
aws-samples / aws-iam-permissions-guardrails


AWS IAM Permissions Guardrails https://aws-samples.github.io/aws-iam-permissions-guardrails/

Home Page: https://aws-samples.github.io/aws-iam-permissions-guardrails/

License: Apache License 2.0

Python 98.28% Batchfile 1.72%
aws-iam iam-knowledge iam-permissions service-control-policies scps access-analyzer iam-permissions-guardrails identity-management identity-and-access-management

aws-iam-permissions-guardrails's Introduction

AWS IAM Permissions Guardrails

Please refer to Service Control Policy examples for the latest guidance and examples.

Contributors

License

This library is licensed under the Apache 2.0 License. See the LICENSE file.

aws-iam-permissions-guardrails's People

Contributors

0xjjoyy, amazon-auto, avisaws, dependabot[bot], huangjac


aws-iam-permissions-guardrails's Issues

SCP for denying creation of unencrypted Neptune DB

Use Case - Is your feature request related to a problem? Please describe.
Neptune DB is a graph DB service by AWS. An SCP is needed to prevent creation of unencrypted Neptune DB

Expected Outcome - Describe the solution you'd like
Ability for customer to prevent creation of unencrypted graph databases using Neptune

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Amazon Neptune

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way
Medium

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
#15

AWS Marketplace Unsubscribe

Use Case - Is your feature request related to a problem? Please describe.
Unauthorized modifications to your subscription could affect your workloads in AWS accounts. AWS Marketplace is a digital catalog with thousands of software listings from independent software vendors that make it easy to find, test, buy, and deploy software that runs on AWS.

{
"Sid": "DenyUnsubscribeAWSMarketPlace",
"Effect": "Deny",
"Action": [
"aws-marketplace:Unsubscribe"
],
"Resource": [
"*"
]
}

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which is affected

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.

Protect access analyzer account analyzers

Use Case - Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is.

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which is affected

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.

Deny Lakeformation Admin Operations

Use Case - Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is.

To prevent users from adding themselves as an administrator with an extract, transform, and load (ETL) script, make sure that all non-administrator users and roles are denied access to these API operations.

AWS Lake Formation is a fully managed service that makes it easier for you to build, secure, and manage data lakes.
AWS Lake Formation Administrators can view all metadata in the AWS Glue Data Catalog. They can also grant and revoke permissions on data resources to principals, including themselves. AWS Lake Formation requires that each principal (user or role) be authorized to perform actions on Lake Formation–managed resources. A principal is granted the necessary authorizations by the data lake administrator or another principal with the permissions to grant Lake Formation permissions.
When you grant a Lake Formation permission to a principal, you can optionally grant the ability to pass that permission to another principal. A principal with IAM administrative permissions—for example, with the AdministratorAccess AWS managed policy—has permissions to grant Lake Formation permissions and create data lake administrators. To deny a user or role access to Lake Formation administrator operations in your account, attach the SCP policy below.

{
"Sid": "DenyLakeFormationAdministratorOperations",
"Effect": "Deny",
"Action": [
"lakeformation:GetDataLakeSettings",
"lakeformation:PutDataLakeSettings"
],
"Resource": [
"*"
]
}

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

User is not authorized to perform: lakeformation:PutDataLakeSettings on resource with an explicit deny.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which is affected
AWS Lake Formation

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.

SCP - Enforce deployment of Lambda functions within VPC

Use Case - Is your feature request related to a problem? Please describe.
SCP to prevent deployment of Lambda functions outside VPC

Expected Outcome - Describe the solution you'd like
SCP Policy

Describe alternatives you've considered
Detective Control - AWS Managed Config Rule - lambda-inside-vpc

Affected AWS resource
AWS Lambda

Impact
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service

Supported material
NA

I can contribute: Yes

Additional context
NA

Pull Request number
NA

Add SCP to Prevent Creation of New IAM Users or Access Keys

Use Case - Is your feature request related to a problem? Please describe.
Restrict creation of any new IAM users or access keys to prohibit bypass of SSO and other controls

Expected Outcome - Describe the solution you'd like
An SCP which restricts IAM access key and user creation explicitly

Describe alternatives you've considered
This may be beneficial to combine with preventing other sensitive IAM actions, but is worthwhile to have this separately to control just access key and new user creation.

Affected AWS resource
IAM

Impact
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
N/A

I can contribute: Yes/No
Yes

Additional context
N/A

Pull Request number
#43

Protect Access Analyzer

Use Case - Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is.

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which is affected

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.

Protect Macie

Use Case - Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is.

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which is affected

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.

Protect shield and shield resources

Use Case - Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is.

Protect shield and shield resources.

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

      "shield:DeleteProtection",
      "shield:DeleteSubscription",
      "shield:DisassociateDRTLogBucket",
      "shield:DisassociateDRTRole",
      "shield:UpdateEmergencyContactSettings"

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which is affected

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.

Prevent deletion VPC flow logs

Use Case - Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is.

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which is affected

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.

Restrict ec2 instance types

Use Case - Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is.

Restrict ec2 instance types that are allowed to be launched.

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

        {
            "Sid": "GuardEC2InstanceTypes",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "ForAnyValue:StringNotLike": {
                    "ec2:InstanceType": [
                         instance-types...
                    ]
                }
            }
        }

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which is affected

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.

Add SCP for preventing disabling Security Hub and leaving organization setup

Use Case - Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is.
Add SCP for preventing disabling Security Hub and leaving organization setup for member accounts in the AWS Organization

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.
SCP which prevents securityhub:DisableSecurityHub and securityhub:DisassociateFromMasterAccount, attached to the root of the organization

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which is affected
SecurityHub

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way
Medium

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.
Yes

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
13

Deny EC2 public AMIs

Use Case - Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is.

Deny EC2 public AMIs

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

    {
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*::image/*"
      ],
      "Condition": {
        "Bool": {
          "ec2:Public": "true"
        }
      }
    }

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which is affected

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.

EFS encrypted at rest

Use Case - Is your feature request related to a problem? Please describe.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "elasticfilesystem:CreateFileSystem",
"Condition": {
"Bool": {
"elasticfilesystem:Encrypted": "true"
}
},
"Resource": "*"
}
]
}

https://docs.aws.amazon.com/efs/latest/ug/using-iam-to-enforce-encryption-at-rest.html

[EFS.1] Amazon EFS should be configured to encrypt file data at rest using AWS KMS

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which is affected

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.

Ensure S3 access point VPC

Use Case - Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is.

Ensure that S3 access point uses VPC value only (not Internet)

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

      {
        "Effect": "Deny",
        "Action": [
          "s3:CreateAccessPoint",
          "s3:PutAccessPointPolicy"
        ],
        "Resource": "arn:aws:s3:*:*:accesspoint/*",
        "Condition": {
          "StringNotEquals": {"s3:AccessPointNetworkOrigin": "VPC"}
        }
      }

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which is affected

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.

Add SCP to Prevent Users from Disabling AWS Access Analyzer in an Account

Use Case - Is your feature request related to a problem? Please describe.
Users or threat actors should be prevented from disabling access-analyzer

Expected Outcome - Describe the solution you'd like
An SCP to prevent deletion of access-analyzer

Describe alternatives you've considered
N/A

Affected AWS resource
IAM Access Analyzer

Impact
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
N/A

I can contribute: Yes/No
Yes

Additional context
N/A

Pull Request number

Ensure encrypted EBS snapshots

Use Case - Is your feature request related to a problem? Please describe.

ec2:encrypted
volume
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html

If you choose, you can make your unencrypted snapshots available publicly to all AWS users. You can't make your encrypted snapshots available publicly.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which is affected

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.

Enforce IMDSv2

Use Case - Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is.

Require the use of IMDSv2

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RequireImdsV2",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringNotEquals": {
"ec2:MetadataHttpTokens": "required"
}
}
}
]
}

Specify maximum hop limit

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MaxImdsHopLimit",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"NumericGreaterThan": {
"ec2:MetadataHttpPutResponseHopLimit": "3"
}
}
}
]
}

Require role credentials to be retrieved from IMDSv2

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RequireAllEc2RolesToUseV2",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NumericLessThan": {
"ec2:RoleDelivery": "2.0"
}
}
}
]
}

Limit who can modify the instance metadata options

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowOnlyImdsAdminsToModifySettings",
"Effect": "Deny",
"Action": "ec2:ModifyInstanceMetadataOptions",
"Resource": "*",
"Condition": {
"StringNotLike": {
"aws:PrincipalARN": "arn:aws:iam::*:role/ec2-imds-admins"
}
}
}
]
}

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which is affected

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.
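The four IMDSv2 statements above are Deny statements gated on request-context keys. To see which launch requests they actually stop, here is a small offline evaluator, added as an example (not code from the aws-iam-permissions-guardrails project). It models only the condition operators this page's SCPs use, plus the ForAnyValue:StringNotLike and Bool forms from the instance-type and public-AMI issues, and assumes IAM's rule that a key absent from the request context satisfies negated operators and fails all others; the account id and request contexts are constructed.

```python
"""Offline evaluator for the IMDSv2 guardrail SCPs quoted above.

Added example, not code from the aws-iam-permissions-guardrails project. It
models only the slice of IAM evaluation these Deny statements need: the
string/numeric/Bool operators, the ForAnyValue/ForAllValues prefixes, and the
rule that a key missing from the request context satisfies negated operators
(StringNotEquals, StringNotLike) and fails all others.
"""
import fnmatch
import json

# RequireImdsV2 and MaxImdsHopLimit from the issue above, with the "*:*"
# Region/account wildcards the page's rendering had stripped put back.
IMDS_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireImdsV2",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}}
    },
    {
      "Sid": "MaxImdsHopLimit",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"NumericGreaterThan": {"ec2:MetadataHttpPutResponseHopLimit": "3"}}
    }
  ]
}
""")


def _as_list(value):
    """Most IAM elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """IAM wildcard match for Action, Resource and StringLike: '*' and '?' only."""
    return fnmatch.fnmatchcase(value, pattern)


# operator -> (matches(request_value, policy_values), is_negated)
OPERATORS = {
    "StringEquals": (lambda a, e: a in e, False),
    "StringNotEquals": (lambda a, e: a not in e, True),
    "StringLike": (lambda a, e: any(_match(p, a) for p in e), False),
    "StringNotLike": (lambda a, e: not any(_match(p, a) for p in e), True),
    "NumericLessThan": (lambda a, e: float(a) < float(e[0]), False),
    "NumericGreaterThan": (lambda a, e: float(a) > float(e[0]), False),
    "Bool": (lambda a, e: str(a).lower() == str(e[0]).lower(), False),
}


def _condition_holds(operator, key, expected, context):
    """Evaluate one condition key; multivalued keys honour the set prefix."""
    set_prefix, _, op = operator.rpartition(":")  # e.g. "ForAnyValue:StringNotLike"
    if op not in OPERATORS:
        raise ValueError(f"operator not modelled here: {operator}")
    test, negated = OPERATORS[op]
    actual = context.get(key)
    if actual is None:
        return negated  # absent key: only negated operators are satisfied
    results = [test(v, _as_list(expected)) for v in _as_list(actual)]
    return any(results) if set_prefix == "ForAnyValue" else all(results)


def statement_denies(stmt, action, resource, context):
    """True when a Deny statement matches the action, the resource and every condition."""
    if stmt.get("Effect") != "Deny":
        return False
    if not any(_match(a, action) for a in _as_list(stmt["Action"])):
        return False
    if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    return all(_condition_holds(operator, key, expected, context)
               for operator, keys in stmt.get("Condition", {}).items()
               for key, expected in keys.items())


def explicit_denies(policy, action, resource, context):
    """Sids of every statement that explicitly denies the request; empty means the SCP lets it through."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if statement_denies(s, action, resource, context)]


# Constructed request contexts: the IMDS keys ec2:RunInstances presents to the policy engine.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/*"
COMPLIANT = {"ec2:MetadataHttpTokens": "required", "ec2:MetadataHttpPutResponseHopLimit": "1"}
LEGACY = {"ec2:MetadataHttpTokens": "optional", "ec2:MetadataHttpPutResponseHopLimit": "1"}
DEEP_HOPS = {"ec2:MetadataHttpTokens": "required", "ec2:MetadataHttpPutResponseHopLimit": "4"}

if __name__ == "__main__":
    for name, ctx in (("compliant", COMPLIANT), ("legacy", LEGACY), ("deep_hops", DEEP_HOPS)):
        print(name, explicit_denies(IMDS_SCP, "ec2:RunInstances", INSTANCE_ARN, ctx))
```

A launch with no metadata options in the context is still caught by RequireImdsV2, because StringNotEquals on an absent key is satisfied; this is the behaviour to keep in mind when reading any Deny built on a negated operator.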

Enforce IMDSv2 for EC2

Use Case - Is your feature request related to a problem? Please describe.
This SCP will enforce IMDSv2 to access instance metadata for an EC2 instance

Expected Outcome - Describe the solution you'd like
SCP Policy

Describe alternatives you've considered
Detective controls using AWS Config rule "ec2-imdsv2-check"

Affected AWS resource
AWS EC2

Impact
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service

Supported material
NA

I can contribute: Yes

Additional context
NA

Pull Request number
agopalun-enforce-IMDSv2-EC2 #36

SCP-BILLING-1 uses deprecated aws-portal actions

Describe the bug

SCP-BILLING-1 uses deprecated aws-portal actions like aws-portal:ModifyBilling . This needs to be changed to the fine-grained controls post-migration. These are the new actions that are encompassed by the current SCP (there are a lot, so it may make more sense to just select the most critical ones):

[
          "account:CloseAccount",
          "account:DeleteAlternateContact",
          "account:GetAccountInformation",
          "account:PutAlternateContact",
          "account:PutChallengeQuestions",
          "account:PutContactInformation",
          "billing:PutContractInformation",
          "billing:RedeemCredits",
          "billing:UpdateBillingPreferences",
          "billing:UpdateIAMAccessPreference",
          "ce:CreateAnomalyMonitor",
          "ce:CreateAnomalySubscription",
          "ce:CreateNotificationSubscription",
          "ce:CreateReport",
          "ce:DeleteAnomalyMonitor",
          "ce:DeleteAnomalySubscription",
          "ce:DeleteNotificationSubscription",
          "ce:DeleteReport",
          "ce:ProvideAnomalyFeedback",
          "ce:StartSavingsPlansPurchaseRecommendationGeneration",
          "ce:UpdateAnomalyMonitor",
          "ce:UpdateAnomalySubscription",
          "ce:UpdateCostAllocationTagsStatus",
          "ce:UpdateNotificationSubscription",
          "ce:UpdatePreferences",
          "cur:PutClassicReportPreferences",
          "freetier:PutFreeTierAlertPreference",
          "invoicing:PutInvoiceEmailDeliveryPreferences",
          "payments:CreatePaymentInstrument",
          "payments:DeletePaymentInstrument",
          "payments:MakePayment",
          "payments:UpdatePaymentPreferences",
          "tax:BatchPutTaxRegistration",
          "tax:DeleteTaxRegistration",
          "tax:PutTaxInheritance"
        ]

Expected behavior

Use supported version of actions.

SSH keys should not be created

Use Case - Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is.

Deny creating EC2 SSH keys

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyCreatingEC2SSHKeys",
"Effect": "Deny",
"Action": "ec2:CreateKeyPair",
"Resource": "arn:aws:ec2:*:*:key-pair/*"
}
]
}

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which is affected

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.

Prevent Any VPC That Doesn't Already Have Internet Access from Getting It

Use Case - Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is.

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which is affected

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.

Vault-Lock-Policy

Use Case - Is your feature request related to a problem? Please describe.
Vault Lock Policy that prevents users from deleting Glacier archives less than 365 days old. Suppose that you have a regulatory requirement to retain archives for up to one year before you can delete them.

{
"Sid": "deny-based-on-archive-age",
"Principal": "*",
"Effect": "Deny",
"Action": "glacier:DeleteArchive",
"Resource": [
"arn:aws:glacier:us-west-2:123456789012:vaults/examplevault"
],
"Condition": {
"NumericLessThan" : {
"glacier:ArchiveAgeInDays" : "365"
}
}
}

Expected Outcome - Describe the solution you'd like
Deny deleting Glacier Archives Less Than 365 Days Old.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which is affected

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.

Add SCP for preventing Deletion or Disassociation of Members and Invitations from Security Hub

Use Case - Is your feature request related to a problem? Please describe.
Add SCP for preventing Deletion or Disassociation of Members and Invitations from Security Hub

Expected Outcome - Describe the solution you'd like
SCP which prevents:

  • "securityhub:DeleteMembers"
  • "securityhub:DisassociateMembers"
  • "securityhub:DeleteInvitations"

Describe alternatives you've considered
First considered combining with existing PR #13 but this is likely better as a separate SCP as per @0xjjoyy

Affected AWS resource
SecurityHub

Impact
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
N/A

I can contribute: Yes/No
Yes

Additional context
None

Pull Request number
#40

Prevent associating a public IPv4 address to an EC2 instance

Use Case - Is your feature request related to a problem? Please describe.
Prevent blocking assigning a public IPv4 address to an instance
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-network-iface-embedded.html#aws-properties-ec2-network-iface-embedded-associatepubip

    {
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:network-interface/*"
      ],
      "Condition": {
        "Bool": {
          "ec2:AssociatePublicIpAddress": "true"
        }
      }
    }

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which are affected

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.

rds encrypted storage

Use Case - Is your feature request related to a problem? Please describe.
rds encrypted storage for create db instance and cluster

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RDS",
            "Effect": "Deny",
            "Action": [
                "rds:CreateDBInstance"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "Bool": {
                    "rds:StorageEncrypted": "false"
                }
            }
        },
        {
            "Sid": "StatementForAurora",
            "Effect": "Deny",
            "Action": [
                "rds:CreateDBCluster"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "Bool": {
                    "rds:StorageEncrypted": "false"
                }
            }
        }
    ]
}

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which are affected

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.
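The Deny statements in the "rds encrypted storage" issue above and in the earlier "Vault-Lock-Policy" issue both hinge on a condition key being present in the request context. The following Python script is an added example (not code from the aws-iam-permissions-guardrails project) that evaluates those two policies locally against constructed request contexts. It models only what these statements use (Deny effect, wildcard Action/Resource matching, and the Bool, NumericLessThan and Null operators), so it is a reasoning aid rather than a replacement for the IAM policy simulator. It also shows the IAM rule that a non-Null condition whose key is absent from the request context evaluates to false, which means a Bool-based Deny does not fire if the service leaves the key out; the `hardened_rds_scp()` variant adds a Null statement so the guardrail fails closed. That hardening is an assumption to validate against the RDS condition-key documentation before deployment, because a Null deny blocks every call that does not carry the key.

```python
"""Local evaluator for the Deny statements posted on this page.

Added example, not part of the aws-iam-permissions-guardrails project. It
models only what these policies use: "Effect": "Deny", Action/Resource
matching with IAM wildcards, and the Bool, NumericLessThan and Null
operators. Real IAM evaluation has many more rules; use this to reason
about the statements, not as a substitute for the IAM policy simulator.
"""
import fnmatch
from typing import Any, Dict, List, Union

# The SCP from the "rds encrypted storage" issue, as a Python dict.
RDS_ENCRYPTION_SCP: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RDS", "Effect": "Deny", "Action": ["rds:CreateDBInstance"],
         "Resource": ["*"],
         "Condition": {"Bool": {"rds:StorageEncrypted": "false"}}},
        {"Sid": "StatementForAurora", "Effect": "Deny",
         "Action": ["rds:CreateDBCluster"], "Resource": ["*"],
         "Condition": {"Bool": {"rds:StorageEncrypted": "false"}}},
    ],
}

# The statement from the "Vault-Lock-Policy" issue; only the Version and
# Statement wrapper is added so it evaluates like a full policy document.
GLACIER_VAULT_LOCK: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "deny-based-on-archive-age", "Principal": "*", "Effect": "Deny",
        "Action": "glacier:DeleteArchive",
        "Resource": ["arn:aws:glacier:us-west-2:123456789012:vaults/examplevault"],
        "Condition": {"NumericLessThan": {"glacier:ArchiveAgeInDays": "365"}},
    }],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def _condition_matches(block: Dict[str, Dict[str, Any]], ctx: Dict[str, Any]) -> bool:
    """All operator/key pairs must match for the statement to apply.
    IAM rule modelled here: except for Null (and the ...IfExists variants,
    not modelled), a key absent from the request context makes the
    comparison false, so a Deny that depends on it does not fire."""
    for operator, pairs in block.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                # "true" matches when the key is absent, "false" when present.
                if present == (str(expected).lower() == "true"):
                    return False
                continue
            if not present:
                return False
            if operator == "Bool":
                if str(ctx[key]).lower() != str(expected).lower():
                    return False
            elif operator == "NumericLessThan":
                if not float(ctx[key]) < float(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is not modelled")
    return True


def is_denied(policy: Dict[str, Any], action: str, resource: str,
              ctx: Dict[str, Any]) -> bool:
    """True if any Deny statement in the policy applies to the request."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


def hardened_rds_scp() -> Dict[str, Any]:
    """The page's RDS SCP plus a Null statement that also denies when the
    rds:StorageEncrypted key is absent, so the guardrail fails closed.
    Added hardening (an assumption to validate), not from the issue."""
    statements = list(RDS_ENCRYPTION_SCP["Statement"]) + [{
        "Sid": "DenyWhenEncryptionKeyMissing", "Effect": "Deny",
        "Action": ["rds:CreateDBInstance", "rds:CreateDBCluster"],
        "Resource": ["*"],
        "Condition": {"Null": {"rds:StorageEncrypted": "true"}},
    }]
    return {"Version": "2012-10-17", "Statement": statements}
```

Calling `is_denied(RDS_ENCRYPTION_SCP, "rds:CreateDBInstance", arn, {})` returns False while the same call with `hardened_rds_scp()` returns True, which is the whole point of the Null statement; the Glacier statement behaves as the issue describes, denying `glacier:DeleteArchive` on the named vault only while `glacier:ArchiveAgeInDays` is below 365.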

RDS deletion protection

Use Case - Is your feature request related to a problem? Please describe.
Protect rds resources from being deleted
[RDS.8] RDS DB instances should have deletion protection enabled

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which are affected

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.
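The "RDS deletion protection" issue above cites Security Hub control [RDS.8], which flags DB instances whose deletion protection is off. As an added example (not code from the aws-iam-permissions-guardrails project), the following Python script implements that detection over the DescribeDBInstances response shape, so it runs offline on the constructed sample below; against a live account you would feed it the pages from boto3's `rds.get_paginator("describe_db_instances").paginate()` instead. The instance identifiers, ARNs and account number in the sample are constructed, not real.

```python
"""Find RDS DB instances without deletion protection (Security Hub RDS.8).

Added example, not part of the aws-iam-permissions-guardrails project. It
consumes the DescribeDBInstances response shape so it can run offline on
the constructed sample below; for a live account, pass the pages from
boto3's rds.get_paginator("describe_db_instances").paginate().
"""
from typing import Any, Dict, Iterable, List

# Constructed sample shaped like one DescribeDBInstances page (not real data).
SAMPLE_PAGE: Dict[str, Any] = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
         "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:orders-prod",
         "DeletionProtection": True},
        {"DBInstanceIdentifier": "reports-dev", "Engine": "mysql",
         "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:reports-dev",
         "DeletionProtection": False},
        # No DeletionProtection key at all: treated as unprotected (fail closed).
        {"DBInstanceIdentifier": "legacy-db", "Engine": "mariadb",
         "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:legacy-db"},
    ]
}


def find_unprotected(pages: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return id/ARN/engine for every instance whose DeletionProtection flag
    is not exactly True. Aurora members carry the flag on the cluster
    (DescribeDBClusters), which this instance-level check does not cover."""
    findings: List[Dict[str, str]] = []
    for page in pages:
        for inst in page.get("DBInstances", []):
            if inst.get("DeletionProtection") is not True:
                findings.append({
                    "id": inst["DBInstanceIdentifier"],
                    "arn": inst["DBInstanceArn"],
                    "engine": inst.get("Engine", "unknown"),
                })
    return findings


def remediation_commands(findings: List[Dict[str, str]]) -> List[str]:
    """AWS CLI commands that turn deletion protection on for each finding.
    Review them before running: once the flag is on, intended deletions
    also fail until it is switched off again."""
    return [
        f"aws rds modify-db-instance --db-instance-identifier {f['id']} "
        "--deletion-protection --apply-immediately"
        for f in findings
    ]


if __name__ == "__main__":
    found = find_unprotected([SAMPLE_PAGE])
    for f in found:
        print(f"UNPROTECTED {f['arn']} ({f['engine']})")
    for cmd in remediation_commands(found):
        print(cmd)
```

Treating a missing `DeletionProtection` key as a finding is a deliberate fail-closed choice; the SCP in the issue can stop new unprotected deletions at creation time, but this check is what catches instances that existed before the guardrail was applied.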
