From a2a4f715449ab13e3548907fd9c27e4d09be9703 Mon Sep 17 00:00:00 2001
From: Swara Gandhi
Date: Sun, 1 Mar 2026 16:55:45 -0500
Subject: [PATCH] Add new services as supported by RCPs and VPCEOrgID.
---
 .../identity_perimeter_rcp.json | 28 +++++++++++------
 .../network_perimeter_sourcevpc_rcp.json | 30 +++++++++++--------
 .../network_perimeter_vpceorgid_rcp.json | 5 +++-
 .../network_perimeter_vpceorgid_scp.json | 19 +++++++++++-
 4 files changed, 59 insertions(+), 23 deletions(-)
diff --git a/resource_control_policies/identity_perimeter_rcp.json b/resource_control_policies/identity_perimeter_rcp.json
index be8c419..019c4c3 100644
--- a/resource_control_policies/identity_perimeter_rcp.json
+++ b/resource_control_policies/identity_perimeter_rcp.json
@@ -7,9 +7,6 @@
 "Principal": "*",
 "Action": [
 "s3:*",
- "sqs:*",
- "kms:*",
- "secretsmanager:*",
 "sts:AssumeRole",
 "sts:DecodeAuthorizationMessage",
 "sts:GetAccessKeyInfo",
@@ -17,8 +14,16 @@
 "sts:GetServiceBearerToken",
 "sts:GetSessionToken",
 "sts:SetContext",
- "aoss:*",
- "ecr:*"
+ "kms:*",
+ "sqs:*",
+ "secretsmanager:*",
+ "cognito-identity:*",
+ "cognito-idp:*",
+ "cognito-sync:*",
+ "logs:*",
+ "dynamodb:*",
+ "ecr:*",
+ "aoss:*"
 ],
 "Resource": "*",
 "Condition": {
@@ -72,12 +77,17 @@
 "Principal": "*",
 "Action": [
 "s3:*",
- "sqs:*",
+ "sts:*",
 "kms:*",
+ "sqs:*",
 "secretsmanager:*",
- "sts:*",
- "aoss:*",
- "ecr:*"
+ "cognito-identity:*",
+ "cognito-idp:*",
+ "cognito-sync:*",
+ "logs:*",
+ "dynamodb:*",
+ "ecr:*",
+ "aoss:*"
 ],
 "Resource": "*",
 "Condition": {
diff --git a/resource_control_policies/network_perimeter_sourcevpc_rcp.json b/resource_control_policies/network_perimeter_sourcevpc_rcp.json
index 341d7a4..60e2d29 100644
--- a/resource_control_policies/network_perimeter_sourcevpc_rcp.json
+++ b/resource_control_policies/network_perimeter_sourcevpc_rcp.json
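Review bot: In the hunk at `@@ -17,8 +14,16 @@`, `cognito-idp:*` and `cognito-identity:*` are added as wildcards to a statement that otherwise enumerates STS actions (`sts:AssumeRole` through `sts:SetContext`) instead of the `sts:*` the second statement at `@@ -72,12 +77,17 @@` uses; that enumeration looks deliberate, presumably keeping STS operations that callers invoke without AWS credentials out of a Deny whose principal-based conditions (outside the hunk) would not match them. Cognito user pools and identity pools likewise expose operations that are invoked unauthenticated (InitiateAuth, SignUp, GetId), so confirm how RCP evaluation treats those before enforcing this policy and, if they are evaluated, enumerate the cognito actions the same way STS is enumerated rather than using `"cognito-idp:*"`. Separately, `kms:*`, `sqs:*` and `secretsmanager:*` are deleted and re-added in a new position, and the resulting order differs from the alphabetical order used in network_perimeter_sourcevpc_rcp.json; keeping every action list alphabetical would make the diff show only the five genuinely new services. The Condition block that scopes each statement starts on the hunk's last line and continues outside it.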
@@ -6,7 +6,11 @@
 "Effect": "Deny",
 "Principal": "*",
 "Action": [
- "sqs:*",
+ "aoss:*",
+ "cognito-idp:*",
+ "cognito-sync:*",
+ "dynamodb:*",
+ "logs:*",
 "secretsmanager:*",
 "sts:AssumeRole",
 "sts:DecodeAuthorizationMessage",
@@ -14,9 +18,7 @@
 "sts:GetFederationToken",
 "sts:GetServiceBearerToken",
 "sts:GetSessionToken",
- "sts:SetContext",
- "aoss:*",
- "ecr:*"
+ "sts:SetContext"
 ],
 "Resource": "*",
 "Condition": {
@@ -53,7 +55,11 @@
 "Effect": "Deny",
 "Principal": "*",
 "Action": [
- "sqs:*",
+ "aoss:*",
+ "cognito-idp:*",
+ "cognito-sync:*",
+ "dynamodb:*",
+ "logs:*",
 "secretsmanager:*",
 "sts:AssumeRole",
 "sts:DecodeAuthorizationMessage",
@@ -61,9 +67,7 @@
 "sts:GetFederationToken",
 "sts:GetServiceBearerToken",
 "sts:GetSessionToken",
- "sts:SetContext",
- "aoss:*",
- "ecr:*"
+ "sts:SetContext"
 ],
 "Resource": "*",
 "Condition": {
@@ -80,7 +84,11 @@
 "Effect": "Deny",
 "Principal": "*",
 "Action": [
- "sqs:*",
+ "aoss:*",
+ "cognito-idp:*",
+ "cognito-sync:*",
+ "dynamodb:*",
+ "logs:*",
 "secretsmanager:*",
 "sts:AssumeRole",
 "sts:DecodeAuthorizationMessage",
@@ -88,9 +96,7 @@
 "sts:GetFederationToken",
 "sts:GetServiceBearerToken",
 "sts:GetSessionToken",
- "sts:SetContext",
- "aoss:*",
- "ecr:*"
+ "sts:SetContext"
 ],
 "Resource": "*",
 "Condition": {
diff --git a/resource_control_policies/network_perimeter_vpceorgid_rcp.json b/resource_control_policies/network_perimeter_vpceorgid_rcp.json
index 9c86e40..18cb60f 100644
--- a/resource_control_policies/network_perimeter_vpceorgid_rcp.json
+++ b/resource_control_policies/network_perimeter_vpceorgid_rcp.json
@@ -6,8 +6,11 @@
 "Effect": "Deny",
 "Principal": "*",
 "Action": [
+ "cognito-identity:*",
+ "ecr:*",
+ "kms:*",
 "s3:*",
- "kms:*"
+ "sqs:*"
 ],
 "Resource": "*",
 "Condition": {
diff --git a/service_control_policies/network_perimeter_vpceorgid_scp.json b/service_control_policies/network_perimeter_vpceorgid_scp.json
index 61c0bec..218f25b 100644
--- a/service_control_policies/network_perimeter_vpceorgid_scp.json
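Review bot: `ecr:*` and `sqs:*` are removed from all three Deny statements of this aws:SourceVpc-based RCP (hunks at `@@ -14,9 +18,7 @@`, `@@ -61,9 +67,7 @@`, `@@ -88,9 +96,7 @@`) and only reappear in network_perimeter_vpceorgid_rcp.json later in this patch, so network-perimeter coverage for ECR and SQS now depends on deploying that second policy as well, and an organization that attaches only this file silently loses it for those two services. The diffstat shows only the four JSON files changing, so nothing records which services moved between the two RCPs or why (presumably because they now support the aws:VpceOrgID condition key); add a README or changelog entry stating the rule used to split services between the two files and listing the ones that moved. The Condition block of each statement begins on the hunk's last line and continues outside it.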
+++ b/service_control_policies/network_perimeter_vpceorgid_scp.json
@@ -9,33 +9,50 @@
 "applicationinsights:*",
 "apprunner:*",
 "athena:*",
+ "b2bi:*",
+ "cassandra:*",
 "cloudformation:*",
+ "cognito-identity:*",
 "comprehendmedical:*",
 "compute-optimizer:*",
 "datasync:*",
 "discovery:*",
+ "dms:*",
+ "ds-data:*",
 "ebs:*",
+ "ecr:*",
+ "ecs:*",
 "firehose:*",
 "healthlake:*",
+ "identitystore:*",
 "iotfleetwise:*",
+ "iottwinmaker:*",
 "iotwireless:*",
+ "kinesisanalytics:*",
 "kms:*",
 "lambda:*",
 "medical-imaging:*",
+ "network-firewall:*",
 "omics:*",
 "payment-cryptography:*",
 "polly:*",
+ "pricing:*",
 "rbin:*",
 "rekognition:*",
+ "route53:*",
 "s3:*",
 "scheduler:*",
 "servicediscovery:*",
 "servicequotas:*",
+ "ses:*",
+ "sms-voice:*",
+ "sqs:*",
 "ssm-contacts:*",
 "storagegateway:*",
 "textract:*",
 "transcribe:*",
- "transfer:*"
+ "transfer:*",
+ "workmail:*"
 ],
 "Resource":"*",
 "Condition":{
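Review bot: Several of the seventeen services added to this Deny (`ecs:*`, `ecr:*` and `sqs:*` among them) have call patterns in which AWS-managed infrastructure, not a workload inside a customer VPC, calls the service with one of the organization's roles — the ECS agent's registration and polling calls and image pulls under a task execution role, or Lambda's event-source polling of SQS queues are the usual examples — and a VPC-endpoint-based Deny breaks those unless the statement exempts them. The Condition element begins on the hunk's last line and continues outside it, so whether it carries aws:ViaAWSService / aws:PrincipalIsAWSService or role-ARN exceptions that cover these patterns cannot be checked here; each newly listed service should be validated against CloudTrail in a non-enforcing account before the SCP is attached, and the exception list reviewed for every service added in this hunk. As a point of style, `"Resource":"*"` and `"Condition":{` omit the space after the colon that the RCP files in this patch use, so running all four policy files through one formatter would keep them consistent.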