
Commit d6e8a43

committed
service specific controls
1 parent 74197f0 commit d6e8a43

26 files changed

+378
-34
lines changed

Cost-optimization/README.md

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
## Cost optimization controls
2+
3+
These policies provide guidance on how to accomplish cost optimization objectives for specific AWS services.
4+
5+
6+
| Included policy | Rationale |
7+
|------|-------------|
8+
|[Require Amazon EC2 instances to use specific instance type](../Service-specific-controls/Amazon-EC2/Require-Amazon-EC2-instances-to-use-a-specific-type.json)|Restrict users and roles from launching EC2 instances unless they use only approved instance types.|
9+
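Review bot: the policy link on line 8 points outside this directory (../Service-specific-controls/Amazon-EC2/Require-Amazon-EC2-instances-to-use-a-specific-type.json), whereas every other README touched in this commit links to a JSON file in its own folder; confirm that the path resolves in the repository and, if the file is meant to live under Service-specific-controls, say so in the intro sentence on line 3 so readers do not look for it under Cost-optimization. The link text ("a specific instance type") and the rationale ("only approved instance types") also disagree on singular versus plural; pick one so the reader knows whether the policy takes a single type or a list.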

Deny-changes-to-security-services/Deny-Permission-sets-for-Identity-Center.json renamed to Deny-changes-to-security-services/Deny-permission-sets-for-AWS-IAM-Identity-Center.json

File renamed without changes.
Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,47 @@
1+
{
2+
"Version": "2012-10-17",
3+
"Statement": [
4+
{
5+
"Effect": "Deny",
6+
"Action": [
7+
"guardduty:AcceptInvitation",
8+
"guardduty:ArchiveFindings",
9+
"guardduty:CreateDetector",
10+
"guardduty:CreateFilter",
11+
"guardduty:CreateIPSet",
12+
"guardduty:CreateMembers",
13+
"guardduty:CreatePublishingDestination",
14+
"guardduty:CreateSampleFindings",
15+
"guardduty:CreateThreatIntelSet",
16+
"guardduty:DeclineInvitations",
17+
"guardduty:DeleteDetector",
18+
"guardduty:DeleteFilter",
19+
"guardduty:DeleteInvitations",
20+
"guardduty:DeleteIPSet",
21+
"guardduty:DeleteMembers",
22+
"guardduty:DeletePublishingDestination",
23+
"guardduty:DeleteThreatIntelSet",
24+
"guardduty:DisassociateFromMasterAccount",
25+
"guardduty:DisassociateMembers",
26+
"guardduty:InviteMembers",
27+
"guardduty:StartMonitoringMembers",
28+
"guardduty:StopMonitoringMembers",
29+
"guardduty:TagResource",
30+
"guardduty:UnarchiveFindings",
31+
"guardduty:UntagResource",
32+
"guardduty:UpdateDetector",
33+
"guardduty:UpdateFilter",
34+
"guardduty:UpdateFindingsFeedback",
35+
"guardduty:UpdateIPSet",
36+
"guardduty:UpdatePublishingDestination",
37+
"guardduty:UpdateThreatIntelSet"
38+
],
39+
"Resource": "*",
40+
"Condition": {
41+
"ArnNotLike": {
42+
"aws:PrincipalARN": "arn:aws:iam::${Account}:role/[PRIVILEGED_ROLE]"
43+
}
44+
}
45+
}
46+
]
47+
}
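Review bot: the Action list denies only the legacy `guardduty:DisassociateFromMasterAccount` (line 24); its current equivalent, `guardduty:DisassociateFromAdministratorAccount`, is not listed, so the newer API remains a way for a member account to detach from the delegated administrator. `guardduty:UpdateOrganizationConfiguration` and `guardduty:DisableOrganizationAdminAccount` are likewise absent and belong in the same deny set. Separately, the principal ARN on line 42 mixes two placeholder styles, `${Account}` and `[PRIVILEGED_ROLE]`; `${Account}` is not an IAM policy variable, so the file cannot be attached verbatim, and the README row that links to it should tell the reader to substitute both values before use.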

Deny-changes-to-security-services/README.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -3,16 +3,16 @@
33
AWS offers security services that help you monitor access, security posture, and activity within your organization. Enforce guardrails to restrict member accounts from disabling these tools that are used to govern and comply, in operational auditing, and risk auditing of your AWS accounts.
44

55

6-
| Included Policy | Rationale |
6+
| Included policy | Rationale |
77
|------|-------------|
88
|[Deny users from disabling Amazon CloudWatch or altering its configuration](Deny-users-from-disabling-or-altering-CloudWatch.json)| Restrict delete or configuration change to your critical dashboards or alarms to a privileged role.|
99
| [Deny enabling and disabling AWS Config](Deny-enabling-and-disabling-AWS-Config.json) |Restrict enabling/disabling AWS Config to a privileged role. If you use AWS Control Tower, refer to [Disallow Changes to AWS Config Rules Set Up by AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-controls.html#config-rule-disallow-changes) applied by default.|
10-
|[Deny users from disabling Amazon GuardDuty or modifying its configuration](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_guardduty.html#example_guardduty_1) | Deny users or roles in any affected account from disabling GuardDuty or altering its configuration, either directly as a command or through the console. Effectively enable read-only access to the GuardDuty information and resources.|
10+
|[Deny users from disabling Amazon GuardDuty or modifying its configuration](Deny-users-from-disabling-Amazon-GuardDuty-or-modifying-its-configuration.json) | Restrict disabling GuardDuty or altering its configuration, either directly as a command or through the console to a privileged role.|
1111
|[Deny deletion of AWS Access Analyzer and findings in an account](Deny-deletion-of-AWS-Access-Analyzer-and-findings-in-an-account.json)| Deny deletion of IAM Access Analyzer and the findings generated that can help you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity.|
1212
|[Deny modifications to specific AWS CloudTrail trails](Deny-modifications-to-specific-CloudTrail-trails.json) | Restrict CloudTrail actions to specific CloudTrails that are required by the security or compliance teams. Note that there are alternatives to enable this control outside of SCP. For Example, you can create an Organization trail, that will log all events for all AWS accounts in that organization. Users in member accounts will not have sufficient permissions to delete the organization trail, turn logging on or off, change what types of events are logged, or otherwise alter the organization trail in any way.|
1313
|[Protect disabling/deleting Amazon Macie](Protect-disabling-or-deleting-Amazon-Macie.json)| Restrict disabling/deleting member accounts or disassociating an account from a master Macie account action to a privileged role.|
1414
|[Deny deletion or disassociation of members and invitations from AWS SecurityHub](Deny-deletion-or-disassociation-or-updation-to-AWS-SecurityHub.json)| Restrict disabling and updating SecurityHub, deleting member accounts or disassociating an account from a master SecurityHub account to a privileged role.|
15-
|[Use Identity Center for AWS Managed Applications or Trusted Identity Propagation Only](Deny-Permission-sets-for-Identity-Center.json)| Does not allow the creation or modification of permission sets for an Identity Center delegated admin account, helping ensure Identity Center is only used for Applications and Trusted Identity Propagation|
15+
|[Use AWS IAM Identity Center for AWS Managed Applications or Trusted Identity Propagation Only](Deny-permission-sets-for-AWS-IAM-Identity-Center.json)| Does not allow the creation or modification of permission sets for an Identity Center delegated admin account, helping ensure Identity Center is only used for Applications and Trusted Identity Propagation|
1616

1717

1818

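Review bot: the GuardDuty rationale on line 10 reads "Restrict disabling GuardDuty or altering its configuration, either directly as a command or through the console to a privileged role", which parses as restricting the console to a privileged role; suggest "Restrict disabling GuardDuty or altering its configuration, whether through the API/CLI or the console, to a privileged role." The row also dropped the earlier sentence that the policy effectively leaves read-only access in place; keeping one clause to that effect is useful, since the local JSON it now links to denies only write actions and still allows list and get calls.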
Privileged-access-controls/Deny-Amazon-Virtual-Private-Network(VPN)-connection-creation-modification-deletion.json renamed to Privileged-access-controls/Deny-Amazon-Virtual-Private-Network-connection-creation-modification-deletion.json

File renamed without changes.
Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
{
2+
"Version": "2012-10-17",
3+
"Statement": [
4+
{
5+
"Effect": "Deny",
6+
"Action": [
7+
"organizations:LeaveOrganization"
8+
],
9+
"Resource": "*"
10+
}
11+
]
12+
}
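Review bot: no privileged-role `ArnNotLike` exception here, unlike the other new policies in this commit; that omission is correct, because SCPs never apply to the management account and removing members is a management-account task, but a short `"Sid"` (for example `"DenyLeaveOrganization"`) would make the statement identifiable when this file is later merged with other statements to stay under the SCP size limit.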
Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
{
2+
"Version":"2012-10-17",
3+
"Statement":[
4+
{
5+
"Effect":"Deny",
6+
"Action":[
7+
"ec2:AttachInternetGateway",
8+
"ec2:CreateInternetGateway",
9+
"ec2:CreateEgressOnlyInternetGateway",
10+
"ec2:CreateVpcPeeringConnection",
11+
"ec2:AcceptVpcPeeringConnection",
12+
"globalaccelerator:CreateAccelerator",
13+
"globalaccelerator:CreateCrossAccountAttachment",
14+
"globalaccelerator:CreateCustomRoutingAccelerator",
15+
"globalaccelerator:CreateCustomRoutingEndpointGroup",
16+
"globalaccelerator:CreateCustomRoutingListener",
17+
"globalaccelerator:CreateEndpointGroup",
18+
"globalaccelerator:CreateListener",
19+
"globalaccelerator:UpdateAccelerator",
20+
"globalaccelerator:UpdateAcceleratorAttributes",
21+
"globalaccelerator:UpdateCrossAccountAttachment",
22+
"globalaccelerator:UpdateCustomRoutingAccelerator",
23+
"globalaccelerator:UpdateCustomRoutingAcceleratorAttributes",
24+
"globalaccelerator:UpdateCustomRoutingListener",
25+
"globalaccelerator:UpdateEndpointGroup",
26+
"globalaccelerator:UpdateListener"
27+
],
28+
"Resource":"*",
29+
"Condition":{
30+
"ArnNotLike":{
31+
"aws:PrincipalARN":"arn:aws:iam::${Account}:role/[PRIVILEGED_ROLE]"
32+
}
33+
}
34+
}
35+
]
36+
}
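Review bot: the `globalaccelerator` actions on lines 12 to 26 are enumerated one by one, so any Create or Update action the service adds later is silently allowed; in a Deny statement the wildcards `globalaccelerator:Create*` and `globalaccelerator:Update*` are both safer and shorter, and the same reasoning does not apply to the `ec2` actions on lines 7 to 11, which are deliberately narrow. The file is also formatted differently from the other JSON files in this commit (no space after `:` and `,`), which makes side-by-side diffs noisier; run it through the same formatter as the rest.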

Privileged-access-controls/README.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -2,14 +2,14 @@
22

33
Enforce controls to make sure that your roles and applications are given only privileges which are essential to perform their intended function.
44

5-
| Included Policy | Rationale |
5+
| Included policy | Rationale |
66
|------|-------------|
77
|[Prevent root credentials management in member accounts in AWS Organizations.](Prevent-root-credentials-management-in-member-accounts-in-AWS-Organizations.json) | Centrally manage root access for member accounts in [AWS Organizations](https://aws.amazon.com/organizations/). Only allow management account sessions to be able to perform actions on root credentials. Note: An SCP restricts permissions for IAM users and roles in member accounts, including the member account's root user. SCPs have no effect on users or roles in the management account.|
88
|[Deny the root user from performing actions other than modification to S3 bucket policy](Deny-the-root-user-from-performing-actions-except-S3-bucketpolicy-changes.json)| Consider configuring an administrative user in [AWS IAM Identity Center (successor to AWS Single Sign-On)](https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html) to perform daily tasks. Restrict use of root user with exceptions for S3 bucket policy changes, if you are frequently locked out of S3 buckets. Refer to [Tasks that require root user credentials](https://docs.aws.amazon.com/accounts/latest/reference/root-user-tasks.html)|
99
|[Deny modifications to specific IAM roles](Deny-modifications-to-specific-IAM-roles.json)|Restrict IAM principals in accounts from making changes to specific IAM roles created in an AWS account. This could be a common administrative IAM role created in all accounts in your organization.|
1010
|[Deny critical IAM user actions](Deny-critical-IAM-user-actions.json)| Restrict creation and modification of IAM user profiles, IAM user access keys, service specific credentials such as Amazon Bedrock API keys and account password policy to a privileged role, or principal with the `IAMUserManagementException` Principal tag set to a value of `true`.|
11-
|[Deny member accounts from leaving your AWS organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-leave-org)|Restrict users or roles in any affected account from leaving AWS Organizations.|
11+
|[Deny member accounts from leaving your AWS organization](Deny-member-accounts-from-leaving-your-AWS-organization.json)|Restrict users or roles in any affected account from leaving AWS Organizations.|
1212
|[Deny billing modification action](Deny-billing-modification-action.json)|Restrict IAM principals in accounts from making changes to the payment method and tax preferences, changing contact information.|
13-
|[Prevent any VPC that doesn't already have internet access from getting it](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_vpc.html#example_vpc_2)|Deny users or roles in any affected account from changing the configuration of your Amazon EC2 virtual private clouds (VPCs) to grant them direct access to the internet. It doesn't block existing direct access or any access that routes through your on-premises network environment.Note: Existing VPCs that have internet access retain their internet access.|
14-
|[Deny Amazon Virtual Private Network (VPN) connections](Deny-Amazon-Virtual-Private-Network(VPN)-connection-creation-modification-deletion.json)|Restrict creation, modification or deletion actions on Virtual Private Network (VPN) connections (Site-to-Site VPN and Client VPN) to an Amazon Virtual Private Cloud (VPC).|
13+
|[Prevent creating or expanding public connectivity for VPCs](Prevent-creating-or-expanding-public-connectivity-for-VPCs.json)|Restrict changes to the configuration of your Amazon EC2 virtual private clouds (VPCs) to grant them direct access to the internet to a privileged role. It doesn't block existing direct access or any access that routes through your on-premises network environment.Note: Existing VPCs that have internet access retain their internet access.|
14+
|[Deny Amazon Virtual Private Network (VPN) connections](Deny-Amazon-Virtual-Private-Network-connection-creation-modification-deletion.json)|Restrict creation, modification or deletion actions on Virtual Private Network (VPN) connections (Site-to-Site VPN and Client VPN) to an Amazon Virtual Private Cloud (VPC).|
1515
|[Deny unwarranted IAM Federation creation and modification](Deny-unwarranted-IAM-federations-creation-modification.json)|Restrict the creation of new and modification of existing IAM federation, this policy is usually used in conjunction with [Deny critical IAM user actions](Deny-critical-IAM-user-actions.json) to avoid unauthorized users from creating alternative access routes to AWS Accounts.|
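Review bot: the rationale on line 13, "Restrict changes to the configuration of your Amazon EC2 virtual private clouds (VPCs) to grant them direct access to the internet to a privileged role", stacks two "to" phrases and is hard to read; suggest "Restrict, to a privileged role, configuration changes that would give your Amazon VPCs direct access to the internet." The same line still has "environment.Note:" without a space after the period. Line 14's link target now matches the renamed file without parentheses, which is the right fix for URL encoding of the old name.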
Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
{
2+
"Version": "2012-10-17",
3+
"Statement": [
4+
{
5+
"Effect": "Deny",
6+
"Action": "ec2:DeleteFlowLogs",
7+
"Resource": "*"
8+
}
9+
]
10+
}
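Review bot: this policy denies only `ec2:DeleteFlowLogs`, but the README row that links to it (Protect-cloud-platform-resource/README.md line 8 in this commit) says it also prevents deleting CloudWatch log groups and log streams; either add `logs:DeleteLogGroup` and `logs:DeleteLogStream` to the Action list, as the AWS documentation example that row previously linked to does, or narrow the rationale text to flow logs. Also note that, unlike the other new policies in this commit, there is no privileged-role exception, so even the break-glass role cannot remove a flow log; if that is intended, say so in the README row.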

Protect-cloud-platform-resource/README.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2,10 +2,10 @@
22

33
Enforce controls to protect your resources in cloud from being modified or deleted.
44

5-
| Included Policy | Rationale |
5+
| Included policy | Rationale |
66
|------|-------------|
77
|[Deny unwanted cancellation or changes to AWS Marketplace product subscription](Deny-unwanted-cancellation-or-changes-to-AWS-Marketplace-product-subscription.json)| Restrict AWS Marketplace product subscription changes to privileged role|
8-
| [Deny users from deleting Amazon VPC flow logs](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_vpc.html#example_vpc_1)|Deny users or roles in any affected account from deleting Amazon Elastic Compute Cloud (Amazon EC2) flow logs or CloudWatch log groups or log streams.|
8+
| [Deny users from deleting Amazon VPC flow logs](Deny-users-from-deleting-Amazon-VPC-flow-logs.json)|Deny users or roles in any affected account from deleting Amazon Elastic Compute Cloud (Amazon EC2) flow logs or CloudWatch log groups or log streams.|
99
| [Deny creation of default VPC and Subnet](Deny-creation-of-default-VPC-and-subnet.json) | All VPCs and Subnets are created by the Network team following specific configurations.|
1010
| [Deny modifications to specific SNS topics](Deny-modifications-to-specific-SNS-topics.json)|Protect infrastructure automation solution SNS Topics. If you use AWS Control Tower, refer to [Disallow Changes to Amazon SNS Set Up by AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-controls.html#sns-disallow-changes) applied by default.|
1111
| [Deny modifications to specific Amazon Lambda functions](Deny-modifications-to-specific-Amazon-Lambda-functions.json) |Platform solutions deploy Lambda functions that need protection. If you use AWS Control Tower, refer to [Disallow Changes to AWS Lambda Functions Set Up by AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-controls.html#lambda-disallow-changes) applied by default.|
@@ -18,4 +18,4 @@ Enforce controls to protect your resources in cloud from being modified or delet
1818
| [Deny key actions on Route53 DNS hosted zones](Deny-key-actions-on-Route53-DNS-hosted-zones.json) |Deny route53 domain transfer, modification and deletion.|
1919
| [Prevent IMDSv1](Prevent-IMDSv1.json) |EC2 instances obtain credentials for the instance IAM roles through the Instance Metadata Service (IMDS).IMDSv2 is the most recent secure version of this service, the older version, IMDSv1, should therefore be prevented.|
2020
| [Enforce 30 days for KMS key deletion](Enforce-30-days-for-KMS-deletion.json) |Safeguards production KMS keys by enforcing a minimum 30-day cooldown period before key deletion. This policy helps prevent accidental or unauthorized deletion of critical encryption keys, ensuring the security and availability of encrypted data in production environments.|
21-
| [Deny-use-of-IAM-user-credentials-from-unexpected-networks.json](Deny-use-of-IAM-user-credentials-from-unexpected-networks.json) |Deny use of IAM user long-term access keys from outside of your corporate network or VPCs. We recommend using [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) instead of IAM users with long-term access keys, as these access keys remain valid until manually revoked and therefore present a higher security risk. If you still use IAM users in your organization, implement network restrictions to limit exposure and reduce potential misuse.|
21+
| [Deny use of IAM user credentials from unexpected networks](Deny-use-of-IAM-user-credentials-from-unexpected-networks.json) |Deny use of IAM user long-term access keys from outside of your corporate network or VPCs. We recommend using [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) instead of IAM users with long-term access keys, as these access keys remain valid until manually revoked and therefore present a higher security risk. If you still use IAM users in your organization, implement network restrictions to limit exposure and reduce potential misuse.|
