1. Guardrail: Disallow deletion of log archive

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAUDITBUCKETDELETIONPROHIBITED",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucket"
      ],
      "Resource": [
        "arn:aws:s3:::aws-controltower*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
2. Guardrail: Disallow Changes to Encryption Configuration for Amazon S3 Buckets (optional)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAUDITBUCKETENCRYPTIONENABLED",
      "Effect": "Deny",
      "Action": [
        "s3:PutEncryptionConfiguration"
      ],
      "Resource": ["*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
3. Guardrail: Disallow Changes to Logging Configuration for Amazon S3 Buckets (optional)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAUDITBUCKETLOGGINGENABLED",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketLogging"
      ],
      "Resource": ["*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
4. Guardrail: Disallow Changes to Bucket Policy for Amazon S3 Buckets (optional)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAUDITBUCKETPOLICYCHANGESPROHIBITED",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPolicy"
      ],
      "Resource": ["*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
5. Guardrail: Disallow Changes to Lifecycle Configuration for Amazon S3 Buckets (optional)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAUDITBUCKETRETENTIONPOLICY",
      "Effect": "Deny",
      "Action": [
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": ["*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
6. Guardrail: Disallow configuration changes to CloudTrail
7. Guardrail: Integrate CloudTrail events with CloudWatch Logs
8. Guardrail: Enable CloudTrail in all available regions
9. Guardrail: Enable integrity validation for CloudTrail log file

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCLOUDTRAILENABLED",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": [
        "arn:aws:cloudtrail:*:*:trail/aws-controltower-*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
10. Guardrail: Disallow changes to Amazon CloudWatch set up by AWS Control Tower

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCLOUDWATCHEVENTPOLICY",
      "Effect": "Deny",
      "Action": [
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "events:DisableRule",
        "events:DeleteRule"
      ],
      "Resource": [
        "arn:aws:events:*:*:rule/aws-controltower-*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
11. Guardrail: Disallow deletion of AWS Config Aggregation Authorizations created by AWS Control Tower

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCONFIGAGGREGATIONAUTHORIZATIONPOLICY",
      "Effect": "Deny",
      "Action": [
        "config:DeleteAggregationAuthorization"
      ],
      "Resource": [
        "arn:aws:config:*:*:aggregation-authorization*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/AWSControlTowerExecution"
        },
        "StringLike": {
          "aws:ResourceTag/aws-control-tower": "managed-by-control-tower"
        }
      }
    }
  ]
}
12. Guardrail: Disallow changes to tags created by AWS Control Tower for AWS Config resources

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCONFIGRULETAGSPOLICY",
      "Effect": "Deny",
      "Action": [
        "config:TagResource",
        "config:UntagResource"
      ],
      "Resource": ["*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": "aws-control-tower"
        }
      }
    }
  ]
}
13. Guardrail: Disallow configuration changes to AWS Config
14. Guardrail: Enable AWS Config in all available regions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCONFIGENABLED",
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:DeleteRetentionConfiguration",
        "config:PutConfigurationRecorder",
        "config:PutDeliveryChannel",
        "config:PutRetentionConfiguration",
        "config:StopConfigurationRecorder"
      ],
      "Resource": ["*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
15. Guardrail: Disallow changes to AWS Config Rules set up by AWS Control Tower

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCONFIGRULEPOLICY",
      "Effect": "Deny",
      "Action": [
        "config:PutConfigRule",
        "config:DeleteConfigRule",
        "config:DeleteEvaluationResults",
        "config:DeleteConfigurationAggregator",
        "config:PutConfigurationAggregator"
      ],
      "Resource": ["*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        },
        "StringEquals": {
          "aws:ResourceTag/aws-control-tower": "managed-by-control-tower"
        }
      }
    }
  ]
}
16. Guardrail: Disallow Changes to Encryption Configuration for AWS Control Tower Created S3 Buckets in Log Archive

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCTAUDITBUCKETENCRYPTIONCHANGESPROHIBITED",
      "Effect": "Deny",
      "Action": [
        "s3:PutEncryptionConfiguration"
      ],
      "Resource": ["arn:aws:s3:::aws-controltower*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
17. Guardrail: Disallow changes to lifecycle configuration for AWS Control Tower created Amazon S3 buckets in log archive

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCTAUDITBUCKETLIFECYCLECONFIGURATIONCHANGESPROHIBITED",
      "Effect": "Deny",
      "Action": [
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": ["arn:aws:s3:::aws-controltower*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
18. Guardrail: Disallow changes to logging configuration for AWS Control Tower created Amazon S3 buckets in log archive

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCTAUDITBUCKETLOGGINGCONFIGURATIONCHANGESPROHIBITED",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketLogging"
      ],
      "Resource": ["arn:aws:s3:::aws-controltower*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
19. Guardrail: Disallow changes to bucket policy for AWS Control Tower created Amazon S3 buckets in log archive

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCTAUDITBUCKETPOLICYCHANGESPROHIBITED",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPolicy",
        "s3:DeleteBucketPolicy"
      ],
      "Resource": ["arn:aws:s3:::aws-controltower*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
20. Guardrail: Disallow changes to AWS IAM roles set up by AWS Control Tower and AWS CloudFormation

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRIAMROLEPOLICY",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-controltower-*",
        "arn:aws:iam::*:role/*AWSControlTower*",
        "arn:aws:iam::*:role/stacksets-exec-*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/AWSControlTowerExecution",
            "arn:aws:iam::*:role/stacksets-exec-*"
          ]
        }
      }
    }
  ]
}
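Every guardrail above follows one pattern: an explicit Deny on a resource pattern, carved out for the AWSControlTowerExecution role through ArnNotLike and, in guardrails 11 and 15, narrowed to resources carrying the aws-control-tower tag. The Python below is an added example, not AWS code and not part of this post: a simplified evaluator for exactly the condition operators these SCPs use, run against guardrail 11 with constructed principals and a placeholder resource ARN (the account ids are made up). It ignores the Allow side of IAM evaluation and uses plain glob matching instead of IAM's component-wise ARN matching.

```python
import fnmatch

# Guardrail 11 from the page (GRCONFIGAGGREGATIONAUTHORIZATIONPOLICY) as a Python dict.
AGGREGATION_AUTH_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "GRCONFIGAGGREGATIONAUTHORIZATIONPOLICY",
    "Effect": "Deny",
    "Action": ["config:DeleteAggregationAuthorization"],
    "Resource": ["arn:aws:config:*:*:aggregation-authorization*"],
    "Condition": {
        "ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/AWSControlTowerExecution"},
        "StringLike": {"aws:ResourceTag/aws-control-tower": "managed-by-control-tower"}}}]}

# Constructed sample principals and resource; the account ids are placeholders.
DEV_ROLE = "arn:aws:iam::111122223333:role/DevAdmin"
CT_ROLE = "arn:aws:iam::111122223333:role/AWSControlTowerExecution"
AGG_AUTH = "arn:aws:config:us-east-1:111122223333:aggregation-authorization/999988887777/us-east-1"
CT_TAGS = {"aws-control-tower": "managed-by-control-tower"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob_any(value, patterns):
    # IAM-style wildcard match: '*' any run, '?' one char, case-sensitive.
    return value is not None and any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(cond, ctx):
    """Evaluate the operators the guardrails above use; IAM condition keys are case-insensitive."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())          # None when the key is absent from the request
            if op == "ArnNotLike" and _glob_any(actual, expected):
                return False
            if op == "StringLike" and not _glob_any(actual, expected):
                return False                       # absent key never matches (no IfExists here)
            if op == "StringEquals" and actual not in _as_list(expected):
                return False
            if op == "ForAllValues:StringEquals" and not all(k in _as_list(expected) for k in actual or []):
                return False                       # vacuously true for an empty key set
    return True

def is_denied(policy, action, resource, principal_arn, resource_tags=None, request_tag_keys=()):
    """True when some Deny statement matches; SCPs never grant, so only Deny matters here."""
    ctx = {"aws:principalarn": principal_arn, "aws:tagkeys": list(request_tag_keys)}
    for k, v in (resource_tags or {}).items():
        ctx[f"aws:resourcetag/{k}".lower()] = v
    return any(stmt["Effect"] == "Deny"
               and _glob_any(action, stmt["Action"])
               and _glob_any(resource, stmt["Resource"])
               and _condition_holds(stmt.get("Condition", {}), ctx)
               for stmt in policy["Statement"])
```

Running the three requests in the test below shows the scope boundary worth knowing: the dev role is blocked on a tagged authorization, the exempted role is not, and an authorization without the aws-control-tower tag is not protected by this guardrail at all.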