From 5a5e8e9edfcdb636c5a60561b697519e7ee96af4 Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Tue, 18 Feb 2025 20:34:37 +0300 Subject: [PATCH 01/21] Allow Lambda in ue-east-1 required for cloudfront lambda on edge --- .../region-restriction-templates/RestrictToSpecifiedRegions.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml index 4f48be3..ea2490a 100644 --- a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml +++ b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml @@ -28,6 +28,7 @@ - "iam:*" - "importexport:*" - "kms:*" + - "lambda:*" - "mobileanalytics:*" - "networkmanager:*" - "organizations:*" From 4c345dee0babd7da8015157234e5e907013d489b Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Wed, 19 Feb 2025 00:26:08 +0300 Subject: [PATCH 02/21] Update RestrictToSpecifiedRegions.yaml --- .../RestrictToSpecifiedRegions.yaml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml index ea2490a..1c7b477 100644 --- a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml +++ b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml @@ -28,7 +28,6 @@ - "iam:*" - "importexport:*" - "kms:*" - - "lambda:*" - "mobileanalytics:*" - "networkmanager:*" - "organizations:*" @@ -57,3 +56,20 @@ %{ endfor } resources: - "*" + +- sid: "RestrictLambdaToSpecifiedRegions" + effect: "Deny" + actions: + - "lambda:*" + condition: + - test: "StringNotEqualsIgnoreCase" + variable: "aws:RequestedRegion" + # List of allowed regions + values: + # Us east-1 required for cloudfront lambda on edge + - us-east-1 + %{ for r in split(",", allowed_regions) } + - ${trimspace(r)} + %{ endfor } + resources: + - "*" 
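Review bot: Adding `lambda:*` to `not_actions` exempts every Lambda API call from `RestrictToSpecifiedRegions` in all regions, not only in us-east-1 as the subject describes, so on its own this hunk lets Lambda functions be created and invoked in any region the SCP was meant to block. The narrower intent needs a second Deny statement that restricts `lambda:*` to the allowed regions plus us-east-1, which later patches in this series add; this hunk should not land without it. The enclosing `not_actions` list starts and ends outside the hunk.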
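Review bot: The new `RestrictLambdaToSpecifiedRegions` statement cannot provide the us-east-1 exception it is written for, because the first hunk of this patch removes `lambda:*` from `not_actions` again, so `RestrictToSpecifiedRegions` still denies Lambda in us-east-1 and an explicit Deny from either statement wins. The `- us-east-1` entry is also unconditional, so every consumer of the template gets Lambda in us-east-1 whether or not CloudFront Lambda@Edge is in use; gating it on a parameter would keep the default fail-closed. Patch 04 restores the `not_actions` entry, which is what makes the new statement effective.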
From bc88c882ab6393103724e18ffb13bda621622a0a Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Wed, 19 Feb 2025 01:05:16 +0300 Subject: [PATCH 03/21] Update RestrictToSpecifiedRegions.yaml --- .../RestrictToSpecifiedRegions.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml index 1c7b477..b7ce5a7 100644 --- a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml +++ b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml @@ -27,7 +27,7 @@ - "health:*" - "iam:*" - "importexport:*" - - "kms:*" + - "kms:*" - "mobileanalytics:*" - "networkmanager:*" - "organizations:*" @@ -58,11 +58,11 @@ - "*" - sid: "RestrictLambdaToSpecifiedRegions" - effect: "Deny" + effect: "Allow" actions: - "lambda:*" condition: - - test: "StringNotEqualsIgnoreCase" + - test: "StringEqualsIgnoreCase" variable: "aws:RequestedRegion" # List of allowed regions values: From 83788a9817e639ed439551fbcdd5d94e325a5589 Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Wed, 19 Feb 2025 01:17:51 +0300 Subject: [PATCH 04/21] Update RestrictToSpecifiedRegions.yaml --- .../RestrictToSpecifiedRegions.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml index b7ce5a7..90cc43b 100644 --- a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml +++ b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml @@ -28,6 +28,7 @@ - "iam:*" - "importexport:*" - "kms:*" + - "lambda:*" - "mobileanalytics:*" - "networkmanager:*" - "organizations:*" 
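Review bot: Switching this statement to `effect: "Allow"` with a `condition` block will not work in a service control policy: SCP Allow statements do not support a Condition element (Resource must be `"*"` and NotAction is not allowed either), so Organizations rejects the policy, and an SCP Allow does not override the explicit Deny that `RestrictToSpecifiedRegions` still applies to Lambda in us-east-1. The same applies to the `AllowLambdaUsEast1` statement introduced in patch 05. Keeping a Deny with `StringNotEqualsIgnoreCase` and adding us-east-1 to its value list, as patches 04 and 06 do, is the form that actually carves out the region. The statement's `values` list continues outside the hunk.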
@@ -58,11 +59,11 @@ - "*" - sid: "RestrictLambdaToSpecifiedRegions" - effect: "Allow" + effect: "Deny" actions: - "lambda:*" condition: - - test: "StringEqualsIgnoreCase" + - test: "StringNotEqualsIgnoreCase" variable: "aws:RequestedRegion" # List of allowed regions values: From 0331471d6cc817a1d640bd93a45fcfddb088b6c6 Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Wed, 19 Feb 2025 01:29:20 +0300 Subject: [PATCH 05/21] Update RestrictToSpecifiedRegions.yaml --- .../RestrictToSpecifiedRegions.yaml | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml index 90cc43b..0f07f66 100644 --- a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml +++ b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml @@ -27,8 +27,7 @@ - "health:*" - "iam:*" - "importexport:*" - - "kms:*" - - "lambda:*" + - "kms:*" - "mobileanalytics:*" - "networkmanager:*" - "organizations:*" @@ -58,19 +57,16 @@ resources: - "*" -- sid: "RestrictLambdaToSpecifiedRegions" - effect: "Deny" +- sid: "AllowLambdaUsEast1" + effect: "Allow" actions: - "lambda:*" condition: - - test: "StringNotEqualsIgnoreCase" + - test: "StringEqualsIgnoreCase" variable: "aws:RequestedRegion" # List of allowed regions values: # Us east-1 required for cloudfront lambda on edge - us-east-1 - %{ for r in split(",", allowed_regions) } - - ${trimspace(r)} - %{ endfor } resources: - "*" From 207e5e2bcd5e8b441452d09efb57aca59af1de79 Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Wed, 19 Feb 2025 01:40:04 +0300 Subject: [PATCH 06/21] Update RestrictToSpecifiedRegions.yaml --- .../RestrictToSpecifiedRegions.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) 
diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml index 0f07f66..409a8b0 100644 --- a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml +++ b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml @@ -28,6 +28,7 @@ - "iam:*" - "importexport:*" - "kms:*" + - "lambda:*" - "mobileanalytics:*" - "networkmanager:*" - "organizations:*" @@ -57,16 +58,19 @@ resources: - "*" -- sid: "AllowLambdaUsEast1" - effect: "Allow" +- sid: "RestrictLambdaToSpecifiedRegions" + effect: "Deny" actions: - "lambda:*" condition: - - test: "StringEqualsIgnoreCase" + - test: "StringNotEqualsIgnoreCase" variable: "aws:RequestedRegion" # List of allowed regions values: # Us east-1 required for cloudfront lambda on edge - us-east-1 + %{ for r in split(",", allowed_regions) } + - ${trimspace(r)} + %{ endfor } resources: - "*" From 09e00f7697fb04bca10e6d5d640a5ea76ec50f9e Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Wed, 9 Apr 2025 12:36:18 +0200 Subject: [PATCH 07/21] Address comments --- .../DenyRegions.yaml | 18 ++++++++++++++++++ .../RestrictToSpecifiedRegions.yaml | 6 ++++-- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/catalog/region-restriction-templates/DenyRegions.yaml b/catalog/region-restriction-templates/DenyRegions.yaml index 31255ee..26d5ff8 100644 --- a/catalog/region-restriction-templates/DenyRegions.yaml +++ b/catalog/region-restriction-templates/DenyRegions.yaml @@ -28,6 +28,7 @@ - "iam:*" - "importexport:*" - "kms:*" + - "lambda:*" - "mobileanalytics:*" - "networkmanager:*" - "organizations:*" 
@@ -56,3 +57,20 @@ %{ endfor } resources: - "*" + +- sid: "DenyLambdaInRegions" + effect: "Deny" + actions: + - "lambda:*" + condition: + - test: "StringEqualsIgnoreCase" + variable: "aws:RequestedRegion" + # List of denied regions + values: + %{ for r in split(",", denied_regions) } + %{ if ! try(tobool(cloudfront_lambda_edge_enabled), false) || trimspace(r) != "us-east-1") } + - ${trimspace(r)} + %{ endif } + %{ endfor } + resources: + - "*" \ No newline at end of file diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml index 409a8b0..ed47cf7 100644 --- a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml +++ b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml @@ -28,7 +28,7 @@ - "iam:*" - "importexport:*" - "kms:*" - - "lambda:*" + - "lambda:*" - "mobileanalytics:*" - "networkmanager:*" - "organizations:*" @@ -68,9 +68,11 @@ # List of allowed regions values: # Us east-1 required for cloudfront lambda on edge + %{ if try(tobool(cloudfront_lambda_edge_enabled), false) && !contains(allowed_regions, "us-east-1") } - us-east-1 + %{ endif } %{ for r in split(",", allowed_regions) } - ${trimspace(r)} - %{ endfor } + %{ endfor } resources: - "*" From 5326cb69dc9fd0f4c966e7e15a3d7f266924413b Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Wed, 9 Apr 2025 13:08:38 +0200 Subject: [PATCH 08/21] Address comments --- catalog/region-restriction-templates/DenyRegions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/catalog/region-restriction-templates/DenyRegions.yaml b/catalog/region-restriction-templates/DenyRegions.yaml index 26d5ff8..095e0c7 100644 --- a/catalog/region-restriction-templates/DenyRegions.yaml +++ b/catalog/region-restriction-templates/DenyRegions.yaml 
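Review bot: The filter `%{ if ... || trimspace(r) != "us-east-1" }` can leave `values:` empty when `denied_regions` is only `us-east-1` and the edge flag is on, and an empty condition value list is likely to be rejected when the policy is rendered, so the whole statement should be wrapped in an outer guard or the module's handling of an empty list confirmed. The directive also has an unbalanced `)` before `}` in this hunk, which patch 08 removes. With `lambda:*` now unconditionally in `not_actions` in the first hunk of this file, Lambda in the denied regions is protected only by this new statement, so a rendered-policy test for the flag-on case is worth adding.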
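Review bot: `contains(allowed_regions, "us-east-1")` is applied to a comma-separated string, and `contains` needs a list, so this directive fails to render; patch 10 changes it to `contains(split(",", allowed_regions), "us-east-1")`, but the split entries are not trimmed, so a list such as `"eu-west-1, us-east-1"` yields `" us-east-1"` and the check still misses it. Compare against trimmed entries, e.g. `!contains([for x in split(",", allowed_regions) : trimspace(x)], "us-east-1")`. The effect of a miss is only a duplicated `us-east-1` value, so this is a correctness nit rather than a policy gap.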
@@ -68,7 +68,7 @@ # List of denied regions values: %{ for r in split(",", denied_regions) } - %{ if ! try(tobool(cloudfront_lambda_edge_enabled), false) || trimspace(r) != "us-east-1") } + %{ if ! try(tobool(cloudfront_lambda_edge_enabled), false) || trimspace(r) != "us-east-1" } - ${trimspace(r)} %{ endif } %{ endfor } From ecca15e703b2d3d4e09626b81f77639e4a11d620 Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Wed, 9 Apr 2025 13:23:12 +0200 Subject: [PATCH 09/21] Address comments --- catalog/region-restriction-templates/DenyRegions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/catalog/region-restriction-templates/DenyRegions.yaml b/catalog/region-restriction-templates/DenyRegions.yaml index 095e0c7..06edf55 100644 --- a/catalog/region-restriction-templates/DenyRegions.yaml +++ b/catalog/region-restriction-templates/DenyRegions.yaml @@ -68,7 +68,7 @@ # List of denied regions values: %{ for r in split(",", denied_regions) } - %{ if ! try(tobool(cloudfront_lambda_edge_enabled), false) || trimspace(r) != "us-east-1" } + %{ if! try(tobool(cloudfront_lambda_edge_enabled), false) } - ${trimspace(r)} %{ endif } %{ endfor } From ffc84115fedef431bae672f3416d6e07e8595674 Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Wed, 9 Apr 2025 14:59:32 +0200 Subject: [PATCH 10/21] Fix tests --- .../region-restriction-templates/DenyRegions.yaml | 2 +- .../RestrictToSpecifiedRegions.yaml | 2 +- examples/complete/fixtures.us-east-2.tfvars | 13 +++++++------ 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/catalog/region-restriction-templates/DenyRegions.yaml b/catalog/region-restriction-templates/DenyRegions.yaml index 06edf55..095e0c7 100644 --- a/catalog/region-restriction-templates/DenyRegions.yaml +++ b/catalog/region-restriction-templates/DenyRegions.yaml 
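Review bot: Dropping `|| trimspace(r) != "us-east-1"` changes the filter from "skip only us-east-1" to "skip every denied region" whenever `cloudfront_lambda_edge_enabled` is true, so with the flag on `DenyLambdaInRegions` renders with no regions and Lambda is no longer denied anywhere in `denied_regions`. The intended carve-out is the single region, which is what the previous form expressed; patch 10 restores it. The `if!` spelling without a space is also unusual for a template directive.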
@@ -68,7 +68,7 @@ # List of denied regions values: %{ for r in split(",", denied_regions) } - %{ if! try(tobool(cloudfront_lambda_edge_enabled), false) } + %{ if ! try(tobool(cloudfront_lambda_edge_enabled), false) || trimspace(r) != "us-east-1" } - ${trimspace(r)} %{ endif } %{ endfor } diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml index ed47cf7..56b9f26 100644 --- a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml +++ b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml @@ -68,7 +68,7 @@ # List of allowed regions values: # Us east-1 required for cloudfront lambda on edge - %{ if try(tobool(cloudfront_lambda_edge_enabled), false) && !contains(allowed_regions, "us-east-1") } + %{ if try(tobool(cloudfront_lambda_edge_enabled), false) && !contains(split(",", allowed_regions), "us-east-1") } - us-east-1 %{ endif } %{ for r in split(",", allowed_regions) } diff --git a/examples/complete/fixtures.us-east-2.tfvars b/examples/complete/fixtures.us-east-2.tfvars index d564a3e..11e6786 100644 --- a/examples/complete/fixtures.us-east-2.tfvars +++ b/examples/complete/fixtures.us-east-2.tfvars @@ -11,10 +11,11 @@ name = "scp" service_control_policy_description = "Test Service Control Policy" parameters = { - ami_creator_account = "account_creator" - ami_tag_key = "ami_tag_key" - ami_tag_value = "ami_tag_value" - allowed_regions = "eu-central-1, eu-west-1" - denied_regions = "sa-east-1" - s3_regions_lockdown = "eu-central-1, eu-west-1" + ami_creator_account = "account_creator" + ami_tag_key = "ami_tag_key" + ami_tag_value = "ami_tag_value" + allowed_regions = "eu-central-1, eu-west-1" + denied_regions = "sa-east-1" + s3_regions_lockdown = "eu-central-1, eu-west-1" + cloudfront_lambda_edge_enabled = "false" } From 06fa1d931ea1f1de6d549c4de071a07946f201d4 Mon Sep 17 00:00:00 2001 
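Review bot: The fixture sets `cloudfront_lambda_edge_enabled = "false"`, so the test only renders the path in which Lambda stays under the region restriction; the `"true"` branch, which is the one that relaxes the Deny for us-east-1, is never exercised. A second fixture or test variant with `cloudfront_lambda_edge_enabled = "true"` and a `denied_regions` value that includes us-east-1 would confirm the carve-out renders as intended. Patch 21's `servicequotas_enabled = "false"` has the same gap.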
From: Igor Rodionov Date: Wed, 9 Apr 2025 17:20:32 +0200 Subject: [PATCH 11/21] Fix tests --- catalog/region-restriction-templates/DenyRegions.yaml | 2 +- .../RestrictToSpecifiedRegions.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/catalog/region-restriction-templates/DenyRegions.yaml b/catalog/region-restriction-templates/DenyRegions.yaml index 095e0c7..cbaaf89 100644 --- a/catalog/region-restriction-templates/DenyRegions.yaml +++ b/catalog/region-restriction-templates/DenyRegions.yaml @@ -68,7 +68,7 @@ # List of denied regions values: %{ for r in split(",", denied_regions) } - %{ if ! try(tobool(cloudfront_lambda_edge_enabled), false) || trimspace(r) != "us-east-1" } + %{ if cloudfront_lambda_edge_enabled != "true" || trimspace(r) != "us-east-1" } - ${trimspace(r)} %{ endif } %{ endfor } diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml index 56b9f26..aa12b5e 100644 --- a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml +++ b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml @@ -68,7 +68,7 @@ # List of allowed regions values: # Us east-1 required for cloudfront lambda on edge - %{ if try(tobool(cloudfront_lambda_edge_enabled), false) && !contains(split(",", allowed_regions), "us-east-1") } + %{ if cloudfront_lambda_edge_enabled == "true" && !contains(split(",", allowed_regions), "us-east-1") } - us-east-1 %{ endif } %{ for r in split(",", allowed_regions) } From f20f8d9b71bcc0b2d65adb599ca8ec4d2b4db2c9 Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Wed, 9 Apr 2025 17:25:26 +0200 Subject: [PATCH 12/21] Fix tests --- .../RestrictToSpecifiedRegions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml index aa12b5e..ed6ab9d 100644 
--- a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml +++ b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml @@ -68,7 +68,7 @@ # List of allowed regions values: # Us east-1 required for cloudfront lambda on edge - %{ if cloudfront_lambda_edge_enabled == "true" && !contains(split(",", allowed_regions), "us-east-1") } + %{ if cloudfront_lambda_edge_enabled && !contains(split(",", allowed_regions), "us-east-1") } - us-east-1 %{ endif } %{ for r in split(",", allowed_regions) } From 1a4b68f8dc6db0a2d4594a565ef861b6a7680bf2 Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Wed, 9 Apr 2025 17:27:49 +0200 Subject: [PATCH 13/21] Fix tests --- .../RestrictToSpecifiedRegions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml index ed6ab9d..dd4fec1 100644 --- a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml +++ b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml @@ -68,7 +68,7 @@ # List of allowed regions values: # Us east-1 required for cloudfront lambda on edge - %{ if cloudfront_lambda_edge_enabled && !contains(split(",", allowed_regions), "us-east-1") } + %{ if cloudfront_lambda_edge_enabled } - us-east-1 %{ endif } %{ for r in split(",", allowed_regions) } From c9ad718bcb08d9ebfe0e04c4f2d184a6fd10548d Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Wed, 9 Apr 2025 17:32:31 +0200 Subject: [PATCH 14/21] Fix tests --- .../RestrictToSpecifiedRegions.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml index dd4fec1..c519cc5 100644 --- a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml +++ b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml 
@@ -68,9 +68,7 @@ # List of allowed regions values: # Us east-1 required for cloudfront lambda on edge - %{ if cloudfront_lambda_edge_enabled } - us-east-1 - %{ endif } %{ for r in split(",", allowed_regions) } - ${trimspace(r)} %{ endfor } From 58c7626ea7aca7bdd894da7846554d99d06755f0 Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Wed, 9 Apr 2025 17:46:25 +0200 Subject: [PATCH 15/21] Fix tests --- .../RestrictToSpecifiedRegions.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml index c519cc5..aa12b5e 100644 --- a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml +++ b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml @@ -68,7 +68,9 @@ # List of allowed regions values: # Us east-1 required for cloudfront lambda on edge + %{ if cloudfront_lambda_edge_enabled == "true" && !contains(split(",", allowed_regions), "us-east-1") } - us-east-1 + %{ endif } %{ for r in split(",", allowed_regions) } - ${trimspace(r)} %{ endfor } From ecd696ed7630f8ee7b5785701701810dac0f9bca Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Wed, 9 Apr 2025 23:06:38 +0300 Subject: [PATCH 16/21] Update RestrictToSpecifiedRegions.yaml --- .../RestrictToSpecifiedRegions.yaml | 39 ++++++++++--------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml index aa12b5e..4af309a 100644 --- a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml +++ b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml 
@@ -1,5 +1,25 @@ # Requires parameter: # - allowed_regions # Comma separated list of regions in which to allow operations +# - cloudfront_lambda_edge_enabled # Boolean flag that enables lambda in us-east-1 region required by cloudfront lambda on edge + +- sid: "RestrictLambdaToSpecifiedRegions" + effect: "Deny" + actions: + - "lambda:*" + condition: + - test: "StringNotEqualsIgnoreCase" + variable: "aws:RequestedRegion" + # List of allowed regions + values: + # Us east-1 required for cloudfront lambda on edge + %{ if cloudfront_lambda_edge_enabled == "true" && !contains(split(",", allowed_regions), "us-east-1") } + - us-east-1 + %{ endif } + %{ for r in split(",", allowed_regions) } + - ${trimspace(r)} + %{ endfor } + resources: + - "*" # https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html#examples_general - sid: "RestrictToSpecifiedRegions" @@ -57,22 +77,3 @@ %{ endfor } resources: - "*" - -- sid: "RestrictLambdaToSpecifiedRegions" - effect: "Deny" - actions: - - "lambda:*" - condition: - - test: "StringNotEqualsIgnoreCase" - variable: "aws:RequestedRegion" - # List of allowed regions - values: - # Us east-1 required for cloudfront lambda on edge - %{ if cloudfront_lambda_edge_enabled == "true" && !contains(split(",", allowed_regions), "us-east-1") } - - us-east-1 - %{ endif } - %{ for r in split(",", allowed_regions) } - - ${trimspace(r)} - %{ endfor } - resources: - - "*" From c30f164f0e5078b4bf4d7a5d6079ba1d365b290e Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Wed, 9 Apr 2025 23:11:57 +0300 Subject: [PATCH 17/21] Update RestrictToSpecifiedRegions.yaml --- .../RestrictToSpecifiedRegions.yaml | 57 ------------------- 1 file changed, 57 deletions(-) diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml index 4af309a..dc9e8d1 100644 --- a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml 
+++ b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml @@ -20,60 +20,3 @@ %{ endfor } resources: - "*" - -# https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html#examples_general -- sid: "RestrictToSpecifiedRegions" - effect: "Deny" - not_actions: - - "a4b:*" - - "account:*" - - "acm:*" - - "artifact:*" - - "aws-marketplace-management:*" - - "aws-marketplace:*" - - "aws-portal:*" - - "budgets:*" - - "ce:*" - - "chime:*" - - "cloudfront:*" - - "config:*" - - "cur:*" - - "directconnect:*" - - "ec2:DescribeRegions" - - "ec2:DescribeTransitGateways" - - "ec2:DescribeVpnGateways" - - "fms:*" - - "globalaccelerator:*" - - "health:*" - - "iam:*" - - "importexport:*" - - "kms:*" - - "lambda:*" - - "mobileanalytics:*" - - "networkmanager:*" - - "organizations:*" - - "pricing:*" - - "route53:*" - - "route53domains:*" - - "s3:GetAccountPublic*" - - "s3:ListAllMyBuckets" - - "s3:PutAccountPublic*" - - "shield:*" - - "sts:*" - - "support:*" - - "supportplans:*" - - "trustedadvisor:*" - - "waf-regional:*" - - "waf:*" - - "wafv2:*" - - "wellarchitected:*" - condition: - - test: "StringNotEqualsIgnoreCase" - variable: "aws:RequestedRegion" - # List of allowed regions - values: - %{ for r in split(",", allowed_regions) } - - ${trimspace(r)} - %{ endfor } - resources: - - "*" From 8319c948ebe86e48a104d22e4a71a287fec5d278 Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Thu, 10 Apr 2025 17:19:25 +0200 Subject: [PATCH 18/21] Fix policy --- catalog/region-restriction-templates/DenyRegions.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/catalog/region-restriction-templates/DenyRegions.yaml b/catalog/region-restriction-templates/DenyRegions.yaml index cbaaf89..9e5e012 100644 --- a/catalog/region-restriction-templates/DenyRegions.yaml +++ b/catalog/region-restriction-templates/DenyRegions.yaml 
@@ -28,7 +28,9 @@ - "iam:*" - "importexport:*" - "kms:*" + %{ if cloudfront_lambda_edge_enabled == "true" } - "lambda:*" + %{ endif } - "mobileanalytics:*" - "networkmanager:*" - "organizations:*" @@ -73,4 +75,4 @@ %{ endif } %{ endfor } resources: - - "*" \ No newline at end of file + - "*" From 4bad25650b68d1e53d665c9aaeb12d8aecd1d657 Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Thu, 10 Apr 2025 17:20:15 +0200 Subject: [PATCH 19/21] Fix policy --- .../RestrictToSpecifiedRegions.yaml | 60 ++++++++++++++++++- 1 file changed, 59 insertions(+), 1 deletion(-) diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml index dc9e8d1..7125880 100644 --- a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml +++ b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml 
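Review bot: `%{ if cloudfront_lambda_edge_enabled == "true" }` compares against the literal string, so a caller that passes a real boolean `true` rather than `"true"` most likely evaluates to false here and Lambda silently stays in the general deny; that is fail-closed, but it is surprising and undocumented. Either normalise with `%{ if tostring(cloudfront_lambda_edge_enabled) == "true" }` or state in the template header that the parameter is the string `"true"`. The same comparison appears in patch 19's `RestrictToSpecifiedRegions` hunk and in patch 20's `servicequotas_enabled` hunks. The `not_actions` list continues outside the hunk.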
@@ -1,6 +1,64 @@ # Requires parameter: # - allowed_regions # Comma separated list of regions in which to allow operations -# - cloudfront_lambda_edge_enabled # Boolean flag that enables lambda in us-east-1 region required by cloudfront lambda on edge + +# https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html#examples_general +- sid: "RestrictToSpecifiedRegions" + effect: "Deny" + not_actions: + - "a4b:*" + - "account:*" + - "acm:*" + - "artifact:*" + - "aws-marketplace-management:*" + - "aws-marketplace:*" + - "aws-portal:*" + - "budgets:*" + - "ce:*" + - "chime:*" + - "cloudfront:*" + - "config:*" + - "cur:*" + - "directconnect:*" + - "ec2:DescribeRegions" + - "ec2:DescribeTransitGateways" + - "ec2:DescribeVpnGateways" + - "fms:*" + - "globalaccelerator:*" + - "health:*" + - "iam:*" + - "importexport:*" + - "kms:*" + %{ if cloudfront_lambda_edge_enabled == "true" } + - "lambda:*" + %{ endif } + - "mobileanalytics:*" + - "networkmanager:*" + - "organizations:*" + - "pricing:*" + - "route53:*" + - "route53domains:*" + - "s3:GetAccountPublic*" + - "s3:ListAllMyBuckets" + - "s3:PutAccountPublic*" + - "shield:*" + - "sts:*" + - "support:*" + - "supportplans:*" + - "trustedadvisor:*" + - "waf-regional:*" + - "waf:*" + - "wafv2:*" + - "wellarchitected:*" + condition: + - test: "StringNotEqualsIgnoreCase" + variable: "aws:RequestedRegion" + # List of allowed regions + values: + %{ for r in split(",", allowed_regions) } + - ${trimspace(r)} + %{ endfor } + resources: + - "*" - sid: "RestrictLambdaToSpecifiedRegions" effect: "Deny" From 3340d6cb943eecf7d05e3b6713aa77f424f4579f Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Thu, 10 Apr 2025 21:15:13 +0200 Subject: [PATCH 20/21] Added service quotas policies --- catalog/region-restriction-templates/DenyRegions.yaml | 3 +++ .../RestrictToSpecifiedRegions.yaml | 3 +++ 2 files changed, 6 insertions(+) 
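Review bot: The hunk removes the `# - cloudfront_lambda_edge_enabled` line from the "Requires parameter" header while the template still references that variable in the restored `not_actions` block and in `RestrictLambdaToSpecifiedRegions`, so `templatefile` fails for a caller who omits it and the header no longer says so. Restore the line, e.g. `# - cloudfront_lambda_edge_enabled # "true" exempts lambda:* from the general deny and adds us-east-1 to the Lambda statement`. The `RestrictLambdaToSpecifiedRegions` statement that follows continues outside the hunk.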
diff --git a/catalog/region-restriction-templates/DenyRegions.yaml b/catalog/region-restriction-templates/DenyRegions.yaml index 9e5e012..79ca4ba 100644 --- a/catalog/region-restriction-templates/DenyRegions.yaml +++ b/catalog/region-restriction-templates/DenyRegions.yaml @@ -40,6 +40,9 @@ - "s3:GetAccountPublic*" - "s3:ListAllMyBuckets" - "s3:PutAccountPublic*" + %{ if servicequotas_enabled == "true" } + - "servicequotas:*" + %{ endif } - "shield:*" - "sts:*" - "support:*" diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml index 7125880..1f06c23 100644 --- a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml +++ b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml @@ -40,6 +40,9 @@ - "s3:GetAccountPublic*" - "s3:ListAllMyBuckets" - "s3:PutAccountPublic*" + %{ if servicequotas_enabled == "true" } + - "servicequotas:*" + %{ endif } - "shield:*" - "sts:*" - "support:*" From 6ece39f86cc7c13723065bc7fccf701c8053b6f9 Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Fri, 11 Apr 2025 13:32:54 +0200 Subject: [PATCH 21/21] added service quotas --- examples/complete/fixtures.us-east-2.tfvars | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/complete/fixtures.us-east-2.tfvars b/examples/complete/fixtures.us-east-2.tfvars index 11e6786..d8bcb79 100644 --- a/examples/complete/fixtures.us-east-2.tfvars +++ b/examples/complete/fixtures.us-east-2.tfvars @@ -18,4 +18,5 @@ parameters = { denied_regions = "sa-east-1" s3_regions_lockdown = "eu-central-1, eu-west-1" cloudfront_lambda_edge_enabled = "false" + servicequotas_enabled = "false" }
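Review bot: `servicequotas:*` in `not_actions` exempts the whole Service Quotas API from the region restriction, including quota-increase requests, in every region rather than only where the service is global; if the need is only discovery, `servicequotas:Get*` and `servicequotas:List*` is a narrower exemption. The new `servicequotas_enabled` parameter is also not listed in the "Requires parameter" header of `RestrictToSpecifiedRegions.yaml` (nor, presumably, of `DenyRegions.yaml`), and `templatefile` requires it to be supplied. The same exemption is added in both the `DenyRegions.yaml` and `RestrictToSpecifiedRegions.yaml` hunks of this patch.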