File tree Expand file tree Collapse file tree 7 files changed +35
-2
lines changed
lines changed Original file line number Diff line number Diff line change @@ -35,6 +35,7 @@ No modules.
3535| [ aws_organizations_policy.deny_guardduty_modify] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy ) | resource |
3636| [ aws_organizations_policy.deny_member_leaving] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy ) | resource |
3737| [ aws_organizations_policy.deny_s3_public] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy ) | resource |
38+ | [ aws_organizations_policy.deny_s3_unsecure_requests] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy ) | resource |
3839| [ aws_organizations_policy.deny_securityhub_disable] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy ) | resource |
3940| [ aws_organizations_policy.require_s3_encryption] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy ) | resource |
4041
Original file line number Diff line number Diff line change 1+
2+ https://aws-samples.github.io/aws-iam-permissions-guardrails/guardrails/scp-guardrails.html
3+ https://github.com/ScaleSec/terraform_aws_scp
Original file line number Diff line number Diff line change 66 "Effect" : " Deny" ,
77 "Action" : [
88 " cloudtrail:DeleteTrail" ,
9- " cloudtrail:StopLogging" ,
109 " cloudtrail:PutEventSelectors" ,
10+ " cloudtrail:StopLogging" ,
1111 " cloudtrail:UpdateTrail"
1212 ],
1313 "Resource" : [
Original file line number Diff line number Diff line change 66 "Effect" : " Deny" ,
77 "Action" : [
88 " config:DeleteConfigRule" ,
9+ " config:DeleteConfigurationAggregator" ,
910 " config:DeleteConfigurationRecorder" ,
1011 " config:DeleteDeliveryChannel" ,
12+ " config:DeleteEvaluationResults" ,
13+ " config:DeleteRetentionConfiguration" ,
1114 " config:StopConfigurationRecorder"
1215 ],
1316 "Resource" : " *"
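Review bot: The deny list still leaves the recorder's scope editable: `config:PutConfigurationRecorder` can narrow the recordingGroup and `config:PutDeliveryChannel` can redirect delivery without touching any of the Delete/Stop actions listed, which is the same gap the CloudTrail policy closes by denying `cloudtrail:PutEventSelectors` and `cloudtrail:UpdateTrail`. If recorders and delivery channels are managed centrally, adding `"config:PutConfigurationRecorder",` and `"config:PutDeliveryChannel",` brings the two policies into line; since this is an unconditional deny on `"*"`, that also blocks legitimate in-account reconfiguration, so the choice should be deliberate. Organization-level constructs (`config:DeleteOrganizationConfigRule`, `config:DeleteConformancePack`, `config:DeleteOrganizationConformancePack`, `config:DeleteAggregationAuthorization`) are also absent; whether they belong here depends on which account deploys the rules, which the hunk does not show. The statement's Sid and the enclosing `Statement` array begin before line 6 and are outside the hunk.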
Original file line number Diff line number Diff line change 1+ {
2+ "Version" : " 2012-10-17" ,
3+ "Statement" : [
4+ {
5+ "Sid" : " DenyS3UnsecureRequests" ,
6+ "Effect" : " Deny" ,
7+ "Action" : [
8+ " s3:*"
9+ ],
10+ "Resource" : " *" ,
11+ "Condition" : {
12+ "Bool" : {
13+ "aws:SecureTransport" : " false"
14+ }
15+ }
16+ }
17+ ]
18+ }
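Review bot: The `aws:SecureTransport` deny only constrains principals in the organization's member accounts; an SCP is never evaluated for anonymous or external principals, so a bucket that is publicly readable or shared cross-account can still be read over plain HTTP unless its bucket policy carries the same condition, and that limitation belongs in the module README or the resource `description`, since the JSON has nowhere to hold it. SCPs also do not apply to the management account or to service-linked roles, so this is a guardrail, not a complete TLS-only guarantee. The `Bool` operator does not match when the key is absent, but `aws:SecureTransport` is present on every S3 request, so that behaviour is not a concern here; what the statement does do is deny every `s3:*` call, control plane included, made over HTTP by legacy CLI/SDK configurations, which is presumably intended but worth stating. The Sid `DenyS3UnsecureRequests` uses the non-standard word "Unsecure"; `DenyS3InsecureTransport` would read better and name the condition being enforced.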
Original file line number Diff line number Diff line change 88 "Resource" : " *" ,
99 "Condition" : {
1010 "StringNotEquals" : {
11- "s3:x-amz-server-side-encryption" : " AES256"
11+ "s3:x-amz-server-side-encryption" : [ " AES256" , " aws:kms " ]
1212 }
1313 }
1414 },
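Review bot: The new value `" aws:kms "` on line 11 appears to carry a trailing space inside the string literal (none of the neighbouring literals do), which would make `StringNotEquals` treat a well-formed `x-amz-server-side-encryption: aws:kms` header as a non-match and deny SSE-KMS uploads, the very case this change intends to allow; if the space is in the committed file rather than a rendering artifact, the line should be `"s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]`. S3 also accepts `aws:kms:dsse` (dual-layer SSE-KMS) for this header, and an allow-list that omits it denies those uploads, so `["AES256", "aws:kms", "aws:kms:dsse"]` covers all three server-managed modes. The statement's Sid, Effect and Action sit above line 8 and outside the hunk, so whether `StringNotEquals` is paired with a `Null` check for the header being absent cannot be confirmed from here.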
Original file line number Diff line number Diff line change @@ -113,6 +113,14 @@ resource "aws_organizations_policy" "deny_s3_public" {
113113 type = " SERVICE_CONTROL_POLICY"
114114 content = file (" ${ path . module } /files/deny-s3-public.json" )
115115}
116+ resource "aws_organizations_policy" "deny_s3_unsecure_requests" {
117+ count = local. enable && var. enable_s3 ? 1 : 0
118+ name = " deny_s3_unsecure_requests"
119+ description = " Prevent S3 unsecured requests"
120+ tags = var. tags
121+ type = " SERVICE_CONTROL_POLICY"
122+ content = file (" ${ path . module } /files/deny-s3-unsecure-requests.json" )
123+ }
116124resource "aws_organizations_policy" "require_s3_encryption" {
117125 count = local. enable && var. enable_s3 ? 1 : 0
118126 name = " require_s3_encryption"
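Review bot: The new resource block at lines 116–123 is inserted without the blank line that separates the neighbouring `aws_organizations_policy` blocks (line 115 `}` runs straight into line 116 `resource`), and `terraform fmt` will not add it; add the separator to match the rest of the file. The `description = "Prevent S3 unsecured requests"` reads awkwardly and says nothing about the mechanism; `description = "Deny all S3 API calls made without TLS (aws:SecureTransport = false)"` tells an operator what the SCP does when they meet it in the Organizations console. An `aws_organizations_policy` resource on its own enforces nothing until an `aws_organizations_policy_attachment` targets it; whether this file's attachment pattern picks up the new resource is outside the hunk and should be checked. The `count` expression mirrors the sibling `require_s3_encryption` resource, so the gating is consistent.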