Cyber.AWS SCP - TannerWeinacker/Capstone GitHub Wiki
This page collects a guideline and several SCP (service control policy) drafts for our organization. The ideas below are the SCPs that keep students and admins from holding more privileges than they need:
- Restricted Billing
- Cannot leave the organization
- Zero Billing Access
- Restrict access to CloudTrail/CloudWatch
- Restrict tagging capabilities
- Restrict IAM roles/permissions (do not allow users to get around their account restrictions by creating new IAM permissions/roles)
- Prevent access to AWS Artifact (students do not need to see the security compliance reports of our AWS organization)
- Prevent AWS Backup
- Zero Billing Access
- Cannot leave the organization
Restricted Billing, allow-list form. An SCP never grants permissions on its own, so this statement only matters once the default FullAWSAccess SCP is detached from the OU: the billing actions stay reachable and everything else is cut off.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "billing:*",
        "aws-portal:*",
        "consolidatedbilling:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
Zero Billing Access: an explicit Deny blocks every billing action regardless of the IAM permissions inside the account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": [
        "billing:*",
        "aws-portal:*",
        "consolidatedbilling:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
Allow-list entry for AWS Organizations actions, used the same way as the billing allow-list (with FullAWSAccess still attached it adds nothing).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "organizations:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
Protect a named IAM user and the account alias from deletion. iam:DeleteAccountAlias has no resource-level permissions, so it gets its own statement with Resource "*"; scoped to the user ARN it would never match.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIAMAccountDeletion",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteUser"
      ],
      "Resource": [
        "arn:aws:iam::296704428774:user/alice"
      ]
    },
    {
      "Sid": "DenyAccountAliasDeletion",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteAccountAlias"
      ],
      "Resource": "*"
    }
  ]
}
```
Protect the Allow_Admin role from deletion, so account users cannot remove the role the admins rely on.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPolicyDeletion",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteRole"
      ],
      "Resource": [
        "arn:aws:iam::495810764335:role/Allow_Admin"
      ]
    }
  ]
}
```
Cannot leave the organization: deny the LeaveOrganization call in every member account, so an account under this SCP cannot detach itself from our organization and escape the other policies.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeaveOrganization",
      "Effect": "Deny",
      "Action": [
        "organizations:LeaveOrganization"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
Restrict EC2 launches to one approved AMI. SCP Allow statements cannot carry a Condition, so the restriction is written as a Deny on ec2:RunInstances against any image other than the approved one; ec2:DescribeImages needs no entry because nothing denies it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2InstanceCreationWithOtherAMIs",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*::image/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:ImageId": "ami-0123456789abcdef"
        }
      }
    }
  ]
}
```
This policy protects infrastructure machines tagged Production or Infrastructure: regular users cannot delete them. A terminate or delete request carries no aws:TagKeys, so the match is on the tags already present on the resource (aws:ResourceTag), one statement per protected key; the deny only bites for services that support aws:ResourceTag on the listed action.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDeleteProductionResources",
      "Effect": "Deny",
      "Action": [
        "ec2:TerminateInstances",
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "rds:DeleteDBInstance"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/Production": "false"
        }
      }
    },
    {
      "Sid": "DenyDeleteInfrastructureResources",
      "Effect": "Deny",
      "Action": [
        "ec2:TerminateInstances",
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "rds:DeleteDBInstance"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/Infrastructure": "false"
        }
      }
    }
  ]
}
```
Restrict tagging: users in accounts under this SCP cannot add or remove the Infrastructure or Production tag keys, so they cannot mark their own resources as protected or strip the protection from ours.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyTagInfrastructureAndProduction",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "s3:PutBucketTagging",
        "s3:DeleteBucketTagging",
        "sqs:TagQueue",
        "sqs:UntagQueue"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "Infrastructure",
            "Production"
          ]
        }
      }
    }
  ]
}
```
This policy will not be used, since it defeats the purpose of having cyber.AWS accessible from everywhere. If it is ever revisited, note that SCP Allow statements cannot carry a Condition; a source-IP restriction would have to be a Deny with a NotIpAddress condition instead.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "Needs an action",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "Needs to be public"
        }
      }
    }
  ]
}
```
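Before attaching any of the policies above, it helps to lint them against the SCP-specific rules (valid JSON, the 5120-byte limit, and no Condition, NotAction, NotResource or scoped Resource on an Allow statement). The script below is an added example, not part of the Capstone project; the sample document is a constructed draft of the AMI restriction written as an Allow with a Condition, which the linter flags.

```python
import json

SCP_MAX_BYTES = 5120  # size limit AWS Organizations enforces on one SCP document


def lint_scp(document: str) -> list[str]:
    """Return the problems found in an SCP JSON document, or [] if it is clean."""
    findings = []
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]  # a stray trailing comma ends up here
    if len(document.encode()) > SCP_MAX_BYTES:
        findings.append(f"document exceeds {SCP_MAX_BYTES} bytes")
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written bare
        statements = [statements]
    for index, stmt in enumerate(statements):
        label = stmt.get("Sid") or f"statement[{index}]"
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"{label}: Effect must be Allow or Deny")
            continue
        if effect == "Allow":
            # The SCP grammar only lets Deny statements be scoped or conditioned.
            for key in ("Condition", "NotAction", "NotResource"):
                if key in stmt:
                    findings.append(f"{label}: Allow statements cannot use {key}")
            if stmt.get("Resource") not in ("*", ["*"]):
                findings.append(f'{label}: Allow statements must use Resource "*"')
        actions = stmt.get("Action", stmt.get("NotAction", []))
        for action in [actions] if isinstance(actions, str) else actions:
            if action != "*" and ":" not in action:
                findings.append(f"{label}: {action!r} is not service:Operation")
    return findings


# Constructed sample: the AMI restriction drafted as an Allow with a Condition.
AMI_ALLOW_DRAFT = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "AllowEC2InstanceCreationWithSpecificAMI", "Effect": "Allow",
  "Action": ["ec2:RunInstances", "ec2:DescribeImages"], "Resource": "*",
  "Condition": {"StringEquals": {"ec2:ImageId": "ami-0123456789abcdef"}}}]}"""

if __name__ == "__main__":
    for problem in lint_scp(AMI_ALLOW_DRAFT):
        print(problem)
```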