aws-samples · SwaraGandhi · Mar 11, 2026 · Mar 1, 2026 · Mar 9, 2026 · Mar 9, 2026
diff --git a/...nizational-unit,except-for-principals-from-the-same-or-specified-organizational-unit.json b/...nizational-unit,except-for-principals-from-the-same-or-specified-organizational-unit.json
@@ -8,7 +8,10 @@
              "s3:*",
              "sqs:*",
              "kms:*",
-             "secretsmanager:*"
+             "secretsmanager:*",
+             "logs:*",
+             "dynamodb:*",
+             "ecr:*",
           ],
           "Resource":"*",
           "Condition":{

diff --git a/...aries/Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json b/...aries/Deny-resource-access-if-the-resource-belongs-to-a-specific-organizational-unit.json
@@ -15,7 +15,13 @@
                 "sts:GetFederationToken",
                 "sts:GetServiceBearerToken",
                 "sts:GetSessionToken",
-                "sts:SetContext"
+                "sts:SetContext",
+                "cognito-identity:*",
+                "cognito-idp:*",
+                "logs:*",
+                "dynamodb:*",
+                "ecr:*",
+                "aoss:*"
             ],
             "Resource": "*",
             "Condition": {

diff --git a/...nforce-controls-on-AWS-services-that-use-service-principals-to-access-your-resources.json b/...nforce-controls-on-AWS-services-that-use-service-principals-to-access-your-resources.json
@@ -6,12 +6,16 @@
             "Principal": "*",
             "Action": [
                 "s3:*",
-                "sqs:*",
+                "sts:*",
                 "kms:*",
+                "sqs:*",
                 "secretsmanager:*",
-                "sts:*",
-                "aoss:*",
-                "ecr:*"
+                "cognito-identity:*",
+                "cognito-idp:*",
+                "logs:*",
+                "dynamodb:*",
+                "ecr:*",
+                "aoss:*"
             ],
             "Resource": "*",
             "Condition": {

diff --git a/...resource-access-patterns/Restrict-access-to-only-HTTPS-connections-to-your-resources.json b/...resource-access-patterns/Restrict-access-to-only-HTTPS-connections-to-your-resources.json
@@ -5,11 +5,17 @@
             "Effect": "Deny",
             "Principal": "*",
             "Action": [
-                "sts:*",
                 "s3:*",
+                "sts:*",
+                "kms:*",
                 "sqs:*",
                 "secretsmanager:*",
-                "kms:*"
+                "cognito-identity:*",
+                "cognito-idp:*",
+                "logs:*",
+                "dynamodb:*",
+                "ecr:*",
+                "aoss:*"
             ],
             "Resource": "*",
             "Condition": {

diff --git a/Service-specific-controls/README.md b/Service-specific-controls/README.md
@@ -46,7 +46,7 @@
 
 | Included Policy | Rationale | 
 |-------------|-------------|
-|[Protect EKS Pod Identities Session Tags](STS-ProtectEKSPodIdentitiesTags.json) | Protect the session tags set by EKS pod identities. This RCP helps ensure that only AWS service principals can assume IAM role sessions with the EKS pod identity specific session tags, while allowing the role-sessions assumed by EKS pod identities to continue to set them as transitive session tags. This pairs well with a [service control policy that restricts the ability for someone to use the iam:TagRole and iam:TagUser permission from creating tags on IAM roles and users with the expected keys and values by EKS pod identities](https://github.com/aws-samples/service-control-policy-examples/blob/main/Service-specific-controls/Amazon-EKS/ProtectPodIdentitiesTagsOnRolesAndUsers.json). The logic is that "Only an AWS service Principal can make a request for a role-session with any of those tags, or a session/role/user that already has one of those tags set". |
+|[Protect EKS Pod Identity Session Tags](STS-Protect-EKS-pod-identities-tags.json) | Protect the session tags set by EKS pod identities. This RCP helps ensure that only AWS service principals can assume IAM role sessions with the EKS pod identity specific session tags, while allowing the role-sessions assumed by EKS pod identities to continue to set them as transitive session tags. This pairs well with a [service control policy that restricts the ability for someone to use the iam:TagRole and iam:TagUser permission from creating tags on IAM roles and users with the expected keys and values by EKS pod identities](https://github.com/aws-samples/service-control-policy-examples/blob/main/Service-specific-controls/Amazon-EKS/ProtectPodIdentitiesTagsOnRolesAndUsers.json). The logic is that "Only an AWS service Principal can make a request for a role-session with any of those tags, or a session/role/user that already has one of those tags set". |
 |[Protect IAM Roles Anywhere Session Tags](STS-protect-IAMRA-session-tags.json) | Protect the session tags set by IAM Roles Anywhere. This RCP helps ensure that only AWS service principals can assume IAM role sessions with the IAM Roles Anywhere session tags, while allowing the role-sessions assumed by IAM Roles Anywhere to continue to set them as transitive session tags. This pairs well with a [service control policy that restricts the ability for someone to use the iam:TagRole and iam:TagUser permission from creating tags on IAM roles and users with the expected keys and values by IAM Roles Anywhere](https://github.com/aws-samples/service-control-policy-examples/blob/main/Service-specific-controls/AWS-IAMRolesAnywhere/Protect-IAMRA-Specific-Tags.json). The logic is that "Only an AWS service Principal can make a request for a role-session with any of those tags, or a session/role/user that already has one of those tags set". |
 
 

diff --git a/...rols/STS-ProtectEKSPodIdentitiesTags.json → .../STS-Protect-EKS-pod-identities-tags.json b/...rols/STS-ProtectEKSPodIdentitiesTags.json → .../STS-Protect-EKS-pod-identities-tags.json