scp updates (#1167)

Author: rjjaegeraws

reference-artifacts/SCPs/ASEA-Guardrails-Sandbox.json

@@ -10,7 +10,7 @@
         "aws-marketplace:DescribePrivate*",
         "aws-marketplace:DisassociateProducts*",
         "aws-marketplace:ListPrivate*",
-        "aws-marketplace:StartChangeSet"
+        "aws-marketplace:Start*"
       ],
       "Resource": "*"
     },
@@ -24,11 +24,11 @@
         "iam:ListMFADevices",
         "iam:ListVirtualMFADevices",
         "iam:ResyncMFADevice",
-        "aws-portal:*",
         "sts:GetSessionToken",
         "iam:DeleteVirtualMFADevice",
         "trustedadvisor:*",
-        "support:*"
+        "support:*",
+        "account:*"
       ],
       "Resource": "*",
       "Condition": {
@@ -103,9 +103,7 @@
       "Effect": "Deny",
       "Action": [
         "organizations:LeaveOrg*",
-        "aws-portal:Modify*",
-        "aws-portal:ViewAccount",
-        "aws-portal:ViewPaymentMethods",
+        "organizations:CloseAccount",
         "ds:AcceptSharedDir*",
         "ds:ShareDir*",
         "ds:EnableSso",
@@ -117,7 +115,15 @@
         "lightsail:*",
         "gamelift:*",
         "appflow:*",
-        "iq:*"
+        "iq:*",
+        "account:P*",
+        "account:GetAl*",
+        "account:GetC*",
+        "account:GetR*",
+        "account:C*",
+        "account:D*",
+        "account:E*",
+        "account:L*"
       ],
       "Resource": "*",
       "Condition": {
@@ -134,7 +140,6 @@
         "access-analyzer:*",
         "aws-marketplace-management:*",
         "aws-marketplace:*",
-        "aws-portal:*",
         "budgets:*",
         "ce:*",
         "chime:*",
@@ -173,7 +178,15 @@
         "s3:DescribeMultiR*",
         "s3:GetMultiR*",
         "s3:ListMultiR*",
-        "s3:PutMultiR*"
+        "s3:PutMultiR*",
+        "billing:*",
+        "freetier:*",
+        "account:*",
+        "invoicing:*",
+        "payments:GetPaymentStatus",
+        "payments:ListPaymentPreferences",
+        "tax:ListTaxRegistrations",
+        "sustainability:*"
       ],
       "Resource": "*",
       "Condition": {

reference-artifacts/SCPs/ASEA-Guardrails-Sensitive.json

@@ -5,12 +5,12 @@
       "Sid": "PMP",
       "Effect": "Deny",
       "Action": [
-        "aws-marketplace:CreatePrivate*",
-        "aws-marketplace:AssociateProductsWithPrivate*",
-        "aws-marketplace:DescribePrivate*",
-        "aws-marketplace:DisassociateProducts*",
-        "aws-marketplace:ListPrivate*",
-        "aws-marketplace:StartChangeSet"
+        "aws-marketplace:As*",
+        "aws-marketplace:CreateP*",
+        "aws-marketplace:DescribePri*",
+        "aws-marketplace:Di*",
+        "aws-marketplace:ListP*",
+        "aws-marketplace:Start*"
       ],
       "Resource": "*"
     },
@@ -24,11 +24,11 @@
         "iam:ListMFADevices",
         "iam:ListVirtualMFADevices",
         "iam:ResyncMFADevice",
-        "aws-portal:*",
         "sts:GetSessionToken",
         "iam:DeleteVirtualMFADevice",
         "trustedadvisor:*",
-        "support:*"
+        "support:*",
+        "account:*"
       ],
       "Resource": "*",
       "Condition": {
@@ -103,9 +103,7 @@
       "Effect": "Deny",
       "Action": [
         "organizations:LeaveOrg*",
-        "aws-portal:Modify*",
-        "aws-portal:ViewAccount",
-        "aws-portal:ViewPaymentMethods",
+        "organizations:CloseAccount",
         "ds:AcceptSharedDir*",
         "ds:ShareDir*",
         "ds:EnableSso",
@@ -117,7 +115,15 @@
         "lightsail:*",
         "gamelift:*",
         "appflow:*",
-        "iq:*"
+        "iq:*",
+        "account:P*",
+        "account:GetAl*",
+        "account:GetC*",
+        "account:GetR*",
+        "account:C*",
+        "account:D*",
+        "account:E*",
+        "account:L*"
       ],
       "Resource": "*",
       "Condition": {
@@ -217,7 +223,6 @@
         "access-analyzer:*",
         "aws-marketplace-management:*",
         "aws-marketplace:*",
-        "aws-portal:*",
         "budgets:*",
         "ce:*",
         "chime:*",
@@ -258,9 +263,17 @@
         "s3:GetMultiR*",
         "s3:ListMultiR*",
         "s3:PutMultiR*",
-        "sso:DescribeRegisteredRegions",
         "sns:Publish",
-        "tag:GetResources"
+        "tag:GetResources",
+        "sso:DescribeRegisteredRegions",
+        "billing:*",
+        "freetier:*",
+        "account:*",
+        "invoicing:*",
+        "payments:GetPaymentStatus",
+        "payments:ListPaymentPreferences",
+        "tax:ListTaxRegistrations",
+        "sustainability:*"
       ],
       "Resource": "*",
       "Condition": {

reference-artifacts/SCPs/ASEA-Guardrails-Unclass.json

@@ -10,7 +10,7 @@
         "aws-marketplace:DescribePrivate*",
         "aws-marketplace:DisassociateProducts*",
         "aws-marketplace:ListPrivate*",
-        "aws-marketplace:StartChangeSet"
+        "aws-marketplace:Start*"
       ],
       "Resource": "*"
     },
@@ -24,11 +24,11 @@
         "iam:ListMFADevices",
         "iam:ListVirtualMFADevices",
         "iam:ResyncMFADevice",
-        "aws-portal:*",
         "sts:GetSessionToken",
         "iam:DeleteVirtualMFADevice",
         "trustedadvisor:*",
-        "support:*"
+        "support:*",
+        "account:*"
       ],
       "Resource": "*",
       "Condition": {
@@ -103,9 +103,7 @@
       "Effect": "Deny",
       "Action": [
         "organizations:LeaveOrg*",
-        "aws-portal:Modify*",
-        "aws-portal:ViewAccount",
-        "aws-portal:ViewPaymentMethods",
+        "organizations:CloseAccount",
         "ds:AcceptSharedDir*",
         "ds:ShareDir*",
         "ds:EnableSso",
@@ -114,10 +112,18 @@
         "ram:AssociateResourceShare",
         "ram:CreateResourceShare",
         "ram:EnableSharingWithAwsOrg*",
-        "lightsail:*",        
+        "lightsail:*",
         "gamelift:*",
         "appflow:*",
-        "iq:*"
+        "iq:*",
+        "account:P*",
+        "account:GetAl*",
+        "account:GetC*",
+        "account:GetR*",
+        "account:C*",
+        "account:D*",
+        "account:E*",
+        "account:L*"
       ],
       "Resource": "*",
       "Condition": {
@@ -198,7 +204,6 @@
         "access-analyzer:*",
         "aws-marketplace-management:*",
         "aws-marketplace:*",
-        "aws-portal:*",
         "budgets:*",
         "ce:*",
         "chime:*",
@@ -237,7 +242,15 @@
         "s3:DescribeMultiR*",
         "s3:GetMultiR*",
         "s3:ListMultiR*",
-        "s3:PutMultiR*"
+        "s3:PutMultiR*",
+        "billing:*",
+        "freetier:*",
+        "account:*",
+        "invoicing:*",
+        "payments:GetPaymentStatus",
+        "payments:ListPaymentPreferences",
+        "tax:ListTaxRegistrations",
+        "sustainability:*"
       ],
       "Resource": "*",
       "Condition": {