎service_specific_guidance/cloudfront-keyvaluestore-specific-guidance.md‎
Lines changed: 45 additions & 0 deletions b/‎service_specific_guidance/cloudfront-keyvaluestore-specific-guidance.md‎
Lines changed: 45 additions & 0 deletions
@@ -160,7 +160,7 @@ Example data access patterns:
 * [Amazon DocumentDB cluster snapshots](https://docs.aws.amazon.com/documentdb/latest/developerguide/backup_restore-share_cluster_snapshots.html ): You can share an Amazon Document DB manual cluster snapshot with other accounts or make them public with the `ModifyDBClusterSnapshotAttribute` API. 
 * [Amazon WorkSpaces image](https://docs.aws.amazon.com/workspaces/latest/adminguide/share-custom-image.html): You can share custom WorkSpaces images with other accounts with the `UpdateWorkspaceImagePermission` API.
 * [Amazon CloudWatch sink](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html): You can share observability data with other accounts with the `CreateLink` API.
-* [AWS Service Catalog portfolio](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing.html): AWS Service Catalog portfolios can be shared with other AWS accounts with the `CreatePortfolioShare` API.
+* [AWS Service Catalog portfolio](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing.html): AWS Service Catalog portfolios can be shared with other AWS accounts with the `CreatePortfolioShare` and `UpdatePortfolioShare` APIs.
 * [AWS Config aggregator](https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html): The `PutConfigurationAggregator` API allows you to select another account to add to your AWS Config aggregator. Additionally, the `PutAggregationAuthorization` API allows you to authorize another account to collect data from your account.
 * [AWS Fault Injection experiment template](https://docs.aws.amazon.com/fis/latest/userguide/multi-account.html): You create a multi-account experiment template by specifying other accounts with the `CreateTargetAccountConfiguration` API. 
 * [AWS Global Accelerator attachment](https://docs.aws.amazon.com/global-accelerator/latest/dg/cross-account-resources.create-attachment.html): You can add a resource from another account as an endpoint for an accelerator with the `CreateCrossAccountAttachment` API.
 
@@ -49,6 +49,7 @@
             "workspaces:UpdateWorkspaceImagePermission",
             "oam:CreateLink",
             "servicecatalog:CreatePortfolioShare",
+            "servicecatalog:UpdatePortfolioShare",
             "config:PutConfigurationAggregator",
             "config:PutAggregationAuthorization",
             "fis:CreateTargetAccountConfiguration",
 
@@ -92,11 +92,11 @@ Additional considerations:
 
 This statement is included in the [restrict_idp_configurations_scp](restrict_idp_configurations_scp.json) and prevents users from making configuration changes to the IAM SAML [identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html), IAM OIDC [identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html), and [AWS IAM Roles Anywhere](https://aws.amazon.com/iam/roles-anywhere/) [trust anchors](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/getting-started.html). It also prevents creation of an [account instance of IAM Identity Center]( https://docs.aws.amazon.com/singlesignon/latest/userguide/account-instances-identity-center.html).  
 
-###  "Sid":"PreventDeploymentCodeStarConnections"
+###  "Sid":"PreventDeploymentCodeStarConnections", "Sid": "PreventDeploymentSSMAutomationRunbook"
 
-This statement is included in the [restrict_nonvpc_deployment_scp](restrict_nonvpc_deployment_scp.json) and limits the use of [AWS CodeStar Connections](https://docs.aws.amazon.com/codestar-connections/latest/APIReference/Welcome.html).
+These statements are included in the [restrict_nonvpc_deployment_scp](restrict_nonvpc_deployment_scp.json) and limit the use of [AWS CodeStar Connections](https://docs.aws.amazon.com/codestar-connections/latest/APIReference/Welcome.html) and [AWS Systems Manager Automation](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html).
 
-AWS services such as AWS CodeStar Connections do not support deployment within a VPC and provide direct access to the internet that is not controlled by your VPC. You can block the use of such services by using SCPs or implementing your own proxy solution to inspect egress traffic.
+AWS services such as AWS Systems Manager Automation do not support deployment within a VPC and provide direct access to the internet that is not controlled by your VPC. You can block the use of such services by using SCPs or implementing your own proxy solution to inspect egress traffic.
 
 ### "Sid":"PreventNonVPCDeploymentSageMaker", "Sid":"PreventNonVPCDeploymentGlueJob", "Sid":"PreventNonVPCDeploymentCloudShell", "Sid":"PreventNonVPCDeploymentLambda", "Sid":"PreventNonVPCDeploymentAppRunner", and "Sid":"PreventNonVPCDeploymentCodeBuild"
 
@@ -120,10 +120,18 @@ For more details, see [Connect a Notebook Instance in a VPC to External Resource
 
 This statement is included in the [restrict_untrusted_endpoints_scp](restrict_untrusted_endpoints_scp.json) and prevents users from subscribing email addresses that belong to domains other than the one denoted by `<trusted_email_domain>` to an SNS topic. See [Amazon SNS policy keys](https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html#sns-policy-keys) for more details.
 
+### "Sid": "PreventEventBridgeAPIDestinations"
+
+This statement is included in the [restrict_untrusted_endpoints_scp](restrict_untrusted_endpoints_scp.json) and prevents users from using API destinations as the target for an event bus rule. See [Using IAM policy conditions in Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-use-conditions.html#limiting-access-to-targets) for more details.
+
+### "Sid": "PreventUntrustedStepFunctionsHTTPSAPI"
+
+This statement is included in the [restrict_untrusted_endpoints_scp](restrict_untrusted_endpoints_scp.json) and prevents Step Functions from invoking HTTPS APIs that don't belong to your organization. See [IAM permissions to run an HTTP Task](https://docs.aws.amazon.com/step-functions/latest/dg/call-https-apis.html#connect-http-task-permissions) for more details.
+
 ### "Sid": "PreventCreationOfServicePresignedURL"
 
 This statement is included in the [restrict_presignedURL_scp](restrict_presignedURL_scp.json) and prevents users from making API requests that return Amazon S3 presigned URLs that are presigned by a service principal.
 
 ### "Sid": "PreventResourcePolicyConfigurations"
 
-This statement is included in the [restrict_resource_policy_configurations_scp](restrict_resource_policy_configurations_scp.json) and prevents users from configuring resource-based policies for select services.
+This statement is included in the [restrict_resource_policy_configurations_scp](restrict_resource_policy_configurations_scp.json) and prevents users from configuring resource-based policies for services that are not yet supported by RCPs. See the AWS Organizations User Guide for the [List of AWS services that support RCPs](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html#rcp-supported-services).
@@ -1,6 +1,19 @@
 {
    "Version": "2012-10-17",
    "Statement": [
+      {
+         "Sid": "PreventDeploymentSSMAutomationRunbook",
+         "Effect": "Deny",
+         "Action": [
+            "ssm:StartAutomationExecution"
+         ],
+         "Resource": "*",
+         "Condition": {
+            "StringNotEqualsIfExists": {
+               "aws:PrincipalTag/dp:exclude": "true"
+            }
+         }
+      },
       {
          "Sid": "PreventDeploymentCodeStarConnections",
          "Effect": "Deny",
 
@@ -5,7 +5,9 @@
       "Sid": "PreventCreationOfServicePresignedURL",
       "Effect": "Deny",
       "Action": [
-        "lambda:GetFunction"
+        "ecr:GetDownloadUrlForLayer",
+        "lambda:GetFunction",
+        "ssm:GetDeployablePatchSnapshotForInstance"
       ],
       "Resource": "*",
       "Condition": {
 
@@ -9,6 +9,7 @@
         "codeartifact:PutDomainPermissionsPolicy",
         "codebuild:PutResourcePolicy",
         "dynamodb:PutResourcePolicy",
+        "events:PutPermission",
         "glacier:SetVaultAccessPolicy",
         "lambda:AddLayerVersionPermission",
         "lambda:AddPermission",
 
@@ -19,6 +19,38 @@
           "aws:PrincipalTag/dp:exclude:resource": "true"
         }
       }
+    },
+    {
+      "Sid": "PreventEventBridgeAPIDestinations",
+      "Effect": "Deny",
+      "Action": [
+        "events:PutTargets"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "ForAnyValue:ArnLike": {
+          "events:TargetArn": "arn:aws:events:*:*:api-destination/*"
+        },
+        "StringNotEqualsIfExists": {
+          "aws:PrincipalTag/dp:exclude:resource": "true"
+        }
+      }
+    },
+    {
+      "Sid": "PreventUntrustedStepFunctionsHTTPSAPI",
+      "Effect": "Deny",
+      "Action": [
+        "states:InvokeHTTPEndpoint"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringNotLike": {
+          "states:HTTPEndpoint": "<trusted_https_endpoint>"
+        },
+        "StringNotEqualsIfExists": {
+          "aws:PrincipalTag/dp:exclude:resource": "true"
+        }
+      }
     }
   ]
-}
+}
@@ -0,0 +1,112 @@
+# Service-specific guidance: AWS Backup
+
+
+This document outlines service-specific guidance for implementing a data perimeter for AWS Backup. 
+
+
+AWS Backup is a fully managed backup service that simplifies and centralizes the backup of data across AWS services, including Amazon EBS volumes, Amazon RDS databases, Amazon DynamoDB tables, Amazon EFS file systems, and more. It provides a unified way to create, manage, and automate backup policies, ensuring data protection and compliance with regulatory requirements.
+
+
+The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.
+
+| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
+|----------------|-------------------|------------|-------------|------------------------|
+| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
+| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | N |
+| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
+| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
+| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
+| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |
+
+*Y – Additional considerations apply. N – No additional considerations apply.
+ 
+
+**List of service APIs reviewed against data perimeter control objectives**
+* CancelLegalHold
+* CreateBackupPlan
+* CreateBackupSelection
+* CreateBackupVault
+* CreateFramework
+* CreateLegalHold
+* CreateLogicallyAirGappedBackupVault
+* CreateReportPlan
+* CreateRestoreTestingPlan
+* CreateRestoreTestingSelection
+* DeleteBackupPlan
+* DeleteBackupSelection
+* DeleteBackupVault
+* DeleteBackupVaultAccessPolicy
+* DeleteBackupVaultLockConfiguration
+* DeleteBackupVaultNotifications
+* DeleteFramework
+* DeleteRecoveryPoint
+* DeleteReportPlan
+* DeleteRestoreTestingPlan
+* DeleteRestoreTestingSelection
+* DescribeBackupJob
+* DescribeBackupVault
+* DescribeCopyJob
+* DescribeFramework
+* DescribeGlobalSettings
+* DescribeProtectedResource
+* DescribeRecoveryPoint
+* DescribeRegionSettings
+* DescribeReportJob
+* DescribeReportPlan
+* DescribeRestoreJob
+* ExportBackupPlanTemplate
+* GetBackupPlan
+* GetBackupPlanFromJSON
+* GetBackupPlanFromTemplate
+* GetBackupSelection
+* GetBackupVaultAccessPolicy
+* GetBackupVaultNotifications
+* GetLegalHold
+* GetRecoveryPointRestoreMetadata
+* GetRestoreJobMetadata
+* GetRestoreTestingInferredMetadata
+* GetRestoreTestingPlan
+* GetRestoreTestingSelection
+* GetSupportedResourceTypes
+* ListBackupJobs
+* ListBackupJobSummaries
+* ListBackupPlans
+* ListBackupPlanTemplates
+* ListBackupPlanVersions
+* ListBackupSelections
+* ListBackupVaults
+* ListCopyJobs
+* ListCopyJobSummaries
+* ListFrameworks
+* ListLegalHolds
+* ListProtectedResources
+* ListProtectedResourcesByBackupVault
+* ListRecoveryPointsByBackupVault
+* ListRecoveryPointsByLegalHold
+* ListRecoveryPointsByResource
+* ListReportJobs
+* ListReportPlans
+* ListRestoreJobs
+* ListRestoreJobsByProtectedResource
+* ListRestoreJobSummaries
+* ListRestoreTestingPlans
+* ListRestoreTestingSelections
+* ListTags
+* PutBackupVaultAccessPolicy
+* PutBackupVaultLockConfiguration
+* PutBackupVaultNotifications
+* PutRestoreValidationResult
+* StartBackupJob
+* StartCopyJob
+* StartReportJob
+* StartRestoreJob
+* TagResource
+* UntagResource
+* UpdateBackupPlan
+* UpdateFramework
+* UpdateGlobalSettings
+* UpdateRecoveryPointLifecycle
+* UpdateRegionSettings
+* UpdateReportPlan
+* UpdateRestoreTestingPlan
+* UpdateRestoreTestingSelection
@@ -0,0 +1,45 @@
+
+# Data perimeter accelerator
+
+
+This document outlines service-specific guidance for implementing a data perimeter for Amazon CloudFront KeyValue Store.
+ 
+Amazon CloudFront KeyValue Store is a feature of Amazon CloudFront that allows you to store and retrieve small amounts of data with low latency at CloudFront edge locations. It enables you to enhance your web applications by storing and accessing frequently used data closer to your users, improving performance and reducing the load on your origin servers.
+
+
+The following table specifies whether additional considerations apply to a specific data perimeter control objective, followed by the list of considerations and recommended controls, if any.
+
+| Perimeter type | Security objective | Applied on | Policy type | Additional considerations |
+|----------------|-------------------|------------|-------------|------------------------|
+| Identity perimeter | Only trusted identities can access my resources | Resource | RCP | N |
+| Identity perimeter | Only trusted identities are allowed from my network | Network | VPC endpoint policy | Y |
+| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
+| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | Y |
+| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
+| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |
+
+*Y – Additional considerations apply. N – No additional considerations apply.
+ 
+
+**Additional consideration 1:**
+
+Perimeter type applicability: identity and resource perimeter applied on network.
+
+The service does not currently support VPC endpoint policies.
+
+If you want to restrict access to your networks to trusted identities and trusted resources, consider implementing these additional controls:
+
+* **Preventative control example 1**: Consider implementing `aws:ResourceOrgID` in an SCP to restrict service API calls so that your identities can only access trusted resources. See [resource_perimeter_scp.json](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/service_control_policies/resource_perimeter_scp.json) for an example policy.
+* **Preventative control example 2**: Consider using your existing security appliances such as outbound proxies to inspect service API calls in your environment for the identities making the calls and resources being accessed, and restrict the calls accordingly. This type of solution might have implications for security, scalability, latency, and reliability that you should evaluate carefully.
+
+
+**List of service APIs reviewed against data perimeter control objectives**
+
+* DeleteKey
+* DescribeKeyValueStore
+* GetKey
+* ListKeys
+* PutKey
+* UpdateKeys
+            
+