Update network_perimeter_sourcevpc_rcp.json

SwaraGandhi · web-flow · commit 61d7f4f0fcf3 · 2026-01-29T12:36:55.000-05:00
diff --git a/resource_control_policies/network_perimeter_sourcevpc_rcp.json b/resource_control_policies/network_perimeter_sourcevpc_rcp.json
@@ -1,80 +1,106 @@
 {
-   "Version":"2012-10-17",
-   "Statement":[
-      {
-         "Sid":"EnforceNetworkPerimeterSourceVPC",
-         "Effect":"Deny",
-         "Principal":"*",
-         "Action":[
-            "sqs:*",
-            "secretsmanager:*",
-            "sts:AssumeRole",
-            "sts:DecodeAuthorizationMessage",
-            "sts:GetAccessKeyInfo",
-            "sts:GetFederationToken",
-            "sts:GetServiceBearerToken",
-            "sts:GetSessionToken",
-            "sts:SetContext",
-            "aoss:*",
-            "ecr:*"
-         ],
-         "Resource":"*",
-         "Condition":{
-            "NotIpAddressIfExists":{
-               "aws:SourceIp":"<my-corporate-cidr>"
-            },
-            "StringNotEqualsIfExists":{
-               "aws:SourceVpc":"<my-vpc>",
-               "aws:PrincipalTag/dp:exclude:network":"true",
-               "aws:PrincipalAccount":[
-                  "<load-balancing-account-id>",
-                  "<fin-space-account-id>",
-                  "<third-party-account-a>",
-                  "<third-party-account-b>"
-               ],
-               "aws:ResourceTag/dp:exclude:network":"true"
-            },
-            "BoolIfExists":{
-               "aws:PrincipalIsAWSService":"false",
-               "aws:ViaAWSService":"false"
-            },
-            "ArnNotLikeIfExists":{
-               "aws:PrincipalArn":[
-                  "arn:aws:iam::*:role/aws:ec2-infrastructure"
-               ]
-            },
-            "StringEquals":{
-               "aws:PrincipalTag/dp:include:network":"true"
-            }
-         }
-      },
-      {
-         "Sid":"SourceVPCRegion",
-         "Effect":"Deny",
-         "Action":"*",
-         "Resource":"*",
-         "Condition":{
-            "StringEquals":{
-               "aws:SourceVpc":"<my-vpc-in-this-region>"
-            },
-            "StringNotEqualsIfExists":{
-               "aws:RequestedRegion":"<my-vpc-region>"
-            }
-         }
-      },
-      {
-         "Sid":"SourceVPCRegion2",
-         "Effect":"Deny",
-         "Action":"*",
-         "Resource":"*",
-         "Condition":{
-            "StringEquals":{
-               "aws:SourceVpc":"<my-vpc-in-this-region>"
-            },
-            "StringNotEqualsIfExists":{
-               "aws:RequestedRegion":"<my-vpc-region-2>"
-            }
-         }
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "EnforceNetworkPerimeterSourceVPC",
+      "Effect": "Deny",
+      "Principal": "*",
+      "Action": [
+        "sqs:*",
+        "secretsmanager:*",
+        "sts:AssumeRole",
+        "sts:DecodeAuthorizationMessage",
+        "sts:GetAccessKeyInfo",
+        "sts:GetFederationToken",
+        "sts:GetServiceBearerToken",
+        "sts:GetSessionToken",
+        "sts:SetContext",
+        "aoss:*",
+        "ecr:*"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "NotIpAddressIfExists": {
+          "aws:SourceIp": "<my-corporate-cidr>"
+        },
+        "StringNotEqualsIfExists": {
+          "aws:SourceVpc": "<my-vpc>",
+          "aws:PrincipalTag/dp:exclude:network": "true",
+          "aws:PrincipalAccount": [
+            "<load-balancing-account-id>",
+            "<fin-space-account-id>",
+            "<third-party-account-a>",
+            "<third-party-account-b>"
+          ],
+          "aws:ResourceTag/dp:exclude:network": "true"
+        },
+        "BoolIfExists": {
+          "aws:PrincipalIsAWSService": "false",
+          "aws:ViaAWSService": "false"
+        },
+        "ArnNotLikeIfExists": {
+          "aws:PrincipalArn": [
+            "arn:aws:iam::*:role/aws:ec2-infrastructure"
+          ]
+        },
+        "StringEquals": {
+          "aws:PrincipalTag/dp:include:network": "true"
+        }
       }
-   ]
-}
+    },
+    {
+      "Sid": "SourceVPCRegion",
+      "Effect": "Deny",
+      "Principal": "*",
+      "Action": [
+        "sqs:*",
+        "secretsmanager:*",
+        "sts:AssumeRole",
+        "sts:DecodeAuthorizationMessage",
+        "sts:GetAccessKeyInfo",
+        "sts:GetFederationToken",
+        "sts:GetServiceBearerToken",
+        "sts:GetSessionToken",
+        "sts:SetContext",
+        "aoss:*",
+        "ecr:*"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringEquals": {
+          "aws:SourceVpc": "<my-vpc-in-this-region>"
+        },
+        "StringNotEqualsIfExists": {
+          "aws:RequestedRegion": "<my-vpc-region>"
+        }
+      }
+    },
+    {
+      "Sid": "SourceVPCRegion2",
+      "Effect": "Deny",
+      "Principal": "*",
+      "Action": [
+        "sqs:*",
+        "secretsmanager:*",
+        "sts:AssumeRole",
+        "sts:DecodeAuthorizationMessage",
+        "sts:GetAccessKeyInfo",
+        "sts:GetFederationToken",
+        "sts:GetServiceBearerToken",
+        "sts:GetSessionToken",
+        "sts:SetContext",
+        "aoss:*",
+        "ecr:*"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringEquals": {
+          "aws:SourceVpc": "<my-vpc-in-this-region>"
+        },
+        "StringNotEqualsIfExists": {
+          "aws:RequestedRegion": "<my-vpc-region-2>"
+        }
+      }
+    }
+  ]
+}
