Cyber.AWS SCP - TannerWeinacker/Capstone GitHub Wiki

SCP Overview

This page collects a guideline and a set of service control policies (SCPs) for the cyber.AWS organization. Two rules govern how every policy below behaves: an SCP only sets the ceiling of permissions available in the accounts it is attached to, so an Allow statement grants nothing on its own and users still need IAM policies that allow the action; and an explicit Deny in an SCP cannot be overridden by any IAM policy inside the account. SCPs do not apply to the management account or to service-linked roles.

SCP Outlines

Below are some ideas for SCPs that will prevent students and admins from having more privileges than they need.

Admin SCP

  • Restricted Billing
  • Cannot leave the organization

Student SCP

  • Zero Billing Access
  • Cannot leave the organization
  • Restrict access to CloudTrail/CloudWatch
  • Restrict tagging capabilities
  • Restrict IAM roles/permissions (do not allow users to get around their account restrictions by creating new IAM permissions/roles)
  • Prevent access to AWS Artifact (students do not need to see the compliance reports for our AWS organization)
  • Prevent use of AWS Backup

Sandbox SCP

  • Zero Billing Access
  • Cannot leave the organization

Templates of Created SCP

Allowed Billing

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "billing:*",
        "aws-portal:*",
        "consolidatedbilling:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Denied Billing

aws-portal:* is the legacy Billing permission prefix; AWS has been replacing it with fine-grained prefixes (billing:*, payments:*, invoicing:*, tax:* and others), and accounts created after mid-2023 only evaluate the new ones. Keep both families in the Deny until every account in the organization uses the fine-grained model, otherwise a Deny on aws-portal:* alone leaves the new actions open.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": [
        "billing:*",
        "aws-portal:*",
        "consolidatedbilling:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
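Before attaching any of these, it is worth checking them for the mistakes Organizations rejects or silently misreads. The Python script below is an added example written for this page, not code from the wiki or the capstone project: it parses a policy as strict JSON, checks the element rules that apply to SCPs specifically (Effect values, Principal not being valid, Allow statements needing Resource "*" and no Condition), and measures the document against the 5,120-character SCP quota. DENIED_BILLING embeds the Denied Billing policy above as the clean sample; TRAILING_COMMA is a constructed broken sample; the function names are the example's own.

```python
"""Structural checks for hand-written SCP documents.

AWS Organizations only accepts strict JSON, Effect must be Allow or Deny,
Principal is not part of SCP syntax, Allow statements must use Resource "*"
and cannot carry a Condition, and the whole document (whitespace included)
must fit the 5,120-character SCP size quota.  An Allow also never grants
anything by itself, so it is reported as a warning when the goal is to restrict.
"""
import json

SCP_MAX_CHARS = 5120  # AWS Organizations quota for one SCP document

# Clean sample: the Denied Billing SCP from this page.
DENIED_BILLING = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyBilling",
      "Effect": "Deny",
      "Action": ["billing:*", "aws-portal:*", "consolidatedbilling:*"],
      "Resource": ["*"]
    }
  ]
}"""

# Constructed broken sample: a trailing comma after the Resource array.
TRAILING_COMMA = """{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Deny", "Action": ["organizations:LeaveOrganization"], "Resource": ["*"], }
  ]
}"""


def parse_scp(text):
    """Return (document, error_message); error_message is None for valid JSON."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"


def check_scp(doc):
    """Return a list of 'ERROR: ...' / 'WARN: ...' findings; [] means clean."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("ERROR: Version must be 2012-10-17")
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["ERROR: Statement must be a non-empty list"]
    seen_sids = set()
    for i, stmt in enumerate(statements):
        where = f"statement {i} ({stmt.get('Sid', 'no Sid')})"
        sid = stmt.get("Sid")
        if sid is not None:
            if sid in seen_sids:
                findings.append(f"ERROR: {where}: duplicate Sid")
            seen_sids.add(sid)
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"ERROR: {where}: Effect must be Allow or Deny, got {effect!r}")
        if ("Action" in stmt) == ("NotAction" in stmt):
            findings.append(f"ERROR: {where}: exactly one of Action/NotAction is required")
        if ("Resource" in stmt) == ("NotResource" in stmt):
            findings.append(f"ERROR: {where}: exactly one of Resource/NotResource is required")
        for key in ("Principal", "NotPrincipal"):
            if key in stmt:
                findings.append(f"ERROR: {where}: {key} is not valid in an SCP")
        if effect == "Allow":
            if stmt.get("Resource") not in ("*", ["*"]):
                findings.append(f'ERROR: {where}: an SCP Allow must use Resource "*"')
            if "Condition" in stmt:
                findings.append(f"ERROR: {where}: Condition is only supported in Deny statements")
            findings.append(f"WARN: {where}: an SCP Allow grants nothing by itself; "
                            "write restrictions as Deny statements")
    compact = json.dumps(doc, separators=(",", ":"))  # whitespace counts toward the quota
    if len(compact) > SCP_MAX_CHARS:
        findings.append(f"ERROR: document is {len(compact)} characters even when minified; "
                        f"the quota is {SCP_MAX_CHARS}")
    return findings


def lint(text):
    """Parse and check one SCP; a parse error is returned as the only finding."""
    doc, err = parse_scp(text)
    return [f"ERROR: {err}"] if err else check_scp(doc)


if __name__ == "__main__":
    for name, text in (("DeniedBilling", DENIED_BILLING), ("TrailingComma", TRAILING_COMMA)):
        print(name, "->", lint(text) or ["clean"])
```

Run it over each policy file before calling create-policy; the minified length is the number Organizations compares against the quota, so indentation in the wiki copy is free but the 5,120 limit is reached sooner than the pretty-printed size suggests.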

Organization Full View

This allows organizations:*, which covers write actions (creating accounts, attaching and detaching policies, moving accounts between OUs) as well as reads; a view-only ceiling would list organizations:Describe* and organizations:List* instead. Like every Allow in an SCP, it grants nothing on its own; the account's IAM policies still have to allow the calls.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "organizations:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Prevent Deletion of a Specific IAM User

iam:DeleteUser takes the user ARN, but iam:DeleteAccountAlias is an account-level action that only matches with Resource "*", so the two need separate statements (with the user ARN as the only resource, the alias deny would never match). Note that the ARN pins the first statement to one account ID; an SCP attached to an OU is evaluated in every account under it and the statement simply never matches elsewhere.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUserDeletion",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteUser"
      ],
      "Resource": [
        "arn:aws:iam::296704428774:user/alice"
      ]
    },
    {
      "Sid": "DenyAccountAliasDeletion",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteAccountAlias"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Prevent Role Deletion

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRoleDeletion",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteRole"
      ],
      "Resource": [
        "arn:aws:iam::495810764335:role/Allow_Admin"
      ]
    }
  ]
}

Prevent Account Leaving the Organization

The API call a member account uses to leave is organizations:LeaveOrganization, so that is the action to deny. The management account cannot be restricted by SCPs at all, and a trailing comma after the Resource array is rejected by Organizations, so the document must be strict JSON.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "organizations:LeaveOrganization"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Allow Only Specific AMI to be used

An Allow statement cannot enforce this: Allow statements in an SCP do not support a Condition element, and an SCP Allow only sets a ceiling, so it would not block other AMIs while FullAWSAccess is attached. The enforceable form is a Deny on ec2:RunInstances, scoped to the image resource, whenever the requested AMI is not the approved one. ec2:DescribeImages is left out because listing images is harmless and the Describe action does not evaluate the ec2:ImageId key. Replace the placeholder AMI ID with the approved image for each region in use, since AMI IDs are regional.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyEC2InstanceCreationWithOtherAMI",
            "Effect": "Deny",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": "arn:aws:ec2:*::image/*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:ImageId": "ami-0123456789abcdef"
                }
            }
        }
    ]
}

Prevent users from deleting certain machines

This can be used to mark infrastructure machines with a Production or Infrastructure tag so that regular users cannot delete them. The condition has to test the tags already on the resource, which is aws:ResourceTag/<key>, not aws:TagKeys: aws:TagKeys only describes the tag keys passed in a tagging request, so on ec2:TerminateInstances it never matches and the deny would be dead. The Null operator with "false" means "the tag key exists, whatever its value". Keys inside one condition operator are ANDed, so one statement per protected key gives "Production OR Infrastructure". s3:DeleteBucket and s3:DeleteObject are not listed because S3 does not evaluate aws:ResourceTag for those actions (object tags use s3:ExistingObjectTag/<key>); protect buckets with a bucket policy instead.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDeleteProductionResources",
      "Effect": "Deny",
      "Action": [
        "ec2:TerminateInstances",
        "rds:DeleteDBInstance"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/Production": "false"
        }
      }
    },
    {
      "Sid": "DenyDeleteInfrastructureResources",
      "Effect": "Deny",
      "Action": [
        "ec2:TerminateInstances",
        "rds:DeleteDBInstance"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/Infrastructure": "false"
        }
      }
    }
  ]
}

Prevent Users from adding or deleting Infrastructure and Production Tags

aws:TagKeys is the right key here because these are tagging actions and the key lists the tag keys in the request; ForAnyValue means the request is denied if any of its keys is a protected one. Two caveats: StringEquals is case-sensitive, so a request using "production" passes unless the operator is changed to ForAnyValue:StringEqualsIgnoreCase, and the Resource Groups Tagging API (tag:TagResources, tag:UntagResources) can write the same tags, so add those actions to the list as well.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyTagInfrastructureAndProduction",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "s3:PutBucketTagging",
                "s3:DeleteBucketTagging",
                "sqs:TagQueue",
                "sqs:UntagQueue"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:TagKeys": [
                        "Infrastructure",
                        "Production"
                    ]
                }
            }
        }
    ]
}
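The two tag policies are easiest to reason about by running concrete requests through the SCP evaluation rule (some Allow must match, no Deny may match, and the IAM policy is a separate gate). The following Python is an added example written for this page, not code from the wiki or the capstone project. The policy documents inside it are the aws:ResourceTag with Null form for deletes and the aws:TagKeys form for tagging; the request contexts are constructed, and scp_permits, demo and the other names are the example's own.

```python
"""SCP-layer evaluator: a request clears the SCPs of an account only if some Allow
statement matches it and no Deny statement does.  SCPs never grant anything, so
the identity's own IAM policy must still allow the action.  Supported operators:
StringEquals, StringNotEquals, Null, and the ForAnyValue: set prefix."""
import fnmatch

# AWS attaches this managed SCP to every root and OU by default.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Deny deletes of resources carrying a Production or Infrastructure tag key.
# Null "false" means "the key exists"; keys in one operator are ANDed, hence two statements.
PROTECT_TAGGED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyDeleteProduction", "Effect": "Deny",
     "Action": ["ec2:TerminateInstances", "rds:DeleteDBInstance"], "Resource": "*",
     "Condition": {"Null": {"aws:ResourceTag/Production": "false"}}},
    {"Sid": "DenyDeleteInfrastructure", "Effect": "Deny",
     "Action": ["ec2:TerminateInstances", "rds:DeleteDBInstance"], "Resource": "*",
     "Condition": {"Null": {"aws:ResourceTag/Infrastructure": "false"}}}]}
# Deny tagging requests that name a protected key (aws:TagKeys is multivalued).
DENY_TAGGING = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyTagInfrastructureAndProduction", "Effect": "Deny",
     "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Resource": "*",
     "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["Infrastructure", "Production"]}}}]}
STUDENT_SCPS = [FULL_AWS_ACCESS, PROTECT_TAGGED, DENY_TAGGING]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_any(patterns, text, fold_case):
    """IAM wildcard match ('*', '?'); action names are case-insensitive, ARNs are not."""
    if fold_case:
        return any(fnmatch.fnmatchcase(text.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(text, p) for p in _as_list(patterns))


def _condition_matches(condition, context):
    """context maps condition keys to a string (single-valued) or a list (multivalued)."""
    for operator, clauses in condition.items():
        set_prefix, _, base = operator.rpartition(":")
        for key, wanted in clauses.items():
            wanted = [str(w) for w in _as_list(wanted)]
            have = context.get(key)
            if base == "Null":  # Null "true" = key must be absent, "false" = key must exist
                if (have is None) != (wanted[0] == "true"):
                    return False
                continue
            if have is None:  # an absent key fails every string operator
                return False
            hits = [str(h) in wanted for h in _as_list(have)]
            if base == "StringEquals":
                ok = any(hits)  # one hit for single-valued keys; ForAnyValue needs any hit
            elif base == "StringNotEquals":
                ok = not any(hits)
            else:
                raise ValueError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    if "Action" in stmt and not _glob_any(stmt["Action"], action, True):
        return False
    if "NotAction" in stmt and _glob_any(stmt["NotAction"], action, True):
        return False
    if "Resource" in stmt and not _glob_any(stmt["Resource"], resource, False):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def scp_permits(policies, action, resource="*", context=None):
    """True if the request clears every attached SCP; an explicit Deny always wins."""
    context = context or {}
    allowed = denied = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def demo():
    """Worked cases for the student OU (constructed request contexts)."""
    t, c = "ec2:TerminateInstances", "ec2:CreateTags"
    return {
        "terminate_production": scp_permits(STUDENT_SCPS, t, context={"aws:ResourceTag/Production": "yes"}),
        "terminate_untagged": scp_permits(STUDENT_SCPS, t),
        "tag_with_production": scp_permits(STUDENT_SCPS, c, context={"aws:TagKeys": ["Name", "Production"]}),
        "tag_with_name_only": scp_permits(STUDENT_SCPS, c, context={"aws:TagKeys": ["Name"]}),
        # StringEquals is case-sensitive, so a lowercase key slips past the Deny.
        "tag_lowercase_production": scp_permits(STUDENT_SCPS, c, context={"aws:TagKeys": ["production"]}),
        # With no Allow baseline attached, Deny-only SCPs permit nothing at all.
        "no_allow_baseline": scp_permits([PROTECT_TAGGED, DENY_TAGGING], "s3:ListAllMyBuckets"),
    }
```

The last two cases are the ones that bite in practice: the case-sensitive miss is why the tagging deny should use StringEqualsIgnoreCase, and the empty-baseline case is why FullAWSAccess (or an explicit allow list) must stay attached whenever the Deny policies are.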

Only Allow connection from Champlain network

This policy will not be used, since it would defeat the purpose of having cyber.AWS accessible from everywhere. If it is ever revisited: an Allow statement with an IpAddress condition does nothing in an SCP, because Allow statements cannot carry a Condition and an SCP Allow grants nothing anyway. The enforceable shape is a Deny on "*" with a NotIpAddress condition on aws:SourceIp listing the public ranges, plus an exception for calls that AWS services make on the account's behalf (aws:ViaAWSService), otherwise services such as CloudFormation and Lambda break. The draft below is kept as written for reference.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "Needs an action",
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "Needs to be public"
                }
            }
        }
    ]
}