Addressing feedback and removing PutSubscriptionFilter from the governance scp

Author: tatyatsk

service_control_policies/README.md

@@ -129,9 +129,9 @@ This statement is included in the [data_perimeter_governance_scp](data_perimeter
 
 [Some AWS resources](https://docs.aws.amazon.com/ram/latest/userguide/shareable.html#shareable-r53.) allow cross-account sharing via AWS RAM instead of resource-based policies. By default, AWS RAM shares allow sharing outside of an Organizations organization. You can explicitly [restrict sharing of resources outside of AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-create.html) and then limit AWS RAM actions based on this configuration.
 
-### "Sid":"PreventExternalResourceShare" and "Sid": "PreventExternalResourceShareKMS"
+### "Sid":"PreventExternalResourceShare"
 
-These statements are included in the [data_perimeter_governance_scp](data_perimeter_governance_scp.json) and restrict resource sharing by capabilities that are embedded into services.
+This statement is included in the [data_perimeter_governance_scp](data_perimeter_governance_scp.json) and restricts resource sharing by capabilities that are embedded into services.
 
 Some AWS services use neither resource-based policies nor AWS RAM.
 
@@ -149,7 +149,6 @@ Example data access patterns:
 * [AWS Directory Service directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_directory_sharing.html): You can share a directory with other accounts with the `ShareDirectory` API.
 * [AWS Direct Connect gateway](https://docs.aws.amazon.com/directconnect/latest/UserGuide/multi-account-associate-vgw.html): You can associate a Direct Connect gateway with a virtual private gateway that is owned by another AWS account with the `CreateDirectConnectGatewayAssociationProposal` API.
 * [Amazon Detective graph](https://docs.aws.amazon.com/detective/latest/userguide/accounts.html): A Detective administrator account can invite other accounts to join a behavior graph with the `CreateMembers` API.
-* [Amazon CloudWatch Logs subscription filters](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html): You can send CloudWatch Logs to cross-account destinations with the `PutSubscriptionFilter` API.
 * [AWS Glue Data Catalog](https://docs.aws.amazon.com/lake-formation/latest/dg/granting-catalog-perms-TBAC.html) databases: You can grant data catalog permissions to another account by using the AWS Lake Formation tag-based access control method with the `GrantPermissions` and `BatchGrantPermissions` APIs.
 * [Amazon AppStream 2.0 image](https://docs.aws.amazon.com/appstream2/latest/developerguide/administer-images.html#share-image-with-another-account): You can share an Amazon AppStream 2.0 image that you own with other accounts with the `UpdateImagePermissions` API.
 * [Amazon Macie member accounts](https://docs.aws.amazon.com/macie/latest/user/accounts-mgmt-invitations-administer.html): You can add member accounts to your Macie administrator account with the `CreateInvitations` API.
@@ -166,7 +165,11 @@ Example data access patterns:
 * [AWS Cloud9 shared environment](https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html): You can share AWS Cloud9 development environment with users from other accounts with the `CreateEnvironmentMembership` API.
 * [Amazon Connect dataset](https://docs.aws.amazon.com/connect/latest/APIReference/API_BatchAssociateAnalyticsDataSet.html#connect-BatchAssociateAnalyticsDataSet-request-DataSetIds): You can associate a list of Amazon Connect instance analytics datasets to a target account using `BatchAssociateAnalyticsDataSet` API.
 * [Amazon Redshift Serverless snapshot](https://docs.aws.amazon.com/redshift-serverless/latest/APIReference/API_PutResourcePolicy.html): You can share snapshots across AWS accounts using `PutResourcePolicy` API.
-* [AWS KMS grants](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html): The `CreateGrant` API allows you to add a grant for another account to use your KMS key.
+
+### "Sid": “RestrictKMSGrantsCreationToAWSServices”
+This statement is included in the [data_perimeter_governance_scp](data_perimeter_governance_scp.json) and restricts creation of [AWS KMS grants](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) to administrators and AWS services only.
+
+The `CreateGrant` API allows you to add a grant for another account to use your KMS key. Use this statement to help ensure that only trusted identities can view information about your keys.
 
 ### "Sid":"ProtectActionsNotSupportedByPrimaryDPControls"
 

service_control_policies/data_perimeter_governance_scp.json

@@ -37,7 +37,6 @@
             "ds:ShareDirectory",
             "directconnect:CreateDirectConnectGatewayAssociationProposal",
             "detective:CreateMembers",
-            "logs:PutSubscriptionFilter",
             "lakeformation:GrantPermissions",
             "lakeformation:BatchGrantPermissions",
             "appstream:UpdateImagePermissions",
@@ -66,7 +65,7 @@
          }
       },
       {
-         "Sid": "PreventExternalResourceShareKMS",
+         "Sid": "RestrictKMSGrantsCreationToAWSServices",
          "Effect": "Deny",
          "Action": "kms:CreateGrant",
          "Resource": "*",

service_control_policies/service_specific_controls/README.md

@@ -100,7 +100,7 @@ This statement is included in the [restrict_untrusted_endpoints_scp](restrict_un
 
 ### "Sid": "PreventCreationOfServicePresignedURL"
 
-This statement is included in the [restrict_presignedURL_scp](restrict_presignedURL_scp.json) and prevents users from creating Amazon S3 presigned URLs that are presigned by a service principal.
+This statement is included in the [restrict_presignedURL_scp](restrict_presignedURL_scp.json) and prevents users from making API requests that return Amazon S3 presigned URLs that are presigned by a service principal.
 
 ### "Sid": "PreventResourcePolicyConfigurations"
 

service_specific_guidance/config-specific-guidance.md

@@ -28,7 +28,7 @@ Perimeter type applicability: identity perimeter applied on resource; resource p
 
 PutConfigurationAggregator allows you to add another account to your aggregator.
 
-See ["Sid":"PreventExternalResourceShare"](https://github.com/aws-samples/data-perimeter-policy-examples/tree/main/service_control_policies#sidpreventexternalresourceshare-sidpreventexternalresourcesharekms) for a list of resources that can be granted cross-account access.
+See ["Sid":"PreventExternalResourceShare"](https://github.com/aws-samples/data-perimeter-policy-examples/tree/main/service_control_policies#sidpreventexternalresourceshare) for a list of resources that can be granted cross-account access.
 
 If you want to restrict access so that only trusted identities can take actions against your resources, consider implementing these additional controls:
 
@@ -94,7 +94,7 @@ Perimeter type applicability: identity perimeter applied on resource; resource p
 
 PutAggregationAuthorization allows you to authorize another account to collect data from your account
 
-See ["Sid":"PreventExternalResourceShare"](https://github.com/aws-samples/data-perimeter-policy-examples/tree/main/service_control_policies#sidpreventexternalresourceshare-sidpreventexternalresourcesharekms) for a list of resources that can be granted cross-account access.
+See ["Sid":"PreventExternalResourceShare"](https://github.com/aws-samples/data-perimeter-policy-examples/tree/main/service_control_policies#sidpreventexternalresourceshare) for a list of resources that can be granted cross-account access.
 
 If you want to restrict access so that only trusted identities can take actions against your resources, consider implementing these additional controls:
 

service_specific_guidance/kms-specific-guidance.md

@@ -28,8 +28,6 @@ Perimeter type applicability: identity perimeter applied on resource; resource p
 
 CreateGrant allows you to create a grant for another account.
 
-See ["Sid":"PreventExternalResourceShareKMS"](https://github.com/aws-samples/data-perimeter-policy-examples/tree/main/service_control_policies#sidpreventexternalresourceshare-sidpreventexternalresourcesharekms) for a list of resources that can be granted cross-account access.
-
 If you want to restrict access so that only trusted identities can view information about your resources, consider implementing these additional controls:
 
 * **Preventative control example 1:** Consider implementing `aws:PrincipalOrgID` in an RCP to restrict service API calls so that your resources can only be accessed by trusted identities. See [identity_perimeter_rcp.json](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/resource_control_policies/identity_perimeter_rcp.json) for an example policy.