aws.org-account
Filters
cfn-stack
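# Schema for the `cfn-stack` filter on aws.org-account, with the nesting
# restored. Only `type` is required; all other keys are optional.
# The permissions listed for this filter are sts:AssumeRole and
# cloudformation:DescribeStacks, so it presumably reads stacks through an
# assumed role; that role needs no more than read-only DescribeStacks access.
properties:
  # Boolean switch; how it changes matching is not shown in this schema.
  present:
    type: boolean
  # NOTE(review): `regions` and `stack_names` describe their members with
  # `elements`, while `status` below uses `items`. `items` is the JSON Schema
  # keyword for array members, so the string typing of these two lists is
  # presumably not enforced at validation time -- confirm with the validator.
  regions:
    elements:
      type: string
    type: array
  stack_names:
    elements:
      type: string
    type: array
  # Stack states the filter accepts; any value outside this enum is rejected.
  status:
    items:
      enum:
        - CREATE_IN_PROGRESS
        - CREATE_FAILED
        - CREATE_COMPLETE
        - ROLLBACK_IN_PROGRESS
        - ROLLBACK_FAILED
        - ROLLBACK_COMPLETE
        - DELETE_IN_PROGRESS
        - DELETE_FAILED
        - DELETE_COMPLETE
        - UPDATE_IN_PROGRESS
        - UPDATE_COMPLETE_CLEANUP_IN_PROGRESS
        - UPDATE_COMPLETE
        - UPDATE_ROLLBACK_IN_PROGRESS
        - UPDATE_ROLLBACK_FAILED
        - UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS
        - UPDATE_ROLLBACK_COMPLETE
        - REVIEW_IN_PROGRESS
        - IMPORT_IN_PROGRESS
        - IMPORT_COMPLETE
        - IMPORT_ROLLBACK_IN_PROGRESS
        - IMPORT_ROLLBACK_FAILED
        - IMPORT_ROLLBACK_COMPLETE
    type: array
  type:
    enum:
      - cfn-stack
required:
  - type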
Permissions - sts:AssumeRole, cloudformation:DescribeStacks
ou
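# Schema for the `ou` filter on aws.org-account, with the nesting restored.
# Only `type` is required.
properties:
  type:
    enum:
      - ou
  # List of strings identifying organizational units. Whether entries are
  # OU ids, paths or names is not stated by the schema -- check the filter's
  # documentation before relying on a particular form.
  units:
    items:
      type: string
    type: array
required:
  - type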
Permissions - organizations:ListChildren
Actions
set-policy
Set a policy on an org unit or account
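# Attach a service control policy, referenced by name, to org units that do
# not have it yet. Nesting restored so the example is valid YAML.
policies:
  - name: attach-existing-scp
    resource: aws.org-unit
    filters:
      # `count: 0` together with the `Name` attribute match selects org units
      # where no SCP named RestrictedRootAccount is found.
      - type: policy
        policy-type: SERVICE_CONTROL_POLICY
        count: 0
        attrs:
          - Name: RestrictedRootAccount
    actions:
      # No `contents` key: the policy is referenced by name only, so what gets
      # enforced is whatever document that named policy already holds.
      # Review the existing policy's contents before attaching it.
      - type: set-policy
        policy-type: SERVICE_CONTROL_POLICY
        name: RestrictedRootAccount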
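# Attach a service control policy to org units that do not have it yet,
# supplying the policy document inline. Nesting restored so the example is
# valid YAML.
policies:
  - name: create-and-attach-scp
    resource: aws.org-unit
    filters:
      # `count: 0` together with the `Name` attribute match selects org units
      # where no SCP named RestrictedRootAccount is found.
      - type: policy
        policy-type: SERVICE_CONTROL_POLICY
        count: 0
        attrs:
          - Name: RestrictedRootAccount
    actions:
      - type: set-policy
        policy-type: SERVICE_CONTROL_POLICY
        name: RestrictedRootAccount
        # NOTE(review): the permissions listed for this action are
        # organizations:AttachPolicy and organizations:CreatePolicy, with no
        # update permission, so a policy that already exists under this name
        # is presumably attached unchanged -- confirm its contents match.
        contents:
          Version: "2012-10-17"
          Statement:
            # Denies every EC2 action when the calling principal is an
            # account root user. The policy name is broader than this single
            # statement: only ec2:* is denied for root.
            # SCPs do not apply to the organization's management account, so
            # its root user is outside the reach of this statement.
            - Sid: RestrictEC2ForRoot
              Effect: Deny
              Action:
                - "ec2:*"
              Resource:
                - "*"
              Condition:
                StringLike:
                  "aws:PrincipalArn":
                    # The account-id wildcard covers the root user of any
                    # account the SCP is applied to.
                    - 'arn:aws:iam::*:root'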
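# Schema for the `set-policy` action, with the nesting restored.
properties:
  # Policy document. The schema only checks that it is an object, so the
  # document body itself (statements, actions, conditions) is not validated
  # here; review it before the policy runs.
  contents:
    type: object
  description:
    type: string
  name:
    type: string
  # Organizations policy types the action accepts.
  policy-type:
    enum:
      - SERVICE_CONTROL_POLICY
      - TAG_POLICY
      - BACKUP_POLICY
      - AISERVICES_OPT_OUT_POLICY
  tags:
    patternProperties:
      # The empty pattern matches every key, so all tag values must be
      # strings.
      '':
        type: string
    type: object
  type:
    enum:
      - set-policy
# `contents` is not required: a policy may be referenced by name alone.
required:
  - name
  - policy-type
  - type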
Permissions - organizations:AttachPolicy, organizations:CreatePolicy