diff --git a/reference-artifacts/SCPs/ASEA-Guardrails-Sandbox.json b/reference-artifacts/SCPs/ASEA-Guardrails-Sandbox.json
index e1fb1385d..e98c5da11 100644
--- a/reference-artifacts/SCPs/ASEA-Guardrails-Sandbox.json
+++ b/reference-artifacts/SCPs/ASEA-Guardrails-Sandbox.json
@@ -10,7 +10,7 @@
 "aws-marketplace:DescribePrivate*",
 "aws-marketplace:DisassociateProducts*",
 "aws-marketplace:ListPrivate*",
- "aws-marketplace:StartChangeSet"
+ "aws-marketplace:Start*"
 ],
 "Resource": "*"
 },
@@ -24,11 +24,11 @@
 "iam:ListMFADevices",
 "iam:ListVirtualMFADevices",
 "iam:ResyncMFADevice",
- "aws-portal:*",
 "sts:GetSessionToken",
 "iam:DeleteVirtualMFADevice",
 "trustedadvisor:*",
- "support:*"
+ "support:*",
+ "account:*"
 ],
 "Resource": "*",
 "Condition": {
@@ -103,9 +103,7 @@
 "Effect": "Deny",
 "Action": [
 "organizations:LeaveOrg*",
- "aws-portal:Modify*",
- "aws-portal:ViewAccount",
- "aws-portal:ViewPaymentMethods",
+ "organizations:CloseAccount",
 "ds:AcceptSharedDir*",
 "ds:ShareDir*",
 "ds:EnableSso",
@@ -117,7 +115,15 @@
 "lightsail:*",
 "gamelift:*",
 "appflow:*",
- "iq:*"
+ "iq:*",
+ "account:P*",
+ "account:GetAl*",
+ "account:GetC*",
+ "account:GetR*",
+ "account:C*",
+ "account:D*",
+ "account:E*",
+ "account:L*"
 ],
 "Resource": "*",
 "Condition": {
@@ -134,7 +140,6 @@
 "access-analyzer:*",
 "aws-marketplace-management:*",
 "aws-marketplace:*",
- "aws-portal:*",
 "budgets:*",
 "ce:*",
 "chime:*",
@@ -173,7 +178,15 @@
 "s3:DescribeMultiR*",
 "s3:GetMultiR*",
 "s3:ListMultiR*",
- "s3:PutMultiR*"
+ "s3:PutMultiR*",
+ "billing:*",
+ "freetier:*",
+ "account:*",
+ "invoicing:*",
+ "payments:GetPaymentStatus",
+ "payments:ListPaymentPreferences",
+ "tax:ListTaxRegistrations",
+ "sustainability:*"
 ],
 "Resource": "*",
 "Condition": {
diff --git a/reference-artifacts/SCPs/ASEA-Guardrails-Sensitive.json b/reference-artifacts/SCPs/ASEA-Guardrails-Sensitive.json
index 6bcb976cf..2dbfcba6a 100644
--- a/reference-artifacts/SCPs/ASEA-Guardrails-Sensitive.json
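Review bot: In `@@ -103,9 +103,7 @@` and `@@ -117,7 +115,15 @@` the removed `aws-portal:Modify*`, `aws-portal:ViewAccount` and `aws-portal:ViewPaymentMethods` entries are replaced only by `organizations:CloseAccount` and eight `account:` prefixes, so the billing and payments write actions that `aws-portal:Modify*` maps to in the fine-grained billing model (for example `billing:UpdateBillingPreferences`, `payments:UpdatePaymentPreferences`, `payments:MakePayment`) are no longer denied by this statement unless a statement outside the hunk does so, and `account:GetAccountInformation`, which the old ViewAccount covered, is not matched by `account:GetAl*`/`GetC*`/`GetR*`. The later hunk `@@ -173,7 +178,15 @@` adds `billing:*`, `invoicing:*` and `account:*` to a list that looks like the global-service exemption of a region restriction (its `Action`/`NotAction` key is outside the hunk), which would leave those write actions exempt while nothing denies them. If the old coverage is still intended, add the write-side patterns beside `"organizations:CloseAccount",`, e.g. `"billing:Update*",`, `"payments:Update*",`, `"payments:MakePayment",` (plus matching `payments:Create*`/`payments:Delete*` and, if present, `invoicing:Put*` entries); if the narrowing is deliberate, a line in the commit description saying so would help, because the prefix list otherwise reads as a size-saving abbreviation. The same two hunks appear unchanged in ASEA-Guardrails-Sensitive.json (`@@ -103`, `@@ -117`) and ASEA-Guardrails-Unclass.json (`@@ -103`, `@@ -114`) and need the same treatment; every enclosing statement starts and ends outside its hunk.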
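Review bot: The eight entries appended after `"s3:PutMultiR*",` in `@@ -173,7 +178,15 @@` break the alphabetical order the visible part of this list appears to keep (`access-analyzer`, `aws-marketplace-management`, `aws-marketplace`, `budgets`, `ce`, `chime`, …, `s3`), which makes later duplicate-service or missing-service checks against the list harder. Slot `account:*`, `billing:*`, `freetier:*`, `invoicing:*`, the two `payments:` entries, `sustainability:*` and `tax:ListTaxRegistrations` into their alphabetical positions rather than at the tail. The same tail-append is made in ASEA-Guardrails-Unclass.json `@@ -237,7 +242,15 @@`; the enclosing statement starts outside the hunk.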
+++ b/reference-artifacts/SCPs/ASEA-Guardrails-Sensitive.json
@@ -5,12 +5,12 @@
 "Sid": "PMP",
 "Effect": "Deny",
 "Action": [
- "aws-marketplace:CreatePrivate*",
- "aws-marketplace:AssociateProductsWithPrivate*",
- "aws-marketplace:DescribePrivate*",
- "aws-marketplace:DisassociateProducts*",
- "aws-marketplace:ListPrivate*",
- "aws-marketplace:StartChangeSet"
+ "aws-marketplace:As*",
+ "aws-marketplace:CreateP*",
+ "aws-marketplace:DescribePri*",
+ "aws-marketplace:Di*",
+ "aws-marketplace:ListP*",
+ "aws-marketplace:Start*"
 ],
 "Resource": "*"
 },
@@ -24,11 +24,11 @@
 "iam:ListMFADevices",
 "iam:ListVirtualMFADevices",
 "iam:ResyncMFADevice",
- "aws-portal:*",
 "sts:GetSessionToken",
 "iam:DeleteVirtualMFADevice",
 "trustedadvisor:*",
- "support:*"
+ "support:*",
+ "account:*"
 ],
 "Resource": "*",
 "Condition": {
@@ -103,9 +103,7 @@
 "Effect": "Deny",
 "Action": [
 "organizations:LeaveOrg*",
- "aws-portal:Modify*",
- "aws-portal:ViewAccount",
- "aws-portal:ViewPaymentMethods",
+ "organizations:CloseAccount",
 "ds:AcceptSharedDir*",
 "ds:ShareDir*",
 "ds:EnableSso",
@@ -117,7 +115,15 @@
 "lightsail:*",
 "gamelift:*",
 "appflow:*",
- "iq:*"
+ "iq:*",
+ "account:P*",
+ "account:GetAl*",
+ "account:GetC*",
+ "account:GetR*",
+ "account:C*",
+ "account:D*",
+ "account:E*",
+ "account:L*"
 ],
 "Resource": "*",
 "Condition": {
@@ -217,7 +223,6 @@
 "access-analyzer:*",
 "aws-marketplace-management:*",
 "aws-marketplace:*",
- "aws-portal:*",
 "budgets:*",
 "ce:*",
 "chime:*",
@@ -258,9 +263,17 @@
 "s3:GetMultiR*",
 "s3:ListMultiR*",
 "s3:PutMultiR*",
- "sso:DescribeRegisteredRegions",
 "sns:Publish",
- "tag:GetResources"
+ "tag:GetResources",
+ "sso:DescribeRegisteredRegions",
+ "billing:*",
+ "freetier:*",
+ "account:*",
+ "invoicing:*",
+ "payments:GetPaymentStatus",
+ "payments:ListPaymentPreferences",
+ "tax:ListTaxRegistrations",
+ "sustainability:*"
 ],
 "Resource": "*",
 "Condition": {
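Review bot: The PMP Deny in `@@ -5,12 +5,12 @@` now uses much shorter prefixes (`aws-marketplace:As*`, `CreateP*`, `DescribePri*`, `Di*`, `ListP*`) than the same statement in ASEA-Guardrails-Sandbox.json and ASEA-Guardrails-Unclass.json, which keep `AssociateProductsWithPrivate*`, `CreatePrivate*`, `DisassociateProducts*` and `ListPrivate*` in this commit. A two-letter prefix such as `Di*` or `As*` matches every current and future aws-marketplace action with that prefix, not only the private-marketplace ones; in a Deny that can only over-restrict, but the three guardrail files should either all use the abbreviated form or none, and the reason for abbreviating (presumably the SCP size limit) deserves a sentence in the commit description. The `Sid: "PMP"` line is inside the hunk but the rest of the policy document is not.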
diff --git a/reference-artifacts/SCPs/ASEA-Guardrails-Unclass.json b/reference-artifacts/SCPs/ASEA-Guardrails-Unclass.json
index 0de09fc88..42239faac 100644
--- a/reference-artifacts/SCPs/ASEA-Guardrails-Unclass.json
+++ b/reference-artifacts/SCPs/ASEA-Guardrails-Unclass.json
@@ -10,7 +10,7 @@
 "aws-marketplace:DescribePrivate*",
 "aws-marketplace:DisassociateProducts*",
 "aws-marketplace:ListPrivate*",
- "aws-marketplace:StartChangeSet"
+ "aws-marketplace:Start*"
 ],
 "Resource": "*"
 },
@@ -24,11 +24,11 @@
 "iam:ListMFADevices",
 "iam:ListVirtualMFADevices",
 "iam:ResyncMFADevice",
- "aws-portal:*",
 "sts:GetSessionToken",
 "iam:DeleteVirtualMFADevice",
 "trustedadvisor:*",
- "support:*"
+ "support:*",
+ "account:*"
 ],
 "Resource": "*",
 "Condition": {
@@ -103,9 +103,7 @@
 "Effect": "Deny",
 "Action": [
 "organizations:LeaveOrg*",
- "aws-portal:Modify*",
- "aws-portal:ViewAccount",
- "aws-portal:ViewPaymentMethods",
+ "organizations:CloseAccount",
 "ds:AcceptSharedDir*",
 "ds:ShareDir*",
 "ds:EnableSso",
@@ -114,10 +112,18 @@
 "ram:AssociateResourceShare",
 "ram:CreateResourceShare",
 "ram:EnableSharingWithAwsOrg*",
- "lightsail:*",
+ "lightsail:*",
 "gamelift:*",
 "appflow:*",
- "iq:*"
+ "iq:*",
+ "account:P*",
+ "account:GetAl*",
+ "account:GetC*",
+ "account:GetR*",
+ "account:C*",
+ "account:D*",
+ "account:E*",
+ "account:L*"
 ],
 "Resource": "*",
 "Condition": {
@@ -198,7 +204,6 @@
 "access-analyzer:*",
 "aws-marketplace-management:*",
 "aws-marketplace:*",
- "aws-portal:*",
 "budgets:*",
 "ce:*",
 "chime:*",
@@ -237,7 +242,15 @@
 "s3:DescribeMultiR*",
 "s3:GetMultiR*",
 "s3:ListMultiR*",
- "s3:PutMultiR*"
+ "s3:PutMultiR*",
+ "billing:*",
+ "freetier:*",
+ "account:*",
+ "invoicing:*",
+ "payments:GetPaymentStatus",
+ "payments:ListPaymentPreferences",
+ "tax:ListTaxRegistrations",
+ "sustainability:*"
 ],
 "Resource": "*",
 "Condition": {
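Review bot: In `@@ -114,10 +112,18 @@` the `- "lightsail:*",` / `+ "lightsail:*",` pair shows no visible text change, so it is most likely a whitespace-only edit; folding it into a permission change makes the policy diff harder to audit, and it would be cleaner to drop it or move it to a formatting-only commit. The rest of this hunk adds the same `account:P*` … `account:L*` prefix set as the Sandbox and Sensitive files, so whatever coverage decision is taken for those prefixes should be applied here identically. The enclosing Deny statement starts and ends outside the hunk.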