mnanchev · November 16, 2021 07:59
diff --git a/scp.json b/scp.json
 {
 	"Version": "2012-10-17",
 	"Statement": [
 		{
 			"Sid": "RegionRestriction",
 			"Effect": "Deny",
 			"NotAction": [
 				"apigateway:*",
 				"amplify:*",
 				"amplifybackend:*",
 				"access-analyzer:*",
 				"appmesh:*",
 				"discovery:*",
 				"application-autoscaling:*",
 				"auditmanager:*",
 				"athena:*",
 				"artifact:*",
 				"backup:*",
 				"autoscaling-plans:*",
 				"backup-storage:*",
 				"aws-portal:*",
 				"budgets:*",
 				"acm:*",
 				"cloudformation:*",
 				"cloudtrail:*",
 				"logs:*",
 				"servicediscovery:*",
 				"cloudwatch:*",
 				"synthetics:*",
 				"applicationinsights:*",
 				"cloudshell:*",
 				"cognito-identity:*",
 				"cognito-sync:*",
 				"cognito-idp:*",
 				"ce:*",
 				"cur:*",
 				"config:*",
 				"securityhub:*",
 				"macie2:*",
 				"guardduty:*",
 				"ec2:*",
 				"autoscaling:*",
 				"ec2-instance-connect:*",
 				"dynamodb:*",
 				"dax:*",
 				"rds:*",
 				"elasticfilesystem:*",
 				"elasticloadbalancing:*",
 				"ebs:*",
 				"ecr:*",
 				"ecr-public:*",
 				"ecs:*",
 				"events:*",
 				"schemas:*",
 				"execute-api:*",
 				"kinesis:*",
 				"kinesisanalytics:*",
 				"kinesisvideo:*",
 				"lambda:*",
 				"s3-object-lambda:*",
 				"kms:*",
 				"firehose:*",
 				"ses:*",
 				"route53:*",
 				"route53domains:*",
 				"s3:*",
 				"ram:*",
 				"xray:*",
 				"docdb:*",
 				"sqs:*",
 				"savingsplans:*",
 				"compute-optimizer:*",
 				"ssm:*",
 				"support:*",
 				"trustedadvisor:*",
 				"waf:*",
 				"wellarchitected:*",
 				"ssmmessages:*",
 				"cloudfront:*",
 				"iam:*",
 				"sts:*"
 			],
 			"Resource": "*",
 			"Condition": {
 				"StringNotEquals": {
 					"aws:RequestedRegion": [
 						"eu-central-1",
 						"eu-west-1"
 					]
 				}
 			}
 		},
 		{
 			"Sid": "DenyDisablingSecurityHub",
 			"Effect": "Deny",
 			"Action": [
 				"securityhub:DeleteInvitations",
 				"securityhub:DisableSecurityHub",
 				"securityhub:DisassociateFromMasterAccount",
 				"securityhub:DeleteMembers",
 				"securityhub:DisassociateMembers",
 				"securityhub:BatchDisableStandards"
 			],
 			"Resource": "*"
 		},
 		{
 			"Sid": "DenyLeavingOrg",
 			"Effect": "Deny",
 			"Action": "organizations:LeaveOrganization",
 			"Resource": "*"
 		},
 		{
 			"Sid": "DenyDeletingCloudTrailLogStream",
 			"Effect": "Deny",
 			"Action": [
 				"logs:DeleteLogStream"
 			],
 			"Resource": [
 				"arn:aws:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*"
 			]
 		}
 	]
 }
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "RegionRestriction",
	"Effect": "Deny",
	"NotAction": [
	"apigateway:*",
	"amplify:*",
	"amplifybackend:*",
	"access-analyzer:*",
	"appmesh:*",
	"discovery:*",
	"application-autoscaling:*",
	"auditmanager:*",
	"athena:*",
	"artifact:*",
	"backup:*",
	"autoscaling-plans:*",
	"backup-storage:*",
	"aws-portal:*",
	"budgets:*",
	"acm:*",
	"cloudformation:*",
	"cloudtrail:*",
	"logs:*",
	"servicediscovery:*",
	"cloudwatch:*",
	"synthetics:*",
	"applicationinsights:*",
	"cloudshell:*",
	"cognito-identity:*",
	"cognito-sync:*",
	"cognito-idp:*",
	"ce:*",
	"cur:*",
	"config:*",
	"securityhub:*",
	"macie2:*",
	"guardduty:*",
	"ec2:*",
	"autoscaling:*",
	"ec2-instance-connect:*",
	"dynamodb:*",
	"dax:*",
	"rds:*",
	"elasticfilesystem:*",
	"elasticloadbalancing:*",
	"ebs:*",
	"ecr:*",
	"ecr-public:*",
	"ecs:*",
	"events:*",
	"schemas:*",
	"execute-api:*",
	"kinesis:*",
	"kinesisanalytics:*",
	"kinesisvideo:*",
	"lambda:*",
	"s3-object-lambda:*",
	"kms:*",
	"firehose:*",
	"ses:*",
	"route53:*",
	"route53domains:*",
	"s3:*",
	"ram:*",
	"xray:*",
	"docdb:*",
	"sqs:*",
	"savingsplans:*",
	"compute-optimizer:*",
	"ssm:*",
	"support:*",
	"trustedadvisor:*",
	"waf:*",
	"wellarchitected:*",
	"ssmmessages:*",
	"cloudfront:*",
	"iam:*",
	"sts:*"
	],
	"Resource": "*",
	"Condition": {
	"StringNotEquals": {
	"aws:RequestedRegion": [
	"eu-central-1",
	"eu-west-1"
	]
	}
	}
	},
	{
	"Sid": "DenyDisablingSecurityHub",
	"Effect": "Deny",
	"Action": [
	"securityhub:DeleteInvitations",
	"securityhub:DisableSecurityHub",
	"securityhub:DisassociateFromMasterAccount",
	"securityhub:DeleteMembers",
	"securityhub:DisassociateMembers",
	"securityhub:BatchDisableStandards"
	],
	"Resource": "*"
	},
	{
	"Sid": "DenyLeavingOrg",
	"Effect": "Deny",
	"Action": "organizations:LeaveOrganization",
	"Resource": "*"
	},
	{
	"Sid": "DenyDeletingCloudTrailLogStream",
	"Effect": "Deny",
	"Action": [
	"logs:DeleteLogStream"
	],
	"Resource": [
	"arn:aws:logs:::log-group:aws-controltower/CloudTrailLogs:*"
	]
	}
	]
	}