

fix: add default principal to region deny SCP (#199)
marwinbaumannsbp authored Feb 2, 2024
1 parent 4c039ab commit 5f25d4f
Showing 2 changed files with 5 additions and 3 deletions.
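--- a/locals.tf
+++ b/locals.tf
@@ -21,6 +21,8 @@ locals {
 VpcChange = "{($.eventName=CreateVpc) || ($.eventName=DeleteVpc) || ($.eventName=ModifyVpcAttribute) || ($.eventName=AcceptVpcPeeringConnection) || ($.eventName=CreateVpcPeeringConnection) || ($.eventName=DeleteVpcPeeringConnection) || ($.eventName=RejectVpcPeeringConnection) || ($.eventName=AttachClassicLinkVpc) || ($.eventName=DetachClassicLinkVpc) || ($.eventName=DisableVpcClassicLink) || ($.eventName=EnableVpcClassicLink)}"
 } : {}
 
+aws_service_control_policies_principal_exceptions = distinct(concat(var.aws_service_control_policies.principal_exceptions, ["arn:aws:iam::*:role/AWSControlTowerExecution"]))
+
 security_hub_standards_arns_default = [
 "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0",
 "arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/1.4.0",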
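Review bot: The new local drops the null guard that the lines it replaces in organizations_policy.tf had: `concat(var.aws_service_control_policies.principal_exceptions, [...])` fails at plan time when `principal_exceptions` is null, and the old `!= null ? ... : []` conditionals suggest null is a value callers may pass; unless the variable declaration (not in this commit) already defaults it to a list, keep the guard inside the concat, e.g. `distinct(concat(var.aws_service_control_policies.principal_exceptions != null ? var.aws_service_control_policies.principal_exceptions : [], ["arn:aws:iam::*:role/AWSControlTowerExecution"]))`. The exemption itself also deserves a why-comment, because the ARN's wildcard account ID exempts that role in every account the SCPs are attached to: `# AWSControlTowerExecution is always exempted (wildcard account ID matches the role in every member account); presumably so Control Tower can keep operating on enrolled accounts — confirm.` The enclosing `locals {` block starts before the hunk.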
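--- a/organizations_policy.tf
+++ b/organizations_policy.tf
@@ -4,7 +4,7 @@ locals {
 enable = var.aws_service_control_policies.allowed_regions != null ? true : false
 policy = var.aws_service_control_policies.allowed_regions != null ? templatefile("${path.module}/files/organizations/allowed_regions.json.tpl", {
 allowed = var.aws_service_control_policies.allowed_regions != null ? var.aws_service_control_policies.allowed_regions : []
-exceptions = var.aws_service_control_policies.principal_exceptions != null ? var.aws_service_control_policies.principal_exceptions : []
+exceptions = local.aws_service_control_policies_principal_exceptions
 }) : null
 }
 cloudtrail_log_stream = {
@@ -14,13 +14,13 @@ locals {
 deny_disabling_security_hub = {
 enable = var.aws_service_control_policies.aws_deny_disabling_security_hub
 policy = var.aws_service_control_policies.aws_deny_disabling_security_hub != false ? templatefile("${path.module}/files/organizations/deny_disabling_security_hub.json.tpl", {
-exceptions = var.aws_service_control_policies.principal_exceptions != null ? var.aws_service_control_policies.principal_exceptions : []
+exceptions = local.aws_service_control_policies_principal_exceptions
 }) : null
 }
 deny_leaving_org = {
 enable = var.aws_service_control_policies.aws_deny_leaving_org
 policy = var.aws_service_control_policies.aws_deny_leaving_org != false ? templatefile("${path.module}/files/organizations/deny_leaving_org.json.tpl", {
-exceptions = var.aws_service_control_policies.principal_exceptions != null ? var.aws_service_control_policies.principal_exceptions : []
+exceptions = local.aws_service_control_policies_principal_exceptions
 }) : null
 }
 // https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-instance-metadata-requireIMDSv2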
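Review bot: The shared local widens the AWSControlTowerExecution exemption to all three SCPs in this file — the second hunk hands it to the deny_disabling_security_hub and deny_leaving_org templates as well — while the commit title only names the region deny SCP. If the intent is for that role to bypass every SCP this module emits, a comment at the first `exceptions = local.aws_service_control_policies_principal_exceptions` line saying so would stop the next reader from treating it as an accident; if not, only the allowed_regions policy should take the local and the other two should keep `exceptions = var.aws_service_control_policies.principal_exceptions != null ? var.aws_service_control_policies.principal_exceptions : []`. Either way the change in who is exempt from the leave-organization and disable-Security-Hub denies is worth a line in the commit description. The enclosing `locals {` block starts before the first hunk and continues past the second.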
