From 5c3df88ab520cda158fc6d7c6b3104888a619d97 Mon Sep 17 00:00:00 2001
From: Andy Price
Date: Tue, 7 Nov 2023 11:22:59 +0000
Subject: [PATCH] SP-1078 - Allow S3 Multi Region Endpoint Control Plane Requests to us-west-2 #minor

---
 .../organizations-policy-service-control.tf | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/management-account/terraform/organizations-policy-service-control.tf b/management-account/terraform/organizations-policy-service-control.tf
index 2108a4b6..6873954e 100644
--- a/management-account/terraform/organizations-policy-service-control.tf
+++ b/management-account/terraform/organizations-policy-service-control.tf
@@ -167,7 +167,7 @@ data "aws_iam_policy_document" "deny_non_eu_non_us_east_1_operations" {
     }
   }
 
-  # Deny anything apart from Network Manager in us-west-2
+  # Deny anything apart from Network Manager and S3 Global Endpoint Management Operations in us-west-2
   statement {
     effect = "Deny"
     not_actions = [
@@ -175,6 +175,16 @@ data "aws_iam_policy_document" "deny_non_eu_non_us_east_1_operations" {
       "cloudwatch:List*", # To view the Network Manager log group
       "cloudwatch:Get*", # To view the Network Manager log group
       "cloudwatch:Describe*", # To view the Network Manager log group
+      "s3:CreateMultiRegionAccessPoint",
+      "s3:DeleteMultiRegionAccessPoint",
+      "s3:DescribeMultiRegionAccessPointOperation",
+      "s3:GetMultiRegionAccessPoint",
+      "s3:GetMultiRegionAccessPointPolicy",
+      "s3:GetMultiRegionAccessPointPolicyStatus",
+      "s3:GetMultiRegionAccessPointRoutes",
+      "s3:ListMultiRegionAccessPoints",
+      "s3:PutMultiRegionAccessPointPolicy",
+      "s3:SubmitMultiRegionAccessPointRoutes"
     ]
     resources = ["*"]
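Review bot: The rewritten comment in the first hunk says "S3 Global Endpoint Management Operations", but the actions exempted in the second hunk are specifically the Multi-Region Access Point control-plane actions, so the comment should name them and record the reason for the region carve-out that the commit title gives: `# Deny anything apart from Network Manager and S3 Multi-Region Access Point control-plane operations in us-west-2 (MRAP control-plane requests are sent to us-west-2)`. Because this is a Deny statement built with not_actions over resources = ["*"], each action listed here is no longer denied by this SCP anywhere in us-west-2, so the added s3 entries deserve the same per-line justification the cloudwatch entries carry, e.g. `"s3:CreateMultiRegionAccessPoint", # MRAP control plane lives in us-west-2`. The statement continues past both hunks, so any condition block that further narrows it is not visible in this diff.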