feat(core): Update SCPs for Standalone Version (#353)

* Update SCPs for Standalone Version

* typo

Author: Brian969

reference-artifacts/SCPs/PBMMAccel-Guardrails-Part1.json

@@ -60,6 +60,7 @@
         "s3:PutEncryptionConfiguration",
         "s3:PutLifecycleConfiguration",
         "s3:PutReplicationConfiguration",
+        "s3:PutBucketLogging",
         "s3:PutBucketPolicy",
         "s3:ReplicateDelete",
         "s3:PutObjectRetention",
@@ -76,7 +77,7 @@
       }
     },
     {
-      "Sid": "ProtectCloudFormation",
+      "Sid": "DenyCFN",
       "Effect": "Deny",
       "Action": ["cloudformation:*"],
       "Resource": [
@@ -94,7 +95,7 @@
       }
     },
     {
-      "Sid": "DenyAlarmDeletion",
+      "Sid": "DenyAlarms",
       "Effect": "Deny",
       "Action": [
         "cloudwatch:DeleteAlarms",
@@ -120,7 +121,7 @@
       }
     },
     {
-      "Sid": "ProtectKeyRoles",
+      "Sid": "DenyKeyRoles",
       "Effect": "Deny",
       "Action": ["iam:*"],
       "Resource": [
@@ -194,7 +195,7 @@
       "Resource": "*"
     },
     {
-      "Sid": "DenyLambdaDel",
+      "Sid": "DenyLambda",
       "Effect": "Deny",
       "Action": [
         "lambda:AddPermission",
@@ -223,7 +224,7 @@
       }
     },
     {
-      "Sid": "BlockOther",
+      "Sid": "DenyOther",
       "Effect": "Deny",
       "Action": [
         "aws-portal:ModifyAccount",

reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json

@@ -24,13 +24,13 @@
       "Sid": "DenyRoot",
       "Effect": "Deny",
       "NotAction": [
-         "iam:CreateVirtualMFADevice",
-         "iam:EnableMFADevice",
-         "iam:GetUser",
-         "iam:ListMFADevices",
-         "iam:ListVirtualMFADevices",
-         "iam:ResyncMFADevice",
-         "sts:GetSessionToken"
+        "iam:CreateVirtualMFADevice",
+        "iam:EnableMFADevice",
+        "iam:GetUser",
+        "iam:ListMFADevices",
+        "iam:ListVirtualMFADevices",
+        "iam:ResyncMFADevice",
+        "sts:GetSessionToken"
       ],
       "Resource": "*",
       "Condition": {
@@ -119,6 +119,8 @@
         "guardduty:UpdateDetector",
         "guardduty:UpdateFindingsFeedback",
         "guardduty:UpdatePublishingDestination",
+        "guardduty:UpdateOrganizationConfiguration",
+        "guardduty:DisableOrganizationAdminAccount",
         "guardduty:CreateMembers",
         "guardduty:InviteMembers",
         "securityhub:AcceptInvitation",
@@ -133,6 +135,23 @@
         "securityhub:DisassociateMembers",
         "securityhub:DeleteActionTarget",
         "securityhub:BatchDisableStandards",
+        "securityhub:UpdateSecurityHubConfiguration",
+        "securityhub:UpdateStandardsControl",
+        "macie2:AcceptInvitation",
+        "macie2:CreateInvitations",
+        "macie2:CreateMember",
+        "macie2:DeclineInvitations",
+        "macie2:DeleteInvitations",
+        "macie2:DeleteMember",
+        "macie2:DisableMacie",
+        "macie2:DisableOrganizationAdminAccount",
+        "macie2:DisassociateFromMasterAccount",
+        "macie2:DisassociateMember",
+        "macie2:EnableMacie",
+        "macie2:EnableOrganizationAdminAccount",
+        "macie2:UpdateMacieSession",
+        "macie2:UpdateMemberSession",
+        "macie2:UpdateOrganizationConfiguration",
         "fms:DisassociateAdminAccount",
         "access-analyzer:DeleteAnalyzer",
         "account:EnableRegion",

reference-artifacts/SCPs/Quarantine-Deny-All.json

@@ -1,20 +1,20 @@
 {
   "Version": "2012-10-17",
   "Statement": [
-      {
-          "Sid": "DenyAllAWSServicesExceptBreakglassRoles",
-          "Effect": "Deny",
-          "Action": "*",
-          "Resource": "*",
-          "Condition": {
-              "ArnNotLike": {
-                  "aws:PrincipalARN": [
-                      "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
-                      "arn:aws:iam::*:role/aws*",
-                      "arn:aws:iam::*:role/PBMMAccel-*"
-                  ]
-              }
-          }
+    {
+      "Sid": "DenyAllAWSServicesExceptBreakglassRoles",
+      "Effect": "Deny",
+      "Action": "*",
+      "Resource": "*",
+      "Condition": {
+        "ArnNotLike": {
+          "aws:PrincipalARN": [
+            "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+            "arn:aws:iam::*:role/aws*",
+            "arn:aws:iam::*:role/PBMMAccel-*"
+          ]
+        }
       }
+    }
   ]
-}
+}

reference-artifacts/SCPs/Quarantine-New-Object.json

@@ -15,7 +15,8 @@
         "sns:Unsubscribe"
       ],
       "Resource":[
-        "arn:aws:sns:*:*:AWS-Landing-Zone*"
+        "arn:aws:sns:*:*:AWS-Landing-Zone*",
+        "arn:aws:sns:*:*:PBMMAccel-*"
       ],
       "Effect":"Deny",
       "Sid":"GRSNSSUBSCRIPTIONPOLICY"
@@ -36,7 +37,8 @@
         "cloudtrail:UpdateTrail"
       ],
       "Resource":[
-        "arn:aws:cloudtrail:*:*:trail/*AWS-Landing-Zone-*"
+        "arn:aws:cloudtrail:*:*:trail/*AWS-Landing-Zone-*",
+        "arn:aws:cloudtrail:*:*:trail/PBMMAccel-*"
       ],
       "Effect":"Deny",
       "Sid":"GRCLOUDTRAILENABLED"
@@ -58,7 +60,8 @@
         "sns:SetTopicAttributes"
       ],
       "Resource":[
-        "arn:aws:sns:*:*:AWS-Landing-Zone-*"
+        "arn:aws:sns:*:*:AWS-Landing-Zone-*",
+        "arn:aws:sns:*:*:PBMMAccel-*"
       ],
       "Effect":"Deny",
       "Sid":"GRSNSTOPICPOLICY"
@@ -162,7 +165,8 @@
         "events:DeleteRule"
       ],
       "Resource":[
-        "arn:aws:events:*:*:rule/AWS-Landing-Zone-*"
+        "arn:aws:events:*:*:rule/AWS-Landing-Zone-*",
+        "arn:aws:events:*:*:rule/PBMMAccel-*"
       ],
       "Effect":"Deny",
       "Sid":"GRCLOUDWATCHEVENTPOLICY"

reference-artifacts/SCPs/aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json

@@ -1173,9 +1173,6 @@
       },
       "log-retention": 180,
       "limits": {
-        "AWS Organizations/Maximum accounts": {
-          "value": 20
-        }
       },
       "iam": {
         "users": [

reference-artifacts/config-pbmm-standalone-full.json

@@ -1116,9 +1116,6 @@
       },
       "log-retention": 180,
       "limits": {
-        "AWS Organizations/Maximum accounts": {
-          "value": 20
-        }
       },
       "iam": {
         "users": [

reference-artifacts/config-pbmm-standalone-lite.json

@@ -1185,9 +1185,6 @@
       },
       "log-retention": 180,
       "limits": {
-        "AWS Organizations/Maximum accounts": {
-          "value": 20
-        }
       },
       "iam": {
         "users": [