AWS prescriptive-guidance documentation change
Summary
Added SCP example restricting VPC modification actions
Security assessment
New service control policy example helps prevent unauthorized network configuration changes
Diff
diff --git a/prescriptive-guidance/latest/privacy-reference-architecture/restrict-changes-vpc-configurations.md b/prescriptive-guidance/latest/privacy-reference-architecture/restrict-changes-vpc-configurations.md index 0271f43b2..00bc4ff0c 100644 --- a//prescriptive-guidance/latest/privacy-reference-architecture/restrict-changes-vpc-configurations.md +++ b//prescriptive-guidance/latest/privacy-reference-architecture/restrict-changes-vpc-configurations.md @@ -12,0 +13,36 @@ After you have designed and deployed the AWS infrastructure that supports your c + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "ec2:AttachInternetGateway", + "ec2:CreateInternetGateway", + "ec2:AttachEgressOnlyInternetGateway", + "ec2:CreateVpcPeeringConnection", + "ec2:AcceptVpcPeeringConnection", + "ec2:CreateVpc", + "ec2:CreateSubnet", + "ec2:CreateRouteTable", + "ec2:CreateRoute", + "ec2:AssociateRouteTable", + "ec2:ModifyVpcAttribute", + "ec2:*TransitGateway", + "ec2:*TransitGateway*", + "globalaccelerator:Create*", + "globalaccelerator:Update*" + + ], + "Resource": "*", + "Effect": "Deny", + "Condition": { + "ArnNotLike": { + "aws:PrincipalARN": [ + "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP", + "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP" + ] + } + } + } + ] + } +