Expanding service specific guidance to include 10 additional services

Author: nitinkul1

service_control_policies/service_specific_controls/README.md

@@ -126,6 +126,15 @@ This statement is included in the [restrict_untrusted_endpoints_scp](restrict_un
 
 This statement is included in the [restrict_untrusted_endpoints_scp](restrict_untrusted_endpoints_scp.json) and prevents Step Functions from invoking HTTPS APIs that don't belong to your organization. See [IAM permissions to run an HTTP Task](https://docs.aws.amazon.com/step-functions/latest/dg/call-https-apis.html#connect-http-task-permissions) for more details.
 
+### "Sid": "PreventUntrustedSESv1Emails"
+This statement is included in the [restrict_untrusted_endpoints_scp](restrict_untrusted_endpoints_scp.json) to restrict Simple Email Service from sending emails to addresses external to your organization. See [Conditions specific to sending authorization](https://docs.aws.amazon.com/ses/latest/dg/sending-authorization-policy-examples.html#sending-authorization-policy-conditions) for more details.
+
+### "Sid": "PreventUntrustedSESv2Emails"
+This statement is included in the [restrict_untrusted_endpoints_scp](restrict_untrusted_endpoints_scp.json) to restrict Simple Email Service API V2 (sesv2) from sending emails to addresses external to your organization. See [Conditions specific to sending authorization](https://docs.aws.amazon.com/ses/latest/dg/sending-authorization-policy-examples.html#sending-authorization-policy-conditions) for more details.
+
+### "Sid": "PreventUntrustedSESVerificationEmails"
+This statement is included in the [restrict_untrusted_endpoints_scp](restrict_untrusted_endpoints_scp.json) to restrict access to ses:SendCustomVerificationEmail using aws:PrincipalTag condition key as ses:Recipients condition doesnt apply to ses:SendCustomVerificationEmail
+
 ### "Sid": "PreventCreationOfServicePresignedURL"
 
 This statement is included in the [restrict_presignedURL_scp](restrict_presignedURL_scp.json) and prevents users from making API requests that return Amazon S3 presigned URLs that are presigned by a service principal.

service_control_policies/service_specific_controls/restrict_presignedURL_scp.json

@@ -7,7 +7,12 @@
       "Action": [
         "ecr:GetDownloadUrlForLayer",
         "lambda:GetFunction",
-        "ssm:GetDeployablePatchSnapshotForInstance"
+        "ssm:GetDeployablePatchSnapshotForInstance",
+        "lex:CreateUploadUrl",
+        "lex:DescribeExport",
+        "serverlessrepo:CreateCloudFormationTemplate",
+        "serverlessrepo:GetApplication",
+        "serverlessrepo:GetCloudFormationTemplate"
       ],
       "Resource": "*",
       "Condition": {

service_control_policies/service_specific_controls/restrict_resource_policy_configurations_scp.json

@@ -15,7 +15,11 @@
         "lambda:AddPermission",
         "logs:PutResourcePolicy",
         "logs:PutDestinationPolicy",
-        "sns:AddPermission"
+        "sns:AddPermission",
+        "lex:CreateResourcePolicy",
+        "lex:UpdateResourcePolicy",
+        "schemas:PutResourcePolicy",
+        "serverlessrepo:PutApplicationPolicy"
       ],
       "Resource": "*",
       "Condition": {

service_control_policies/service_specific_controls/restrict_untrusted_endpoints_scp.json

@@ -1,56 +1,114 @@
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "PreventUntrustedSNSEmailSubscriptions",
-      "Effect": "Deny",
-      "Action": [
-        "sns:Subscribe"
-      ],
-      "Resource": "*",
-      "Condition": {
-        "StringEquals": {
-          "sns:Protocol": "email"
-        },
-        "StringNotLike": {
-          "sns:Endpoint": "*@<trusted_email_domain>"
-        },
-        "StringNotEqualsIfExists": {
-          "aws:PrincipalTag/dp:exclude:resource": "true"
-        }
+   "Version": "2012-10-17",
+   "Statement": [
+      {
+         "Sid": "PreventUntrustedSNSEmailSubscriptions",
+         "Effect": "Deny",
+         "Action": [
+            "sns:Subscribe"
+         ],
+         "Resource": "*",
+         "Condition": {
+            "StringEquals": {
+               "sns:Protocol": "email"
+            },
+            "StringNotLike": {
+               "sns:Endpoint": "*@<trusted_email_domain>"
+            },
+            "StringNotEqualsIfExists": {
+               "aws:PrincipalTag/dp:exclude:resource": "true"
+            }
+         }
+      },
+      {
+         "Sid": "PreventEventBridgeAPIDestinations",
+         "Effect": "Deny",
+         "Action": [
+            "events:PutTargets"
+         ],
+         "Resource": "*",
+         "Condition": {
+            "ForAnyValue:ArnLike": {
+               "events:TargetArn": "arn:aws:events:*:*:api-destination/*"
+            },
+            "StringNotEqualsIfExists": {
+               "aws:PrincipalTag/dp:exclude:resource": "true"
+            }
+         }
+      },
+      {
+         "Sid": "PreventUntrustedStepFunctionsHTTPSAPI",
+         "Effect": "Deny",
+         "Action": [
+            "states:InvokeHTTPEndpoint"
+         ],
+         "Resource": "*",
+         "Condition": {
+            "StringNotLike": {
+               "states:HTTPEndpoint": "<trusted_https_endpoint>"
+            },
+            "StringNotEqualsIfExists": {
+               "aws:PrincipalTag/dp:exclude:resource": "true"
+            }
+         }
+      },
+      {
+         "Sid": "PreventUntrustedSESv1Emails",
+         "Effect": "Deny",
+         "Action": [
+            "ses:SendBulkTemplatedEmail",
+            "ses:SendEmail",
+            "ses:SendRawEmail",
+            "ses:SendTemplatedEmail"
+         ],
+         "Resource": "*",
+         "Condition": {
+            "ForAnyValue:StringNotLike": {
+               "ses:Recipients": [
+                  "*@<trusted_email_domain>"
+               ]
+            },
+            "StringEquals": {
+               "ses:ApiVersion": "1"
+            },
+            "StringNotEqualsIfExists": {
+               "aws:PrincipalTag/dp:exclude:resource": "true"
+            }
+         }
+      },
+      {
+         "Sid": "PreventUntrustedSESv2Emails",
+         "Effect": "Deny",
+         "Action": [
+            "ses:SendEmail"
+         ],
+         "Resource": "*",
+         "Condition": {
+            "ForAnyValue:StringNotLike": {
+               "ses:Recipients": [
+                  "*@<trusted_email_domain>"
+               ]
+            },
+            "StringEquals": {
+               "ses:ApiVersion": "2"
+            },
+            "StringNotEqualsIfExists": {
+               "aws:PrincipalTag/dp:exclude:resource": "true"
+            }
+         }
+      },
+      {
+         "Sid": "PreventUntrustedSESVerificationEmails",
+         "Effect": "Deny",
+         "Action": [
+            "ses:SendCustomVerificationEmail"
+         ],
+         "Resource": "*",
+         "Condition": {
+            "StringNotEqualsIfExists": {
+               "aws:PrincipalTag/dp:exclude:resource": "true"
+            }
+         }
       }
-    },
-    {
-      "Sid": "PreventEventBridgeAPIDestinations",
-      "Effect": "Deny",
-      "Action": [
-        "events:PutTargets"
-      ],
-      "Resource": "*",
-      "Condition": {
-        "ForAnyValue:ArnLike": {
-          "events:TargetArn": "arn:aws:events:*:*:api-destination/*"
-        },
-        "StringNotEqualsIfExists": {
-          "aws:PrincipalTag/dp:exclude:resource": "true"
-        }
-      }
-    },
-    {
-      "Sid": "PreventUntrustedStepFunctionsHTTPSAPI",
-      "Effect": "Deny",
-      "Action": [
-        "states:InvokeHTTPEndpoint"
-      ],
-      "Resource": "*",
-      "Condition": {
-        "StringNotLike": {
-          "states:HTTPEndpoint": "<trusted_https_endpoint>"
-        },
-        "StringNotEqualsIfExists": {
-          "aws:PrincipalTag/dp:exclude:resource": "true"
-        }
-      }
-    }
-  ]
+   ]
 }