aws.org-unit

Filters

Actions

set-policy

Set a policy on an org unit or account

policies:
  # Attach-only example: no `contents` is given, so the SCP named below
  # is presumably expected to exist already (compare the create-and-attach
  # example, which supplies a policy document)
  - name: 'attach-existing-scp'
    resource: aws.org-unit
    filters:
      # Presumably selects org units with no attached SCP carrying
      # these attributes (`count: 0` against the listed `attrs`)
      - type: policy
        policy-type: SERVICE_CONTROL_POLICY
        count: 0
        attrs:
          - Name: 'RestrictedRootAccount'
    actions:
      # Attach the existing SCP by name; needs organizations:AttachPolicy
      - type: set-policy
        policy-type: SERVICE_CONTROL_POLICY
        name: 'RestrictedRootAccount'
policies:
  # Create-and-attach example: `contents` supplies the policy document,
  # so the action presumably creates the SCP before attaching it (the
  # action lists both organizations:CreatePolicy and
  # organizations:AttachPolicy as required permissions)
  - name: 'create-and-attach-scp'
    resource: aws.org-unit
    filters:
      # Presumably selects org units with no attached SCP carrying
      # these attributes (`count: 0` against the listed `attrs`)
      - type: policy
        policy-type: SERVICE_CONTROL_POLICY
        count: 0
        attrs:
          - Name: 'RestrictedRootAccount'
    actions:
      - type: set-policy
        policy-type: SERVICE_CONTROL_POLICY
        name: 'RestrictedRootAccount'
        # The SCP document itself: an explicit Deny of every EC2 API
        # action on every resource, applied only to principals whose ARN
        # matches an account root user
        contents:
          Version: "2012-10-17"  # quoted so it stays a string, not a date
          Statement:
            - Sid: 'RestrictEC2ForRoot'
              Effect: 'Deny'
              Action:
                - 'ec2:*'
              Resource:
                - '*'
              Condition:
                StringLike:
                  'aws:PrincipalArn':
                    - 'arn:aws:iam::*:root'
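# Schema of the set-policy action (rendered as YAML).
# `name`, `policy-type` and `type` are required; the rest are optional.
properties:
  # Inline policy document to create the policy from; when omitted, the
  # policy referenced by `name` is presumably expected to exist already
  contents:
    type: object
  description:
    type: string
  # Name of the policy to attach (or create, when `contents` is given)
  name:
    type: string
  # Only these four AWS Organizations policy types are accepted
  policy-type:
    enum:
      - SERVICE_CONTROL_POLICY
      - TAG_POLICY
      - BACKUP_POLICY
      - AISERVICES_OPT_OUT_POLICY
  # Free-form string-to-string map: the empty pattern '' matches every
  # tag key, so any key is allowed but each value must be a string.
  # Written as a plain quoted key rather than the `? ''` / `: ...`
  # explicit-key form, which reads poorly and is rarely needed.
  tags:
    patternProperties:
      '':
        type: string
    type: object
  type:
    enum:
      - set-policy
required:
  - name
  - policy-type
  - type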

Permissions - organizations:AttachPolicy, organizations:CreatePolicy