Scppatches (#1155)

archikierstead · web-flow · commit 141d854596aa · 2023-06-08T10:02:03.000-04:00
* Incorporated SCP changes from closed PRs

* Added SCP changes re private marketplace
diff --git a/reference-artifacts/SCPs/ASEA-Guardrails-Part0-CoreOUs.json b/reference-artifacts/SCPs/ASEA-Guardrails-Part0-CoreOUs.json
@@ -78,10 +78,13 @@
         "kms:PutKeyPolicy",
         "kms:ScheduleKeyDeletion"
       ],
-      "Resource": "arn:aws:kms:::alias/${ACCELERATOR_PREFIX_ND}*",
+      "Resource": "*",
       "Condition": {
         "ArnNotLike": {
           "aws:PrincipalARN": ["arn:aws:iam::*:role/${ACCELERATOR_PREFIX}*"]
+        },
+        "ForAnyValue:StringLike": {
+          "kms:ResourceAliases": "alias/${ACCELERATOR_PREFIX_ND}*"
         }
       }
     },
diff --git a/reference-artifacts/SCPs/ASEA-Guardrails-Part0-WkldOUs.json b/reference-artifacts/SCPs/ASEA-Guardrails-Part0-WkldOUs.json
@@ -78,13 +78,17 @@
         "kms:PutKeyPolicy",
         "kms:ScheduleKeyDeletion"
       ],
-      "Resource": "arn:aws:kms:::alias/${ACCELERATOR_PREFIX_ND}*",
+      "Resource": "*",
       "Condition": {
         "ArnNotLike": {
           "aws:PrincipalARN": ["arn:aws:iam::*:role/${ACCELERATOR_PREFIX}*"]
+        },
+        "ForAnyValue:StringLike": {
+          "kms:ResourceAliases": "alias/${ACCELERATOR_PREFIX_ND}*"
         }
       }
     },
+
     {
       "Sid": "IAM",
       "Effect": "Deny",
diff --git a/reference-artifacts/SCPs/ASEA-Guardrails-Sandbox.json b/reference-artifacts/SCPs/ASEA-Guardrails-Sandbox.json
@@ -9,7 +9,8 @@
         "aws-marketplace:AssociateProductsWithPrivate*",
         "aws-marketplace:DescribePrivate*",
         "aws-marketplace:DisassociateProducts*",
-        "aws-marketplace:ListPrivate*"
+        "aws-marketplace:ListPrivate*",
+        "aws-marketplace:StartChangeSet"
       ],
       "Resource": "*"
     },
diff --git a/reference-artifacts/SCPs/ASEA-Guardrails-Sensitive.json b/reference-artifacts/SCPs/ASEA-Guardrails-Sensitive.json
@@ -9,7 +9,8 @@
         "aws-marketplace:AssociateProductsWithPrivate*",
         "aws-marketplace:DescribePrivate*",
         "aws-marketplace:DisassociateProducts*",
-        "aws-marketplace:ListPrivate*"
+        "aws-marketplace:ListPrivate*",
+        "aws-marketplace:StartChangeSet"
       ],
       "Resource": "*"
     },
@@ -257,6 +258,7 @@
         "s3:GetMultiR*",
         "s3:ListMultiR*",
         "s3:PutMultiR*",
+        "sso:DescribeRegisteredRegions",
         "sns:Publish",
         "tag:GetResources"
       ],
diff --git a/reference-artifacts/SCPs/ASEA-Guardrails-Unclass.json b/reference-artifacts/SCPs/ASEA-Guardrails-Unclass.json
@@ -9,7 +9,8 @@
         "aws-marketplace:AssociateProductsWithPrivate*",
         "aws-marketplace:DescribePrivate*",
         "aws-marketplace:DisassociateProducts*",
-        "aws-marketplace:ListPrivate*"
+        "aws-marketplace:ListPrivate*",
+        "aws-marketplace:StartChangeSet"
       ],
       "Resource": "*"
     },

Original file line number	Diff line number	Diff line change
`@@ -78,13 +78,17 @@`
`78`	`78`	`"kms:PutKeyPolicy",`
`79`	`79`	`"kms:ScheduleKeyDeletion"`
`80`	`80`	`],`
`81`		`- "Resource": "arn:aws:kms:::alias/${ACCELERATOR_PREFIX_ND}*",`
	`81`	`+ "Resource": "*",`
`82`	`82`	`"Condition": {`
`83`	`83`	`"ArnNotLike": {`
`84`	`84`	`"aws:PrincipalARN": ["arn:aws:iam:::role/${ACCELERATOR_PREFIX}"]`
	`85`	`+ },`
	`86`	`+ "ForAnyValue:StringLike": {`
	`87`	`+ "kms:ResourceAliases": "alias/${ACCELERATOR_PREFIX_ND}*"`
`85`	`88`	`}`
`86`	`89`	`}`
`87`	`90`	`},`
	`91`	`+`
`88`	`92`	`{`
`89`	`93`	`"Sid": "IAM",`
`90`	`94`	`"Effect": "Deny",`