Adding service-specific guidance for sns, logs, s3

Author: tatyatsk

README.md

@@ -18,7 +18,7 @@ RCPs are a type of [AWS Organizations](https://aws.amazon.com/organizations/) or
 
 This folder contains examples of RCPs that help enforce identity and network perimeter controls on [services supported by RCPs](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html#rcp-supported-services). This folder also includes policy examples you can implement as [resource-based policies](resource_based_policies) for select services that are not supported by RCPs.
 
-These examples do not represent a complete list of valid data access patterns, and they are intended for you to tailor and extend them to suit the needs of your environment. See [Tagging conventions](https://github.com/aws-samples/data-perimeter-policy-examples/tree/main?tab=readme-ov-file#tagging-conventions) used in the policy examples to control the scope of data perimeter guardrails. You can also use the `NotResource` IAM policy element to exclude specific resources from the controls.
+These examples do not represent a complete list of valid data access patterns, and they are intended for you to tailor and extend them to suit the needs of your environment. See [Tagging conventions](https://github.com/aws-samples/data-perimeter-policy-examples/tree/main?tab=readme-ov-file#tagging-conventions-and-governance) used in the policy examples to control the scope of data perimeter guardrails. You can also use the `NotResource` IAM policy element to exclude specific resources from the controls.
 
 Use the following RCP examples individually or in combination:
 * [identity_perimeter_rcp](identity_perimeter_rcp.json) – Enforces identity perimeter controls on resources within your Organizations organization.

resource_control_policies/README.md

@@ -129,9 +129,9 @@ This statement is included in the [data_perimeter_governance_scp](data_perimeter
 
 [Some AWS resources](https://docs.aws.amazon.com/ram/latest/userguide/shareable.html#shareable-r53.) allow cross-account sharing via AWS RAM instead of resource-based policies. By default, AWS RAM shares allow sharing outside of an Organizations organization. You can explicitly [restrict sharing of resources outside of AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-create.html) and then limit AWS RAM actions based on this configuration.
 
-### "Sid":"PreventExternalResourceShare"
+### "Sid":"PreventExternalResourceShare" and "Sid": "PreventExternalResourceShareKMS"
 
-This statement is included in the [data_perimeter_governance_scp](data_perimeter_governance_scp.json) and restricts resource sharing by capabilities that are embedded into services.
+These statements are included in the [data_perimeter_governance_scp](data_perimeter_governance_scp.json) and restrict resource sharing by capabilities that are embedded into services.
 
 Some AWS services use neither resource-based policies nor AWS RAM.
 
@@ -166,6 +166,7 @@ Example data access patterns:
 * [AWS Cloud9 shared environment](https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html): You can share AWS Cloud9 development environment with users from other accounts with the `CreateEnvironmentMembership` API.
 * [Amazon Connect dataset](https://docs.aws.amazon.com/connect/latest/APIReference/API_BatchAssociateAnalyticsDataSet.html#connect-BatchAssociateAnalyticsDataSet-request-DataSetIds): You can associate a list of Amazon Connect instance analytics datasets to a target account using `BatchAssociateAnalyticsDataSet` API.
 * [Amazon Redshift Serverless snapshot](https://docs.aws.amazon.com/redshift-serverless/latest/APIReference/API_PutResourcePolicy.html): You can share snapshots across AWS accounts using `PutResourcePolicy` API.
+* [AWS KMS grants](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html): The `CreateGrant` API allows you to add a grant for another account to use your KMS key.
 
 ### "Sid":"ProtectActionsNotSupportedByPrimaryDPControls"
 

service_control_policies/README.md

@@ -65,6 +65,21 @@
             }
          }
       },
+      {
+         "Sid": "PreventExternalResourceShareKMS",
+         "Effect": "Deny",
+         "Action": "kms:CreateGrant",
+         "Resource": "*",
+         "Condition": {
+            "BoolIfExists": {
+               "kms:GrantIsForAWSResource": "false",
+               "aws:PrincipalIsAWSService": "false"
+            },
+            "StringNotEqualsIfExists": {
+               "aws:PrincipalTag/dp:exclude:identity": "true"
+            }
+         }
+      },
       {
          "Sid": "ProtectActionsNotSupportedByPrimaryDPControls",
          "Effect": "Deny",
@@ -101,20 +116,20 @@
          }
       },
       {
-         "Sid":"PreventLambdaFunctionURLAuthNone",
-         "Effect":"Deny",
-         "Action":[
+         "Sid": "PreventLambdaFunctionURLAuthNone",
+         "Effect": "Deny",
+         "Action": [
             "lambda:AddPermission",
             "lambda:UpdateFunctionUrlConfig",
             "lambda:CreateFunctionUrlConfig"
          ],
-         "Resource":"*",
-         "Condition":{
-            "StringNotEqualsIfExists":{
+         "Resource": "*",
+         "Condition": {
+            "StringNotEqualsIfExists": {
                "aws:PrincipalTag/dp:exclude:identity": "true"
             },
             "StringEquals": {
-               "lambda:FunctionUrlAuthType" : "NONE"
+               "lambda:FunctionUrlAuthType": "NONE"
             }
          }
       },
@@ -136,4 +151,4 @@
          }
       }
    ]
-}
+}

service_control_policies/data_perimeter_governance_scp.json

@@ -8,13 +8,14 @@ This folder contains examples of SCPs with service-specific controls you might w
 
 Use the following example SCPs individually or in combination:
 
-* [network_perimeter_ec2_scp](/service_control_policies/service_specific_controls/network_perimeter_ec2_scp.json) – Enforces network perimeter controls on service roles used by Amazon EC2 instances.
-* [network_perimeter_iam_users_scp](/service_control_policies/service_specific_controls/network_perimeter_iam_users_scp.json) - Enforces network perimeter controls on IAM users with long-term access keys.
-* [network_perimeter_lambda_scp](/service_control_policies/service_specific_controls/network_perimeter_lambda_scp.json) - Enforces network perimeter controls on service roles used by AWS Lambda.
-* [restrict_nonvpc_deployment_scp](/service_control_policies/service_specific_controls/restrict_nonvpc_deployment_scp.json) - Enforces deployment of resources in a customer managed Amazon VPC.
-* [restrict_idp_configurations_scp](/service_control_policies/service_specific_controls/restrict_idp_configurations_scp.json) - Restricts the ability to make configuration changes to the IAM SAML identity providers.
-* [restrict_untrusted_endpoints_scp](/service_control_policies/service_specific_controls/restrict_untrusted_endpoints_scp.json) - Prevent untrusted non-AWS resources from being configured as targets for service operations.
-* [restrict_presignedURL_scp](service_control_policies/service_specific_controls/restrict_presignedURL_scp.json) - Restricts the ability to create Amazon S3 presigned URLs within specific services.
+* [network_perimeter_ec2_scp](network_perimeter_ec2_scp.json) – Enforces network perimeter controls on service roles used by Amazon EC2 instances.
+* [network_perimeter_iam_users_scp](network_perimeter_iam_users_scp.json) - Enforces network perimeter controls on IAM users with long-term access keys.
+* [network_perimeter_lambda_scp](network_perimeter_lambda_scp.json) - Enforces network perimeter controls on service roles used by AWS Lambda.
+* [restrict_nonvpc_deployment_scp](restrict_nonvpc_deployment_scp.json) - Enforces deployment of resources in a customer managed Amazon VPC.
+* [restrict_idp_configurations_scp](restrict_idp_configurations_scp.json) - Restricts the ability to make configuration changes to the IAM SAML identity providers.
+* [restrict_untrusted_endpoints_scp](restrict_untrusted_endpoints_scp.json) - Prevent untrusted non-AWS resources from being configured as targets for service operations.
+* [restrict_presignedURL_scp](restrict_presignedURL_scp.json) - Restricts actions that create Amazon S3 presigned URLs that are presigned by a service principal.
+* [restrict_resource_policy_configurations_scp](restrict_resource_policy_configurations_scp.json) - Restricts the ability to configure resource-based policies.
 
 Note that the SCP examples in this repository use a [deny list strategy](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_strategies.html), which means that you also need a FullAWSAccess policy or other policy attached to your AWS Organizations organization entities to allow actions. You still also need to grant appropriate permissions to your principals by using identity-based or resource-based policies.
 
@@ -75,28 +76,32 @@ This statement is included in the [restrict_nonvpc_deployment_scp](restrict_nonv
 
 AWS services such as AWS CodeStar Connections do not support deployment within a VPC and provide direct access to the internet that is not controlled by your VPC. You can block the use of such services by using SCPs or implementing your own proxy solution to inspect egress traffic.
 
-### "Sid":"PreventNonVPCDeploymentSageMaker", "Sid":"PreventNonVPCDeploymentGlueJob", "Sid":"PreventNonVPCDeploymentCloudShell", and "Sid":"PreventNonVPCDeploymentLambda", "Sid":"PreventNonVPCDeploymentAppRunner"
+### "Sid":"PreventNonVPCDeploymentSageMaker", "Sid":"PreventNonVPCDeploymentGlueJob", "Sid":"PreventNonVPCDeploymentCloudShell", "Sid":"PreventNonVPCDeploymentLambda", "Sid":"PreventNonVPCDeploymentAppRunner", and "Sid":"PreventNonVPCDeploymentCodeBuild"
 
-These statements are included in the [restrict_nonvpc_deployment_scp](restrict_nonvpc_deployment_scp.json) and explicitly deny relevant [Amazon SageMaker](https://aws.amazon.com/sagemaker/), [AWS Glue](https://aws.amazon.com/glue/), [AWS CloudShell](https://aws.amazon.com/cloudshell/), [AWS Lambda](https://aws.amazon.com/lambda/), and [AWS AppRunner](https://aws.amazon.com/apprunner/) operations unless they have VPC configurations specified in the requests. Use these statements to enforce deployment in a VPC for these services.
+These statements are included in the [restrict_nonvpc_deployment_scp](restrict_nonvpc_deployment_scp.json) and explicitly deny relevant [Amazon SageMaker](https://aws.amazon.com/sagemaker/), [AWS Glue](https://aws.amazon.com/glue/), [AWS CloudShell](https://aws.amazon.com/cloudshell/), [AWS Lambda](https://aws.amazon.com/lambda/), [AWS AppRunner](https://aws.amazon.com/apprunner/), and [AWS CodeBuild](https://aws.amazon.com/codebuild/) operations unless they have VPC configurations specified in the requests. Use these statements to enforce deployment in a VPC for these services.
 
 Services such as Lambda, AWS Glue, CloudShell, App Runner, and SageMaker support different deployment models. For example, [Amazon SageMaker Studio](https://aws.amazon.com/pm/sagemaker/) and [SageMaker notebook instances](https://docs.aws.amazon.com/sagemaker/latest/dg/nbi.html) allow direct internet access by default. However, they provide you with the capability to configure them to run within your VPC so that you can inspect requests by using VPC endpoint policies (against identity and resource perimeter controls) and enforce the network perimeter.
 
 
 ### "Sid": "PreventNonVpcOnlySageMakerDomain"
 
-This statement is included in the [restrict_nonvpc_deployment_scp](restrict_nonvpc_deployment_scp.json) and prevents users from creating [Amazon SageMaker domains](https://docs.aws.amazon.com/sagemaker/latest/dg/sm-domain.html) that can access the internet through a VPC managed by SageMaker, or updating SageMaker domains to allow access to the internet through a VPC managed by SageMaker.    
+This statement is included in the [restrict_nonvpc_deployment_scp](restrict_nonvpc_deployment_scp.json) and prevents users from creating [Amazon SageMaker domains](https://docs.aws.amazon.com/sagemaker/latest/dg/sm-domain.html) that can access the Internet through a VPC managed by SageMaker, or updating SageMaker domains to allow access to the Internet through a VPC managed by SageMaker.    
 For more details, see the definition of the parameter [`AppNetworkAccessType`](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UpdateDomain.html#sagemaker-UpdateDomain-request-AppNetworkAccessType) in the Amazon SageMaker API Reference.
 
 
 ### "Sid": "PreventDirectInternetAccessSageMakerNotebook"
 
-This statement is included in the [restrict_nonvpc_deployment_scp](restrict_nonvpc_deployment_scp.json) and prevents users from creating [Amazon SageMaker Notebooks Instances](https://docs.aws.amazon.com/sagemaker/latest/dg/nbi.html) that can access the internet through a VPC managed by SageMaker.        
+This statement is included in the [restrict_nonvpc_deployment_scp](restrict_nonvpc_deployment_scp.json) and prevents users from creating [Amazon SageMaker Notebooks Instances](https://docs.aws.amazon.com/sagemaker/latest/dg/nbi.html) that can access the Internet through a VPC managed by SageMaker.        
 For more details, see [Connect a Notebook Instance in a VPC to External Resources](https://docs.aws.amazon.com/sagemaker/latest/dg/appendix-notebook-and-internet-access.html) in the Amazon SageMaker documentation.
 
 ### "Sid": "PreventUntrustedSNSEmailSubscriptions"
 
-This statement is included in the [restrict_sns_subscription_scp](/service_control_policies/service_specific_controls/restrict_sns_subscription_scp.json) and prevents users from subscribing email addresses that belong to domains other than the one denoted by <trusted_email_domain> to an SNS topic. See [Amazon SNS policy keys](https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html#sns-policy-keys) for more details.
+This statement is included in the [restrict_untrusted_endpoints_scp](restrict_untrusted_endpoints_scp.json) and prevents users from subscribing email addresses that belong to domains other than the one denoted by `<trusted_email_domain>` to an SNS topic. See [Amazon SNS policy keys](https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html#sns-policy-keys) for more details.
 
 ### "Sid": "PreventCreationOfServicePresignedURL"
 
-This statement is included in the [restrict_presignedURL_scp](service_control_policies/service_specific_controls/restrict_presignedURL_scp.json) and prevents users from creating Amazon S3 presigned URLs within specific services.
+This statement is included in the [restrict_presignedURL_scp](restrict_presignedURL_scp.json) and prevents users from creating Amazon S3 presigned URLs that are presigned by a service principal.
+
+### "Sid": "PreventResourcePolicyConfigurations"
+
+This statement is included in the [restrict_resource_policy_configurations_scp](restrict_resource_policy_configurations_scp.json) and prevents users from configuring resource-based policies for select services.

service_control_policies/service_specific_controls/README.md

@@ -15,9 +15,9 @@
          }
       },
       {
-         "Sid":"PreventNonVPCDeploymentSageMaker",
-         "Effect":"Deny",
-         "Action":[
+         "Sid": "PreventNonVPCDeploymentSageMaker",
+         "Effect": "Deny",
+         "Action": [
             "sagemaker:CreateAutoMLJob",
             "sagemaker:CreateAutoMLJobV2",
             "sagemaker:CreateCluster",
@@ -35,13 +35,13 @@
             "sagemaker:UpdateDomain",
             "sagemaker:UpdateMonitoringSchedule"
          ],
-         "Resource":"*",
-         "Condition":{
+         "Resource": "*",
+         "Condition": {
             "StringNotEqualsIfExists": {
                "aws:PrincipalTag/dp:exclude": "true"
             },
-            "Null":{
-               "sagemaker:VpcSubnets":"true"
+            "Null": {
+               "sagemaker:VpcSubnets": "true"
             }
          }
       },
@@ -52,8 +52,8 @@
             "sagemaker:CreateDomain",
             "sagemaker:UpdateDomain"
          ],
-        "Resource": "*",
-        "Condition": {
+         "Resource": "*",
+         "Condition": {
             "StringNotEqualsIfExists": {
                "aws:PrincipalTag/dp:exclude": "true",
                "sagemaker:AppNetworkAccessType": "VpcOnly"
@@ -66,8 +66,8 @@
          "Action": [
             "sagemaker:CreateNotebookInstance"
          ],
-        "Resource": "*",
-        "Condition": {
+         "Resource": "*",
+         "Condition": {
             "StringEquals": {
                "sagemaker:DirectInternetAccess": "Enabled"
             },
@@ -77,24 +77,24 @@
          }
       },
       {
-         "Sid":"PreventNonVPCDeploymentLambda",
-         "Effect":"Deny",
-         "Action":[
+         "Sid": "PreventNonVPCDeploymentLambda",
+         "Effect": "Deny",
+         "Action": [
             "lambda:CreateFunction",
             "lambda:UpdateFunctionConfiguration"
          ],
-         "Resource":"*",
-         "Condition":{
+         "Resource": "*",
+         "Condition": {
             "StringNotEqualsIfExists": {
                "aws:PrincipalTag/dp:exclude": "true"
             },
-            "Null":{
-               "lambda:VpcIds":"true"
+            "Null": {
+               "lambda:VpcIds": "true"
             }
          }
       },
       {
-         "Sid":"PreventNonVPCDeploymentGlueJob",
+         "Sid": "PreventNonVPCDeploymentGlueJob",
          "Effect": "Deny",
          "Action": [
             "glue:CreateJob",
@@ -117,7 +117,7 @@
          ],
          "Effect": "Deny",
          "Resource": "*",
-         "Condition": {   
+         "Condition": {
             "StringNotEqualsIfExists": {
                "aws:PrincipalTag/dp:exclude": "true"
             },
@@ -134,14 +134,33 @@
             "apprunner:UpdateService"
          ],
          "Resource": "*",
-         "Condition": {   
+         "Condition": {
             "StringNotEqualsIfExists": {
                "aws:PrincipalTag/dp:exclude": "true"
             },
             "Null": {
                "apprunner:VpcConnectorArn": "true"
             }
          }
+      },
+      {
+         "Sid": "PreventNonVPCDeploymentCodeBuild",
+         "Effect": "Deny",
+         "Action": [
+            "codebuild:CreateProject",
+            "codebuild:UpdateProject",
+            "codebuild:CreateFleet",
+            "codebuild:UpdateFleet"
+         ],
+         "Resource": "*",
+         "Condition": {
+            "StringNotEqualsIfExists": {
+               "aws:PrincipalTag/dp:exclude": "true"
+            },
+            "Null": {
+               "codebuild:vpcConfig": "true"
+            }
+         }
       }
    ]
-}
+}

service_control_policies/service_specific_controls/restrict_nonvpc_deployment_scp.json

@@ -0,0 +1,27 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "PreventResourcePolicyConfigurations",
+      "Effect": "Deny",
+      "Action": [
+        "codeartifact:PutRepositoryPermissionsPolicy",
+        "codeartifact:PutDomainPermissionsPolicy",
+        "codebuild:PutResourcePolicy",
+        "dynamodb:PutResourcePolicy",
+        "glacier:SetVaultAccessPolicy",
+        "lambda:AddLayerVersionPermission",
+        "lambda:AddPermission",
+        "logs:PutResourcePolicy",
+        "logs:PutDestinationPolicy",
+        "sns:AddPermission"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringNotEqualsIfExists": {
+          "aws:PrincipalTag/dp:exclude:identity": "true"
+        }
+      }
+    }
+  ]
+}