update Sensitive SCP to include ClientVPN (#725)

rjjaegeraws · Brian969 · web-flow · commit 6c37079c4eda · 2021-05-01T10:43:54.000-04:00
* update Sensitive SCP to include ClientVPN
* block additional clientvpn action

Co-authored-by: Brian969 &lt;56414362+Brian969@users.noreply.github.com&gt;
diff --git a/reference-artifacts/SCPs/ASEA-Guardrails-Sensitive.json b/reference-artifacts/SCPs/ASEA-Guardrails-Sensitive.json
@@ -6,8 +6,11 @@
       "Effect": "Deny",
       "Action": [
         "ec2:AcceptVpcPeeringConnection",
+        "ec2:AssociateClientVpnTargetNetwork",
+        "ec2:AuthorizeClientVpnIngress",
         "ec2:AttachEgressOnlyInternetGateway",
         "ec2:AttachInternetGateway",
+        "ec2:CreateClientVpnEndpoint",
         "ec2:CreateEgressOnlyInternetGateway",
         "ec2:CreateInternetGateway",
         "ec2:CreateNatGateway",
@@ -18,6 +21,7 @@
         "ec2:CreateVpc",
         "ec2:CreateVpcEndpoint",
         "ec2:CreateVpcPeeringConnection",
+        "ec2:DeleteClientVpnEndpoint",
         "ec2:DeleteNatGateway",
         "ec2:DeleteTransitGatewayRoute",
         "ec2:DeleteTransitGatewayRouteTable",
@@ -38,8 +42,10 @@
         "ec2:DisassociateRouteTable",
         "ec2:AllocateAddress",
         "ec2:AssociateAddress",
+        "ec2:ModifyClientVpnEndpoint",
         "ec2:ModifyImageAttribute",
         "ec2:ModifySnapshotAttribute",
+        "ec2:RevokeClientVpnIngress",
         "rds:ModifyDBSnapshotAttribute",
         "rds:ModifyDBClusterSnapshotAttribute",
         "globalaccelerator:Create*",
