service_control_policies/README.md
13 additions & 2 deletions
@@ -36,14 +36,15 @@ This policy statement is included in the [resource_perimeter_policy](resource_pe
36
36
37
37
* Resources that belong to your Organizations organization specified by the organization ID (`<my-org-id>`) in the policy statement.
38
38
* Resources owned by AWS services. To permit access to AWS owned resources through the resource perimeter, two methods are used:
39
-
* Relevant service actions are listed in the `NotAction` element of the policy. Actions on resources that allow cross-account access are further restricted in other statements of the policy (`"Sid":"EnforceResourcePerimeterAWSResourcesS3"`, `"Sid":"EnforceResourcePerimeterAWSResourcesSSM"`, `"Sid":"EnforceResourcePerimeterAWSResourcesEC2ImageBuilder"`, `"EnforceResourcePerimeterAWSResourcesECR"`,,`"EnforceResourcePerimeterAWSResourcesLambdaLayer"`).
39
+
* Relevant service actions are listed in the `NotAction` element of the policy. Actions on resources that allow cross-account access are further restricted in other statements of the policy (`"Sid":"EnforceResourcePerimeterAWSResourcesS3"`, `"Sid":"EnforceResourcePerimeterAWSResourcesSSM"`, `"Sid":"EnforceResourcePerimeterAWSResourcesEC2ImageBuilder"`, `"EnforceResourcePerimeterAWSResourcesECR"`, `"EnforceResourcePerimeterAWSResourcesLambdaLayer"`,`"EnforceResourcePerimeterAWSResourcesEC2PrefixList"`).
40
40
* `iam:GetPolicy`, `iam:GetPolicyVersion`, `iam:ListEntitiesForPolicy`, `iam:ListPolicyVersions`, `iam:GenerateServiceLastAccessedDetails` - Required for AWS managed policies. AWS managed policies are owned by an AWS service account.
41
41
* `cloudformation:CreateChangeSet` - Required for using the [transforms hosted by AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-reference.html) in your CloudFormation templates.
42
42
* `s3:GetObject`,`s3:GetObjectVersion`, `s3:PutObject`, `s3:PutObjectAcl`, `s3:ListBucket` - Required for importing and storing assets in Amazon S3 buckets, like Service Catalog CloudFormation templates, [AWS Data Exchange assets](https://docs.aws.amazon.com/data-exchange/latest/userguide/access-control.html#:~:text=Amazon%20S3%20permissions), [AWS Glue Studio transformations](https://docs.aws.amazon.com/glue/latest/dg/getting-started-min-privs-job.html#getting-started-min-privs-data), [AWS Elastic Beanstalk configuration files](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/vpc-vpce.policy.html#AWSHowTo.S3.VPCendpoints.required-permissions.assets), [Amazon CloudWatch Synthetic monitoring canaries](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries.html), [Amazon SageMaker JumpStart models](https://docs.aws.amazon.com/sagemaker/latest/dg/jumpstart-deploy.html#jumpstart-config-security), [Amazon Neptune configuration scripts](https://docs.aws.amazon.com/neptune/latest/userguide/graph-notebooks.html#graph-notebooks-workbench).
43
-
* `ssm:Describe*`, `ssm:List*`, `ssm:Get*`, `ssm:SendCommand`, `ssm:CreateAssociation`, `ssm:StartSession`, `ssm:StartChangeRequestExecution`, `ssm:StartAutomationExecution` - Required for [AWS Systems Manager](https://aws.amazon.com/systems-manager/) global parameters, documents and automation runbooks. Some AWS services publish information about common artifacts as Systems Manager public parameters. For example, Amazon EC2 publishes information about Amazon Machine Images (AMIs) as public parameters. AWS automation or custom applications may need to access Systems Manager public documents also to support their operations. The AWS Systems Manager automation runbooks, such as AWS-ConfigureMaintenanceWindows, may be needed to configure maintenance windows in AWS Systems Manager.
43
+
* `ssm:Describe*`, `ssm:List*`, `ssm:Get*`, `ssm:SendCommand`, `ssm:CreateAssociation`, `ssm:StartSession`, `ssm:StartChangeRequestExecution`, `ssm:StartAutomationExecution` - Required for [AWS Systems Manager](https://aws.amazon.com/systems-manager/) global parameters, documents and automation runbooks. Some AWS services publish information about common artifacts as Systems Manager public parameters. For example, [Amazon EC2](https://aws.amazon.com/ec2/) publishes information about Amazon Machine Images (AMIs) as public parameters. AWS automation or custom applications may need to access Systems Manager public documents also to support their operations. The AWS Systems Manager automation runbooks, such as AWS-ConfigureMaintenanceWindows, may be needed to configure maintenance windows in AWS Systems Manager.
44
44
* `imagebuilder:GetComponent`,`imagebuilder:GetImage` - Required for [EC2 Image Builder](https://aws.amazon.com/image-builder/)[managed components and images](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security_iam_service-with-iam.html#sec-iam-ib-id-based-policies-resources).
45
45
* `ecr:GetDownloadUrlForLayer`, `ecr:BatchGetImage` - Required for [Amazon Elastic Kubernetes Service (Amazon EKS) add-ons](https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html), [GuardDuty EKS Runtime Monitoring](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-eks-runtime-monitoring.html), and [Amazon SageMaker pre-built Docker images](https://docs.aws.amazon.com/sagemaker/latest/dg-ecr-paths/sagemaker-algo-docker-registry-paths.html).
46
46
* `lambda:GetLayerVersion` - Required for CloudWatch Lambda Insights extension and [AWS AppConfig](https://aws.amazon.com/systems-manager/features/appconfig/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc&blog-posts-cards.sort-by=item.additionalFields.createdDate&blog-posts-cards.sort-order=desc) Agent Lambda extension.
47
+
* `ec2:CreateTags`, `ec2:DeleteTags`, `ec2:GetManagedPrefixListEntries` - Required for [AWS-managed prefix lists](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html).
47
48
*`ec2:Owner` condition key:
48
49
* Key value set to `amazon` - Required for your users and applications to be able to perform operations against public images that are owned by [Amazon](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-runinstances-ami) or a [verified partner](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharing-amis.html#verified-ami-provider) (for example, copying or launching instances using these images).
49
50
* Trusted resources that belong to an account outside of your Organizations organization. To permit access to a resource owned by an external account through the resource perimeter, relevant service actions have to be listed in the `NotAction` element of this statement (`<action>`). These actions are further restricted in the `"Sid":"EnforceResourcePerimeterThirdPartyResources"`.
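Review bot: the new `ec2:CreateTags`, `ec2:DeleteTags`, `ec2:GetManagedPrefixListEntries` bullet presents these as required for AWS-managed prefix lists, but `ec2:CreateTags` and `ec2:DeleteTags` are not prefix-list-specific actions, so placing them in the `NotAction` element of `EnforceResourcePerimeterAWSResources` exempts tagging of any EC2 resource type from this statement. State here that `"Sid":"EnforceResourcePerimeterAWSResourcesEC2PrefixList"` re-restricts all three actions and how it scopes them to prefix-list resources, so a reader does not take the carve-out as broader than intended. On style, the updated Sid list is inconsistent (the first three entries carry the `"Sid":` prefix, the last three do not) and lacks a space after the comma before `"EnforceResourcePerimeterAWSResourcesEC2PrefixList"`; the change does correctly remove the doubled comma from the previous line.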
@@ -110,6 +111,14 @@ This policy statement is included in [resource_perimeter_policy](resource_perime
110
111
* Lambda layers owned by [CloudWatch](https://aws.amazon.com/cloudwatch/) for [CloudWatch Lambda Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights.html). These layers are accessed by the IAM principal used to configure your Lambda function. To account for this access pattern, the `lambda:GetLayerVersion` is first listed in the `NotAction` element of the `"Sid":"EnforceResourcePerimeterAWSResources"` statement. `"Sid":"EnforceResourcePerimeterAWSResourcesLambdaLayer"` then uses the `aws:ResourceAccount` condition key to restrict these actions to Lambda layers owned by the AWS service accounts. `<lambdalayer-account-id>` can vary by AWS Region, and you might need to allow multiple account IDs if you are operating in multiple Regions. For a complete list of CloudWatch managed AWS accounts that host Lambda layers, see the [CloudWatch Lambda Insights documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versions.html).
111
112
* Lambda layers owned by [AWS AppConfig](https://aws.amazon.com/systems-manager/features/appconfig/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc&blog-posts-cards.sort-by=item.additionalFields.createdDate&blog-posts-cards.sort-order=desc) for [AWS AppConfig Agent Lambda extension](https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-integration-lambda-extensions.html). These layers are accessed by the IAM principal used to configure your Lambda function. To account for this access pattern, the `lambda:GetLayerVersion` is first listed in the `NotAction` element of the `"Sid":"EnforceResourcePerimeterAWSResources"` statement. `"Sid":"EnforceResourcePerimeterAWSResourcesLambdaLayer"` then uses the `aws:ResourceAccount` condition key to restrict these actions to Lambda layers owned by the AWS service accounts. `<lambdalayer-account-id>` can vary by AWS Region, and you might need to allow multiple account IDs if you are operating in multiple Regions. For a complete list of AWS AppConfig managed AWS accounts that host Lambda layers, see the [AWS AppConfig Agent Lambda extension](https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-integration-lambda-extensions-versions.html).
This policy statement is included in the [resource_perimeter_policy](resource_perimeter_policy.json) and limits access to trusted EC2 prefix lists:
117
+
118
+
* EC2 managed prefix lists that belong to your Organizations organization specified by the organization ID (`<my-org-id>`) in the policy statement.
119
+
*[AWS-managed prefix lists](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html) that might be accessed by your identities using your IAM credentials. To account for this access pattern, the `ec2:CreateTags`, `ec2:DeleteTags`, `ec2:GetManagedPrefixListEntries` are first listed in the `NotAction` element of the `"Sid":"EnforceResourcePerimeterAWSResources"` statement. `"Sid":"EnforceResourcePerimeterAWSResourcesEC2PrefixList"` then uses the `aws:PrincipalTag` condition key with `dp:exclude:resource:ec2` tag set to `true` to restrict access to these actions to IAM principals tagged for access to AWS-managed prefix list resources that do not belong to your organization.
This policy statement is included in the [resource_perimeter_policy](resource_perimeter_policy.json) and limits access to trusted resources that include third party resources:
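Review bot: the new AWS-managed prefix lists bullet describes the `EnforceResourcePerimeterAWSResourcesEC2PrefixList` exception as keyed only on the `aws:PrincipalTag` `dp:exclude:resource:ec2` set to `true`, which as written means a tagged principal is exempted for `ec2:CreateTags`, `ec2:DeleteTags` and `ec2:GetManagedPrefixListEntries` against any resource outside the organization, not only AWS-managed prefix lists. If the statement also narrows the `Resource` element to the prefix-list resource type, say so here; if it does not, note the residual exposure so operators apply the tag deliberately. Minor: the bullet marker in `*[AWS-managed prefix lists]` is missing the space the other bullets use, and the two empty `+` lines above the first bullet look like one blank line too many.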
@@ -186,6 +195,8 @@ Example data access patterns:
186
195
*[AWS Fault Injection experiment template](https://docs.aws.amazon.com/fis/latest/userguide/multi-account.html): You create a multi-account experiment template by specifying other accounts with the `CreateTargetAccountConfiguration` API.
187
196
*[AWS Global Accelerator attachment](https://docs.aws.amazon.com/global-accelerator/latest/dg/cross-account-resources.create-attachment.html): You can add a resource from another account as an endpoint for an accelerator with the `CreateCrossAccountAttachment` API.
188
197
*[AWS Cloud9 shared environment](https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html): You can share AWS Cloud9 development environment with users from other accounts with the `CreateEnvironmentMembership` API.
198
+
*[Amazon Connect dataset](https://docs.aws.amazon.com/connect/latest/APIReference/API_BatchAssociateAnalyticsDataSet.html#connect-BatchAssociateAnalyticsDataSet-request-DataSetIds): You can associate a list of Amazon Connect instance analytics datasets to a target account using `BatchAssociateAnalyticsDataSet` API.
199
+
*[Amazon Redshift Serverless snapshot](https://docs.aws.amazon.com/redshift-serverless/latest/APIReference/API_PutResourcePolicy.html): You can share snapshots across AWS accounts using `PutResourcePolicy` API.
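Review bot: the two added bullets end with "using `BatchAssociateAnalyticsDataSet` API" and "using `PutResourcePolicy` API", while the surrounding entries read "with the `...` API"; add the article ("using the ... API") for consistency. Also, the Redshift Serverless entry describes sharing your own snapshot with other accounts via a resource policy, whereas the neighbouring entries describe requests that target a resource in another account; a short clause saying which side of the share this policy example covers would keep the list parallel, since the perimeter treatment differs for the two directions.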
vpc_endpoint_policies/README.md
11 additions & 1 deletion
@@ -205,7 +205,11 @@ Example data access patterns:
205
205
*[AWS owned repositories for Amazon SageMaker pre-built Docker container images](https://docs.aws.amazon.com/sagemaker/latest/dg-ecr-paths/sagemaker-algo-docker-registry-paths.html):
206
206
* In the policy example, replace `<ecr-account-id>` with the 12-digit account ID of the AWS account that hosts the private registry. These are the first 12 digits of the respective registry from the table on the [Amazon SageMaker Documentation](https://docs.aws.amazon.com/sagemaker/latest/dg-ecr-paths/sagemaker-algo-docker-registry-paths.html). Note the 12-digit account ID may be different for each AWS region, and there is a seperate page for each AWS region.
207
207
208
-
**Amazon Elastic Compute Cloud (Amazon EC2).* You can use [Amazon owned AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-runinstances-ami) to launch instances. `ec2:Owner` condition key value set to `amazon` is required for your users and applications to launch instances from all AMIs owned by Amazon, or certain trusted and verified partners. Additionally, access to Amazon owned AMIs is necessary to replace the EBS-backed root volume of the instance with a new one.
208
+
**Amazon Elastic Compute Cloud (Amazon EC2).*[Amazon owned AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) are images that provide the software that is required to set up and boot an Amazon EC2 instance.Your EC2 VPC endpoint policy must allow your principals to access the EC2 images to be able to launch instances and replace the EBS-backed root volume of the instance with a new one.
**AWS CloudFormation transforms.* You can use [AWS CloudFormation transforms](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-macros.html) to process templates through a special macro that can modify or extend the functionality of a CloudFormation template before it is deployed. If you are using [CloudFormation transforms](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-reference.html) in CloudFormation templates that are deployed through your AWS networks, the CloudFormation VPC endpoint policy must allow your principals to access the transforms.
211
215
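Review bot: the rewritten Amazon EC2 bullet drops the explanation that the `ec2:Owner` condition key set to `amazon` is what scopes image access to Amazon owned AMIs and verified partners, while the service_control_policies README in this same commit still documents that key; if the EC2 VPC endpoint policy example still relies on `ec2:Owner`, keep a sentence explaining it, otherwise a reader cannot tell how "access to the EC2 images" is limited rather than open to any public AMI. Two smaller points: add the missing space in "instance.Your", and the new `AMIs.html` link replaces the `ExamplePolicies_EC2.html#iam-example-runinstances-ami` link that showed the actual policy pattern, so consider keeping both.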
@@ -248,6 +252,12 @@ Example data access patterns:
248
252
* `arn:aws:s3:::aws-neptune-notebook-<region>`
249
253
* `arn:aws:s3:::aws-neptune-notebook-<region>/*`
250
254
255
+
**AWS-managed prefix lists.* AWS-managed EC2 prefix lists are sets of IP ranges for AWS services, maintained by AWS. They simplify referencing service IPs when configuring security groups and other VPC network controls. The API call to AWS-managed prefixes might pass through the EC2 VPC endpoint and is made by your principals.
This policy statement allows trusted identities outside of your Organizations organization to send requests to trusted resources owned by an account that does not belong to your organization. List ARNs of resources in the `Resource` element of the statement. Further restrict access by specifying allowed actions in the `Action` element of the statement. An example valid use case is a third party integration that requires you to allow your applications to upload or download objects from a third party S3 bucket by using third party generated presigned Amazon S3 URLs. In this case, the principal that generates the presigned URL will belong to the third party AWS account.
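Review bot: the new AWS-managed prefix lists entry does not say what the EC2 VPC endpoint policy must allow, unlike the other entries in this section (the Amazon EC2 and CloudFormation transforms bullets each end by stating what the endpoint policy must permit), and "The API call to AWS-managed prefixes" is vague: name the actions involved (the service_control_policies README in this commit lists `ec2:CreateTags`, `ec2:DeleteTags` and `ec2:GetManagedPrefixListEntries`), replace "prefixes" with "prefix lists", and point to the statement in the endpoint policy example that covers them so the bullet matches the layout of its neighbours.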