
Commit bcd89b6

updating VPCE policy findings and other minor edits after final review
1 parent 4ea9d22 commit bcd89b6

25 files changed

Lines changed: 1970 additions & 2075 deletions

service_control_policies/service_specific_controls/restrict_nonvpc_deployment_scp.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -158,7 +158,7 @@
158158
"aws:PrincipalTag/dp:exclude": "true"
159159
},
160160
"Null": {
161-
"codebuild:vpcConfig": "true"
161+
"codebuild:vpcConfig.vpcId": "true"
162162
}
163163
}
164164
}
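Review bot: the Null test at line 161 changes the key from `codebuild:vpcConfig` to `codebuild:vpcConfig.vpcId`, and that is a behavioural fix rather than a minor edit: a Null/true condition matches whenever the named key is absent from the request context, so a key name the service never populates would have been "absent" on every request and the Deny would have applied to every CodeBuild call that satisfied the statement's other conditions, VPC-attached builds included, whereas the `.vpcId` sub-key only matches when no VPC is configured. Please say so in the commit message and in the guidance that accompanies restrict_nonvpc_deployment_scp.json, and confirm against the CodeBuild service authorization reference which actions populate `codebuild:vpcConfig.vpcId`, since the Null test has no effect on actions that never carry the key.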

service_specific_guidance/accessanalyzer-specific-guidance.md

Lines changed: 68 additions & 69 deletions
@@ -14,81 +14,80 @@ The following table specifies whether additional considerations apply to a speci
1414
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
1515
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
1616
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
17-
| Network perimeter | My resources can be accesses only from expected networks | Resource | RCP | N |
17+
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |
1818

1919
*Y – Additional considerations apply. N – No additional considerations apply.
2020

2121

2222

2323
**List of service APIs reviewed against data perimeter control objectives**
2424

25+
* CreateAnalyzer
26+
27+
* ListAnalyzers
28+
29+
* CreateAccessPreview
30+
31+
* CreateArchiveRule
32+
33+
* StartPolicyGeneration
34+
35+
* ListFindings
36+
37+
* ListFindingsV2
38+
39+
* StartResourceScan
40+
41+
* GenerateFindingRecommendation
42+
43+
* ApplyArchiveRule
44+
45+
* TagResource
46+
47+
* UpdateArchiveRule
48+
49+
* UpdateFindings
50+
51+
* ListAccessPreviewFindings
52+
53+
* ListAccessPreviews
54+
55+
* ListAnalyzedResources
56+
57+
* ListArchiveRules
58+
59+
* ListPolicyGenerations
60+
61+
* ListTagsForResource
62+
63+
* GetAccessPreview
64+
65+
* GetAnalyzedResource
66+
67+
* GetAnalyzer
68+
69+
* GetArchiveRule
70+
71+
* GetFinding
72+
73+
* GetFindingV2
74+
75+
* GetGeneratedPolicy
76+
77+
* UntagResource
78+
79+
* CancelPolicyGeneration
80+
81+
* CheckNoNewAccess
82+
83+
* ValidatePolicy
84+
85+
* CheckAccessNotGranted
86+
87+
* CheckNoPublicAccess
88+
89+
* DeleteArchiveRule
90+
91+
* DeleteAnalyzer
2592

26-
* CreateAnalyzer
27-
28-
* ListAnalyzers
29-
30-
* CreateAccessPreview
31-
32-
* CreateArchiveRule
33-
34-
* StartPolicyGeneration
35-
36-
* ListFindings
37-
38-
* ListFindingsV2
39-
40-
* StartResourceScan
41-
42-
* GenerateFindingRecommendation
43-
44-
* ApplyArchiveRule
45-
46-
* TagResource
47-
48-
* UpdateArchiveRule
49-
50-
* UpdateFindings
51-
52-
* ListAccessPreviewFindings
53-
54-
* ListAccessPreviews
55-
56-
* ListAnalyzedResources
57-
58-
* ListArchiveRules
59-
60-
* ListPolicyGenerations
61-
62-
* ListTagsForResource
63-
64-
* GetAccessPreview
65-
66-
* GetAnalyzedResource
67-
68-
* GetAnalyzer
69-
70-
* GetArchiveRule
71-
72-
* GetFinding
73-
74-
* GetFindingV2
75-
76-
* GetGeneratedPolicy
77-
78-
* UntagResource
79-
80-
* CancelPolicyGeneration
81-
82-
* CheckNoNewAccess
83-
84-
* ValidatePolicy
85-
86-
* CheckAccessNotGranted
87-
88-
* CheckNoPublicAccess
89-
90-
* DeleteArchiveRule
91-
92-
* DeleteAnalyzer
93-
9493
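Review bot: the `+` block (new lines 25-91) and the `-` block (old lines 26-93) list the same APIs in the same order, so the whole block is a whitespace reflow (the blank line above the list and the trailing one below it were dropped) and the only substantive change in this file is the `accesses` -> `accessed` fix in the table; the same pattern repeats in acm-pca-specific-guidance.md and acm-specific-guidance.md below. Suggest either keeping the original blank lines so the diff shows just the one-line fix, or landing the reflow in its own formatting-only commit where it can be checked with a whitespace-ignoring diff.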

service_specific_guidance/acm-pca-specific-guidance.md

Lines changed: 42 additions & 43 deletions
@@ -14,7 +14,7 @@ The following table specifies whether additional considerations apply to a speci
1414
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | Y |
1515
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | N |
1616
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
17-
| Network perimeter | My resources can be accesses only from expected networks | Resource | RCP | N |
17+
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |
1818

1919
*Y – Additional considerations apply. N – No additional considerations apply.
2020
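Review bot: this `accesses` -> `accessed` correction in the Network perimeter row is identical to the one made in accessanalyzer-specific-guidance.md and acm-specific-guidance.md, which indicates the per-service tables share a template; fix the wording in that template (or in whatever generates the *-specific-guidance.md files) as well, otherwise the typo comes back the next time the tables are regenerated.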

@@ -36,47 +36,46 @@ If you want to restrict access to trusted resources, consider implementing these
3636

3737
**List of service APIs reviewed against data perimeter control objectives**
3838

39+
* CreateCertificateAuthorityAuditReport
40+
41+
* CreateCertificateAuthority
42+
43+
* CreatePermission
44+
45+
* PutPolicy
46+
47+
* TagCertificateAuthority
48+
49+
* UpdateCertificateAuthority
50+
51+
* ListCertificateAuthorities
52+
53+
* ListPermissions
54+
55+
* ListTags
56+
57+
* GetCertificate
58+
59+
* GetCertificateAuthorityCertificate
60+
61+
* GetCertificateAuthorityCsr
62+
63+
* GetPolicy
64+
65+
* DescribeCertificateAuthority
66+
67+
* DescribeCertificateAuthorityAuditReport
68+
69+
* RestoreCertificateAuthority
70+
71+
* UntagCertificateAuthority
72+
73+
* IssueCertificate
74+
75+
* DeletePermission
76+
77+
* DeletePolicy
78+
79+
* DeleteCertificateAuthority
3980

40-
* CreateCertificateAuthorityAuditReport
41-
42-
* CreateCertificateAuthority
43-
44-
* CreatePermission
45-
46-
* PutPolicy
47-
48-
* TagCertificateAuthority
49-
50-
* UpdateCertificateAuthority
51-
52-
* ListCertificateAuthorities
53-
54-
* ListPermissions
55-
56-
* ListTags
57-
58-
* GetCertificate
59-
60-
* GetCertificateAuthorityCertificate
61-
62-
* GetCertificateAuthorityCsr
63-
64-
* GetPolicy
65-
66-
* DescribeCertificateAuthority
67-
68-
* DescribeCertificateAuthorityAuditReport
69-
70-
* RestoreCertificateAuthority
71-
72-
* UntagCertificateAuthority
73-
74-
* IssueCertificate
75-
76-
* DeletePermission
77-
78-
* DeletePolicy
79-
80-
* DeleteCertificateAuthority
81-
8281

service_specific_guidance/acm-specific-guidance.md

Lines changed: 28 additions & 29 deletions
@@ -14,7 +14,7 @@ The following table specifies whether additional considerations apply to a speci
1414
| Resource perimeter | My identities can access only trusted resources | Identity | SCP | N |
1515
| Resource perimeter | Only trusted resources can be accessed from my network | Network | VPC endpoint policy | Y |
1616
| Network perimeter | My identities can access resources only from expected networks | Identity | SCP | N |
17-
| Network perimeter | My resources can be accesses only from expected networks | Resource | RCP | N |
17+
| Network perimeter | My resources can be accessed only from expected networks | Resource | RCP | N |
1818

1919
*Y – Additional considerations apply. N – No additional considerations apply.
2020

@@ -39,33 +39,32 @@ If you want to restrict access to your networks to trusted identities and truste
3939

4040
**List of service APIs reviewed against data perimeter control objectives**
4141

42+
* ImportCertificate
43+
44+
* RequestCertificate
45+
46+
* ExportCertificate
47+
48+
* PutAccountConfiguration
49+
50+
* AddTagsToCertificate
51+
52+
* UpdateCertificateOptions
53+
54+
* ListCertificates
55+
56+
* ListTagsForCertificate
57+
58+
* GetAccountConfiguration
59+
60+
* GetCertificate
61+
62+
* DescribeCertificate
63+
64+
* RenewCertificate
65+
66+
* RemoveTagsFromCertificate
67+
68+
* DeleteCertificate
4269

43-
* ImportCertificate
44-
45-
* RequestCertificate
46-
47-
* ExportCertificate
48-
49-
* PutAccountConfiguration
50-
51-
* AddTagsToCertificate
52-
53-
* UpdateCertificateOptions
54-
55-
* ListCertificates
56-
57-
* ListTagsForCertificate
58-
59-
* GetAccountConfiguration
60-
61-
* GetCertificate
62-
63-
* DescribeCertificate
64-
65-
* RenewCertificate
66-
67-
* RemoveTagsFromCertificate
68-
69-
* DeleteCertificate
70-
7170
