From 2fbbe2df60647c8dae69623a49faaa239e44e591 Mon Sep 17 00:00:00 2001 From: Swara Gandhi Date: Sun, 1 Mar 2026 16:05:27 -0500 Subject: [PATCH 1/3] AddedServicesAsSupportedbyRCPs Added cognito, dynamodb, ecr and opensearch serverless --- ...m-the-same-or-specified-organizational-unit.json | 5 ++++- ...e-belongs-to-a-specific-organizational-unit.json | 9 ++++++++- ...service-principals-to-access-your-resources.json | 13 +++++++++---- ...to-only-HTTPS-connections-to-your-resources.json | 11 +++++++++-- Service-specific-controls/README.md | 2 +- ...son => STS-Protect-EKS-pod-identities-tags.json} | 0 6 files changed, 31 insertions(+), 9 deletions(-) rename Service-specific-controls/{STS-ProtectEKSPodIdentitiesTags.json => STS-Protect-EKS-pod-identities-tags.json} (100%)
diff --git a/Establish-intra-organization-boundaries/Deny-access-to-resources-in-an-organizational-unit,except-for-principals-from-the-same-or-specified-organizational-unit.json b/Establish-intra-organization-boundaries/Deny-access-to-resources-in-an-organizational-unit,except-for-principals-from-the-same-or-specified-organizational-unit.json
index 32689b8..9c080b6 100644
--- a/Establish-intra-organization-boundaries/Deny-access-to-resources-in-an-organizational-unit,except-for-principals-from-the-same-or-specified-organizational-unit.json
+++ b/Establish-intra-organization-boundaries/Deny-access-to-resources-in-an-organizational-unit,except-for-principals-from-the-same-or-specified-organizational-unit.json
@@ -8,7 +8,10 @@
 "s3:*",
 "sqs:*",
 "kms:*",
- "secretsmanager:*"
+ "secretsmanager:*",
+ "logs:*",
+ "dynamodb:*",
+ "ecr:*",
 ],
 "Resource":"*",
 "Condition":{
diff --git a/Establish-intra-organization-boundaries/Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json b/Establish-intra-organization-boundaries/Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json
index 1877854..2a330a9 100644
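Review bot: The added `"ecr:*",` is the last element of the `Action` array in Deny-access-to-resources-in-an-organizational-unit,except-for-principals-from-the-same-or-specified-organizational-unit.json, so its trailing comma makes the policy document invalid JSON; anyone copying this file into Organizations gets a malformed-policy error instead of the control, and tooling that parses the repository as JSON fails on it. Drop the comma on that line: `"ecr:*"`. In the same commit the sibling intra-organization policy (Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json) also gains `cognito-identity:*`, `cognito-idp:*` and `aoss:*`, while this file gains only `logs:*`, `dynamodb:*` and `ecr:*`; if the narrower set is intentional, a short rationale next to the policy would keep the two from drifting further apart, otherwise the missing entries belong here too. The `Action` array and its enclosing statement open before this hunk.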
--- a/Establish-intra-organization-boundaries/Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json
+++ b/Establish-intra-organization-boundaries/Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json
@@ -15,7 +15,14 @@
 "sts:GetFederationToken",
 "sts:GetServiceBearerToken",
 "sts:GetSessionToken",
- "sts:SetContext"
+ "sts:SetContext",
+ "cognito-identity:*",
+ "cognito-idp:*",
+ "cognito-sync:*",
+ "logs:*",
+ "dynamodb:*",
+ "ecr:*",
+ "aoss:*"
 ],
 "Resource": "*",
 "Condition": {
diff --git a/Restrict-resource-access-patterns/Enforce-controls-on-AWS-services-that-use-service-principals-to-access-your-resources.json b/Restrict-resource-access-patterns/Enforce-controls-on-AWS-services-that-use-service-principals-to-access-your-resources.json
index 8005cde..3a21920 100644
--- a/Restrict-resource-access-patterns/Enforce-controls-on-AWS-services-that-use-service-principals-to-access-your-resources.json
+++ b/Restrict-resource-access-patterns/Enforce-controls-on-AWS-services-that-use-service-principals-to-access-your-resources.json
@@ -6,12 +6,17 @@
 "Principal": "*",
 "Action": [
 "s3:*",
- "sqs:*",
+ "sts:*",
 "kms:*",
+ "sqs:*",
 "secretsmanager:*",
- "sts:*",
- "aoss:*",
- "ecr:*"
+ "cognito-identity:*",
+ "cognito-idp:*",
+ "cognito-sync:*",
+ "logs:*",
+ "dynamodb:*",
+ "ecr:*",
+ "aoss:*"
 ],
 "Resource": "*",
 "Condition": {
diff --git a/Restrict-resource-access-patterns/Restrict-access-to-only-HTTPS-connections-to-your-resources.json b/Restrict-resource-access-patterns/Restrict-access-to-only-HTTPS-connections-to-your-resources.json
index 7007531..889a57b 100644
--- a/Restrict-resource-access-patterns/Restrict-access-to-only-HTTPS-connections-to-your-resources.json
+++ b/Restrict-resource-access-patterns/Restrict-access-to-only-HTTPS-connections-to-your-resources.json
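Review bot: In the Enforce-controls-on-AWS-services-that-use-service-principals-to-access-your-resources.json hunk, `sts:*` and `sqs:*` are removed and reinserted at new positions and `aoss:*`/`ecr:*` are removed and re-added at the end, so four of the removals and three of the additions change nothing about the policy; the same reshuffle of `sts:*` and `kms:*` appears in the Restrict-access-to-only-HTTPS-connections-to-your-resources.json hunk that follows. Keeping the existing order and appending only the entries that are actually new leaves a diff that shows exactly what the subject line says and makes it obvious which services a reader must re-verify. Each newly listed service prefix should also be checked against the RCP supported-services list this repository tracks, since a prefix RCPs do not honour adds nothing to the Deny and, as far as I recall, may be rejected at policy creation — verify. The enclosing statement starts before and ends after each of these hunks.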
@@ -5,11 +5,18 @@
 "Effect": "Deny",
 "Principal": "*",
 "Action": [
- "sts:*",
 "s3:*",
+ "sts:*",
+ "kms:*",
 "sqs:*",
 "secretsmanager:*",
- "kms:*"
+ "cognito-identity:*",
+ "cognito-idp:*",
+ "cognito-sync:*",
+ "logs:*",
+ "dynamodb:*",
+ "ecr:*",
+ "aoss:*"
 ],
 "Resource": "*",
 "Condition": {
diff --git a/Service-specific-controls/README.md b/Service-specific-controls/README.md
index ae01f94..445ebcd 100644
--- a/Service-specific-controls/README.md
+++ b/Service-specific-controls/README.md
@@ -45,7 +45,7 @@ | Included Policy | Rationale | |-------------|-------------| -|[Protect EKS Pod Identity Session Tags](STS-ProtectEKSPodIdentitiesTags.json) | Protect the session tags set by EKS pod identities. This RCP helps ensure that only AWS service principals can assume IAM role sessions with the EKS pod identity specific session tags, while allowing the role-sessions assumed by EKS pod identities to continue to set them as transitive session tags. This pairs well with a [service control policy that restricts the ability for someone to use the iam:TagRole and iam:TagUser permission from creating tags on IAM roles and users with the expected keys and values by EKS pod identities](https://github.com/aws-samples/service-control-policy-examples/blob/main/Service-specific-controls/Amazon-EKS/ProtectPodIdentitiesTagsOnRolesAndUsers.json). The logic is that "Only an AWS service Principal can makea request for a role-session with any of those tags, or a session/role/user that already has one of those tags set". | +|[Protect EKS Pod Identity Session Tags](STS-Protect-EKS-pod-identities-tags.json) | Protect the session tags set by EKS pod identities. This RCP helps ensure that only AWS service principals can assume IAM role sessions with the EKS pod identity specific session tags, while allowing the role-sessions assumed by EKS pod identities to continue to set them as transitive session tags. This pairs well with a [service control policy that restricts the ability for someone to use the iam:TagRole and iam:TagUser permission from creating tags on IAM roles and users with the expected keys and values by EKS pod identities](https://github.com/aws-samples/service-control-policy-examples/blob/main/Service-specific-controls/Amazon-EKS/ProtectPodIdentitiesTagsOnRolesAndUsers.json). The logic is that "Only an AWS service Principal can makea request for a role-session with any of those tags, or a session/role/user that already has one of those tags set". | 
diff --git a/Service-specific-controls/STS-ProtectEKSPodIdentitiesTags.json b/Service-specific-controls/STS-Protect-EKS-pod-identities-tags.json similarity index 100% rename from Service-specific-controls/STS-ProtectEKSPodIdentitiesTags.json rename to Service-specific-controls/STS-Protect-EKS-pod-identities-tags.json From 21b6c029b604085be091f736bc954d47123c77e1 Mon Sep 17 00:00:00 2001 From: Swara Gandhi Date: Mon, 9 Mar 2026 10:21:50 -0400 Subject: [PATCH 2/3] removed cognito-sync --- ...f-the-resource-belongs-to-a-specific-organizational-unit.json | 1 - ...ces-that-use-service-principals-to-access-your-resources.json | 1 - ...trict-access-to-only-HTTPS-connections-to-your-resources.json | 1 - 3 files changed, 3 deletions(-) diff --git a/Establish-intra-organization-boundaries/Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json b/Establish-intra-organization-boundaries/Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json index 2a330a9..0e17d79 100644 --- a/Establish-intra-organization-boundaries/Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json +++ b/Establish-intra-organization-boundaries/Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json @@ -18,7 +18,6 @@ "sts:SetContext", "cognito-identity:*", "cognito-idp:*", - "cognito-sync:*", "logs:*", "dynamodb:*", "ecr:*", diff --git a/Restrict-resource-access-patterns/Enforce-controls-on-AWS-services-that-use-service-principals-to-access-your-resources.json b/Restrict-resource-access-patterns/Enforce-controls-on-AWS-services-that-use-service-principals-to-access-your-resources.json index 3a21920..4d4d51d 100644 --- a/Restrict-resource-access-patterns/Enforce-controls-on-AWS-services-that-use-service-principals-to-access-your-resources.json +++ b/Restrict-resource-access-patterns/Enforce-controls-on-AWS-services-that-use-service-principals-to-access-your-resources.json 
@@ -12,7 +12,6 @@ "secretsmanager:*", "cognito-identity:*", "cognito-idp:*", - "cognito-sync:*", "logs:*", "dynamodb:*", "ecr:*", diff --git a/Restrict-resource-access-patterns/Restrict-access-to-only-HTTPS-connections-to-your-resources.json b/Restrict-resource-access-patterns/Restrict-access-to-only-HTTPS-connections-to-your-resources.json index 889a57b..7530da0 100644 --- a/Restrict-resource-access-patterns/Restrict-access-to-only-HTTPS-connections-to-your-resources.json +++ b/Restrict-resource-access-patterns/Restrict-access-to-only-HTTPS-connections-to-your-resources.json @@ -12,7 +12,6 @@ "secretsmanager:*", "cognito-identity:*", "cognito-idp:*", - "cognito-sync:*", "logs:*", "dynamodb:*", "ecr:*", From 3b92471edb9f8ffaa213bda8397d65bc98925048 Mon Sep 17 00:00:00 2001 From: Swara Gandhi Date: Mon, 9 Mar 2026 11:16:08 -0400 Subject: [PATCH 3/3] Pulling changes to resolve the merge conflict --- Service-specific-controls/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Service-specific-controls/README.md b/Service-specific-controls/README.md index 445ebcd..8b9f601 100644 --- a/Service-specific-controls/README.md +++ b/Service-specific-controls/README.md 
@@ -45,7 +45,8 @@ | Included Policy | Rationale | |-------------|-------------| -|[Protect EKS Pod Identity Session Tags](STS-Protect-EKS-pod-identities-tags.json) | Protect the session tags set by EKS pod identities. This RCP helps ensure that only AWS service principals can assume IAM role sessions with the EKS pod identity specific session tags, while allowing the role-sessions assumed by EKS pod identities to continue to set them as transitive session tags. This pairs well with a [service control policy that restricts the ability for someone to use the iam:TagRole and iam:TagUser permission from creating tags on IAM roles and users with the expected keys and values by EKS pod identities](https://github.com/aws-samples/service-control-policy-examples/blob/main/Service-specific-controls/Amazon-EKS/ProtectPodIdentitiesTagsOnRolesAndUsers.json). The logic is that "Only an AWS service Principal can makea request for a role-session with any of those tags, or a session/role/user that already has one of those tags set". | +|[Protect EKS Pod Identity Session Tags](STS-Protect-EKS-pod-identities-tags.json) | Protect the session tags set by EKS pod identities. This RCP helps ensure that only AWS service principals can assume IAM role sessions with the EKS pod identity specific session tags, while allowing the role-sessions assumed by EKS pod identities to continue to set them as transitive session tags. This pairs well with a [service control policy that restricts the ability for someone to use the iam:TagRole and iam:TagUser permission from creating tags on IAM roles and users with the expected keys and values by EKS pod identities](https://github.com/aws-samples/service-control-policy-examples/blob/main/Service-specific-controls/Amazon-EKS/ProtectPodIdentitiesTagsOnRolesAndUsers.json). The logic is that "Only an AWS service Principal can make a request for a role-session with any of those tags, or a session/role/user that already has one of those tags set". 
| +|[Protect IAM Roles Anywhere Session Tags](STS-protect-IAMRA-session-tags.json) | Protect the session tags set by IAM Roles Anywhere. This RCP helps ensure that only AWS service principals can assume IAM role sessions with the IAM Roles Anywhere session tags, while allowing the role-sessions assumed by IAM Roles Anywhere to continue to set them as transitive session tags. This pairs well with a [service control policy that restricts the ability for someone to use the iam:TagRole and iam:TagUser permission from creating tags on IAM roles and users with the expected keys and values by IAM Roles Anywhere](https://github.com/aws-samples/service-control-policy-examples/blob/main/Service-specific-controls/AWS-IAMRolesAnywhere/Protect-IAMRA-Specific-Tags.json). The logic is that "Only an AWS service Principal can make a request for a role-session with any of those tags, or a session/role/user that already has one of those tags set". |