Merge branch 'main' into Swara-changes

Author: SwaraGandhi

Service-specific-controls/README.md

@@ -11,8 +11,8 @@
 |[Enforce TLS version](S3-Enforce-TLS-version.json) | Require a minimum TLS version of 1.2 for access to S3 buckets.|
 |[Deny users from deleting Amazon S3 Buckets or objects](S3-Deny-users-from-deleting-Amazon-S3-Buckets-or-objects.json) | Restrict users or roles in any affected account from deleting S3 bucket or objects. This control can be implemented using either SCP or RCP.|
 |[Deny ACL disablement for all new buckets (bucket owner enforced)](S3-Deny-ACL-disablement-for-all-new-buckets-(bucket-owner-enforced).json)| Require that all new buckets are created with ACLs disabled. Note: When you apply this setting, ACLs are disabled and you automatically own and have full control over all objects in your bucket. This control can be implemented using either SCP or RCP.|
-|[Deny users from modifying S3 Block Public Access (Account-Level)](S3-Deny-users-from-modifying-S3-Block-Public-Access-(Account-Level).json) |Deny users or roles in any affected account from modifying the S3 Block Public Access Account level settings.Note: When you apply block public access settings to an account, the settings apply to all AWS Regions globally. This control can be implemented using either SCP or RCP.|
-|[Prevent S3 buckets from being made public (Bucket level)](S3-Prevent-S3-buckets-from-being-made-public-(Bucket-level).json) |Deny users or roles in any affected account from modifying the S3 Block Public Access bucket level settings. This control can be implemented using either SCP or RCP.|
+|[Deny users from modifying S3 Block Public Access (Account-Level)](S3-Deny-users-from-modifying-S3-Block-Public-Access-(Account-Level).json) |Deny users or roles in any affected account from modifying the S3 Block Public Access Account level settings.Note: When you apply block public access settings to an account, the settings apply to all AWS Regions globally. **Note:** This control can be implemented using either SCP or RCP or [S3 policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_s3.html). S3 policies is recommended.|
+|[Prevent S3 buckets from being made public (Bucket level)](S3-Prevent-S3-buckets-from-being-made-public-(Bucket-level).json) |Deny users or roles in any affected account from modifying the S3 Block Public Access bucket level settings. **Note:** This control can be implemented using either SCP or RCP or [S3 policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_s3.html). S3 policies is recommended.|
 |[Prevents usage of customer-provided encryption keys (SSE-C) for S3 buckets (Bucket level)](S3-Deny-SSE-C.json) |Deny the use of customer-provided encryption keys (SSE-C) across the organization. This security measure helps ensure all S3 bucket encryption remains under organizational control by denying the use of S3 with SSE-C.|
 |[Prevents long term presigned URLs](S3-Prevent-long-term-presigned-url.json) |Deny the use of presigned URL with a signature age greater than the configured expiration time.|
 
@@ -43,6 +43,7 @@
 
 **AWS STS**
 
+
 | Included Policy | Rationale | 
 |-------------|-------------|
 |[Protect EKS Pod Identity Session Tags](STS-Protect-EKS-pod-identities-tags.json) | Protect the session tags set by EKS pod identities. This RCP helps ensure that only AWS service principals can assume IAM role sessions with the EKS pod identity specific session tags, while allowing the role-sessions assumed by EKS pod identities to continue to set them as transitive session tags. This pairs well with a [service control policy that restricts the ability for someone to use the iam:TagRole and iam:TagUser permission from creating tags on IAM roles and users with the expected keys and values by EKS pod identities](https://github.com/aws-samples/service-control-policy-examples/blob/main/Service-specific-controls/Amazon-EKS/ProtectPodIdentitiesTagsOnRolesAndUsers.json). The logic is that "Only an AWS service Principal can make a request for a role-session with any of those tags, or a session/role/user that already has one of those tags set". |

Service-specific-controls/STS-protect-IAMRA-session-tags.json

@@ -0,0 +1,43 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "EnforceOnlyAWSServicePrincipalsAndRolesAssumedByIAMRACanSetIAMRASessionTags",
+      "Effect": "Deny",
+      "Principal": "*",
+      "Action": [
+        "sts:TagSession"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "ForAnyValue:Stringlike": {
+          "aws:TagKeys": [
+            "x509Issuer*",
+            "x509Subject*",
+            "x509SAN*"
+          ]
+        },
+        "BoolIfExists": {
+          "aws:PrincipalIsAwsService": "false"
+        },
+        "Null": {
+          "aws:PrincipalTag/x509Subject/OU": "true",
+          "aws:PrincipalTag/x509Subject/CN": "true",
+          "aws:PrincipalTag/x509Subject/O": "true",
+          "aws:PrincipalTag/x509Subject/C": "true",
+          "aws:PrincipalTag/x509Subject/ST": "true",
+          "aws:PrincipalTag/x509Subject/L": "true",
+          "aws:PrincipalTag/x509Issuer/C": "true",
+          "aws:PrincipalTag/x509Issuer/O": "true",
+          "aws:PrincipalTag/x509Issuer/OU": "true",
+          "aws:PrincipalTag/x509Issuer/ST": "true",
+          "aws:PrincipalTag/x509Issuer/L": "true",
+          "aws:PrincipalTag/x509Issuer/CN": "true"
+          "aws:PrincipalTag/x509SAN/DNS": "true"
+          "aws:PrincipalTag/x509SAN/URI": "true"
+          "aws:PrincipalTag/x509SAN/Name/CN": "true"
+        }
+      }
+    }
+  ]
+}