diff --git a/Establish-intra-organization-boundaries/Deny-access-to-resources-in-an-organizational-unit,except-for-principals-from-the-same-or-specified-organizational-unit.json b/Establish-intra-organization-boundaries/Deny-access-to-resources-in-an-organizational-unit,except-for-principals-from-the-same-or-specified-organizational-unit.json
index 32689b8..9c080b6 100644
--- a/Establish-intra-organization-boundaries/Deny-access-to-resources-in-an-organizational-unit,except-for-principals-from-the-same-or-specified-organizational-unit.json
+++ b/Establish-intra-organization-boundaries/Deny-access-to-resources-in-an-organizational-unit,except-for-principals-from-the-same-or-specified-organizational-unit.json
@@ -8,7 +8,10 @@
              "s3:*",
              "sqs:*",
              "kms:*",
-             "secretsmanager:*"
+             "secretsmanager:*",
+             "logs:*",
+             "dynamodb:*",
+             "ecr:*",
           ],
           "Resource":"*",
           "Condition":{
diff --git a/Establish-intra-organization-boundaries/Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json b/Establish-intra-organization-boundaries/Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json
index 1877854..0e17d79 100644
--- a/Establish-intra-organization-boundaries/Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json
+++ b/Establish-intra-organization-boundaries/Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json
@@ -15,7 +15,13 @@
                 "sts:GetFederationToken",
                 "sts:GetServiceBearerToken",
                 "sts:GetSessionToken",
-                "sts:SetContext"
+                "sts:SetContext",
+                "cognito-identity:*",
+                "cognito-idp:*",
+                "logs:*",
+                "dynamodb:*",
+                "ecr:*",
+                "aoss:*"
             ],
             "Resource": "*",
             "Condition": {
diff --git a/Restrict-resource-access-patterns/Enforce-controls-on-AWS-services-that-use-service-principals-to-access-your-resources.json b/Restrict-resource-access-patterns/Enforce-controls-on-AWS-services-that-use-service-principals-to-access-your-resources.json
index 8005cde..4d4d51d 100644
--- a/Restrict-resource-access-patterns/Enforce-controls-on-AWS-services-that-use-service-principals-to-access-your-resources.json
+++ b/Restrict-resource-access-patterns/Enforce-controls-on-AWS-services-that-use-service-principals-to-access-your-resources.json
@@ -6,12 +6,16 @@
             "Principal": "*",
             "Action": [
                 "s3:*",
-                "sqs:*",
+                "sts:*",
                 "kms:*",
+                "sqs:*",
                 "secretsmanager:*",
-                "sts:*",
-                "aoss:*",
-                "ecr:*"
+                "cognito-identity:*",
+                "cognito-idp:*",
+                "logs:*",
+                "dynamodb:*",
+                "ecr:*",
+                "aoss:*"
             ],
             "Resource": "*",
             "Condition": {
diff --git a/Restrict-resource-access-patterns/Restrict-access-to-only-HTTPS-connections-to-your-resources.json b/Restrict-resource-access-patterns/Restrict-access-to-only-HTTPS-connections-to-your-resources.json
index 7007531..7530da0 100644
--- a/Restrict-resource-access-patterns/Restrict-access-to-only-HTTPS-connections-to-your-resources.json
+++ b/Restrict-resource-access-patterns/Restrict-access-to-only-HTTPS-connections-to-your-resources.json
@@ -5,11 +5,17 @@
             "Effect": "Deny",
             "Principal": "*",
             "Action": [
-                "sts:*",
                 "s3:*",
+                "sts:*",
+                "kms:*",
                 "sqs:*",
                 "secretsmanager:*",
-                "kms:*"
+                "cognito-identity:*",
+                "cognito-idp:*",
+                "logs:*",
+                "dynamodb:*",
+                "ecr:*",
+                "aoss:*"
             ],
             "Resource": "*",
             "Condition": {
diff --git a/Service-specific-controls/README.md b/Service-specific-controls/README.md
index 23b50dc..d3a1196 100644
--- a/Service-specific-controls/README.md
+++ b/Service-specific-controls/README.md
@@ -46,7 +46,7 @@
 
 | Included Policy | Rationale | 
 |-------------|-------------|
-|[Protect EKS Pod Identities Session Tags](STS-ProtectEKSPodIdentitiesTags.json) | Protect the session tags set by EKS pod identities. This RCP helps ensure that only AWS service principals can assume IAM role sessions with the EKS pod identity specific session tags, while allowing the role-sessions assumed by EKS pod identities to continue to set them as transitive session tags. This pairs well with a [service control policy that restricts the ability for someone to use the iam:TagRole and iam:TagUser permission from creating tags on IAM roles and users with the expected keys and values by EKS pod identities](https://github.com/aws-samples/service-control-policy-examples/blob/main/Service-specific-controls/Amazon-EKS/ProtectPodIdentitiesTagsOnRolesAndUsers.json). The logic is that "Only an AWS service Principal can make a request for a role-session with any of those tags, or a session/role/user that already has one of those tags set". |
+|[Protect EKS Pod Identity Session Tags](STS-Protect-EKS-pod-identities-tags.json) | Protect the session tags set by EKS pod identities. This RCP helps ensure that only AWS service principals can assume IAM role sessions with the EKS pod identity specific session tags, while allowing the role-sessions assumed by EKS pod identities to continue to set them as transitive session tags. This pairs well with a [service control policy that restricts the ability for someone to use the iam:TagRole and iam:TagUser permission from creating tags on IAM roles and users with the expected keys and values by EKS pod identities](https://github.com/aws-samples/service-control-policy-examples/blob/main/Service-specific-controls/Amazon-EKS/ProtectPodIdentitiesTagsOnRolesAndUsers.json). The logic is that "Only an AWS service Principal can make a request for a role-session with any of those tags, or a session/role/user that already has one of those tags set". |
 |[Protect IAM Roles Anywhere Session Tags](STS-protect-IAMRA-session-tags.json) | Protect the session tags set by IAM Roles Anywhere. This RCP helps ensure that only AWS service principals can assume IAM role sessions with the IAM Roles Anywhere session tags, while allowing the role-sessions assumed by IAM Roles Anywhere to continue to set them as transitive session tags. This pairs well with a [service control policy that restricts the ability for someone to use the iam:TagRole and iam:TagUser permission from creating tags on IAM roles and users with the expected keys and values by IAM Roles Anywhere](https://github.com/aws-samples/service-control-policy-examples/blob/main/Service-specific-controls/AWS-IAMRolesAnywhere/Protect-IAMRA-Specific-Tags.json). The logic is that "Only an AWS service Principal can make a request for a role-session with any of those tags, or a session/role/user that already has one of those tags set". |
 
 
diff --git a/Service-specific-controls/STS-ProtectEKSPodIdentitiesTags.json b/Service-specific-controls/STS-Protect-EKS-pod-identities-tags.json
similarity index 100%
rename from Service-specific-controls/STS-ProtectEKSPodIdentitiesTags.json
rename to Service-specific-controls/STS-Protect-EKS-pod-identities-tags.json