Add SCP policies and update some

Author: snemetz

modules/scp/README.md

@@ -35,6 +35,7 @@ No modules.
 | [aws_organizations_policy.deny_guardduty_modify](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.deny_member_leaving](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.deny_s3_public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
+| [aws_organizations_policy.deny_s3_unsecure_requests](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.deny_securityhub_disable](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.require_s3_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 

modules/scp/REFERENCES.txt

@@ -0,0 +1,3 @@
+
+https://aws-samples.github.io/aws-iam-permissions-guardrails/guardrails/scp-guardrails.html
+https://github.com/ScaleSec/terraform_aws_scp

modules/scp/files/deny-cloudtrail-tamper.json

@@ -6,8 +6,8 @@
       "Effect": "Deny",
       "Action": [
         "cloudtrail:DeleteTrail",
-        "cloudtrail:StopLogging",
         "cloudtrail:PutEventSelectors",
+        "cloudtrail:StopLogging",
         "cloudtrail:UpdateTrail"
       ],
       "Resource": [

modules/scp/files/deny-config-modify.json

@@ -6,8 +6,11 @@
       "Effect": "Deny",
       "Action": [
         "config:DeleteConfigRule",
+        "config:DeleteConfigurationAggregator",
         "config:DeleteConfigurationRecorder",
         "config:DeleteDeliveryChannel",
+        "config:DeleteEvaluationResults",
+        "config:DeleteRetentionConfiguration",
         "config:StopConfigurationRecorder"
       ],
       "Resource": "*"

modules/scp/files/deny-s3-unsecure-requests.json

@@ -0,0 +1,18 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "DenyS3UnsecureRequests",
+      "Effect": "Deny",
+      "Action": [
+        "s3:*"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "Bool": {
+          "aws:SecureTransport": "false"
+        }
+      }
+    }
+  ]
+}

modules/scp/files/require-s3-encryption.json

@@ -8,7 +8,7 @@
       "Resource": "*",
       "Condition": {
         "StringNotEquals": {
-          "s3:x-amz-server-side-encryption": "AES256"
+          "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]
         }
       }
     },

modules/scp/main.tf

@@ -113,6 +113,14 @@ resource "aws_organizations_policy" "deny_s3_public" {
   type        = "SERVICE_CONTROL_POLICY"
   content     = file("${path.module}/files/deny-s3-public.json")
 }
+resource "aws_organizations_policy" "deny_s3_unsecure_requests" {
+  count       = local.enable && var.enable_s3 ? 1 : 0
+  name        = "deny_s3_unsecure_requests"
+  description = "Prevent S3 unsecured requests"
+  tags        = var.tags
+  type        = "SERVICE_CONTROL_POLICY"
+  content     = file("${path.module}/files/deny-s3-unsecure-requests.json")
+}
 resource "aws_organizations_policy" "require_s3_encryption" {
   count       = local.enable && var.enable_s3 ? 1 : 0
   name        = "require_s3_encryption"