SandboxGuardrail.scp
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "LimitEC2InstanceType",
"Effect": "Deny",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringNotLike": {
"ec2:InstanceType": [
"t2.*",
"t3.*",
"t4g.*",
"m5.large",
"m5d.large",
"m6g.medium",
"m6g.large"
]
}
}
},
{
"Sid": "LimitRDSInstanceType",
"Effect": "Deny",
"Action": [
"rds:CreateDBInstance"
],
"Resource": [
"*"
],
"Condition": {
"StringNotLike": {
"rds:DatabaseClass": [
"db.m5.large",
"db.r5.large",
"db.t2.*",
"db.t3.*",
"db.t4g.*",
"db.serverless"
]
}
}
},
{
"Sid": "RestrictRegion",
"Effect": "Deny",
"Action": [
"autoscaling:Create*",
"backup:Create*",
"batch:Create*",
"cloudformation:Create*",
"cloudsearch:Create*",
"cognito-idp:Create*",
"dynamodb:Create*",
"ec2:Create*",
"ec2:Run*",
"ecr:Create*",
"ecs:Create*",
"eks:Create*",
"elasticbeanstalk:Create*",
"elasticfilesystem:Create*",
"elasticloadbalancing:Create*",
"elasticmapreduce:Run*",
"es:Create*",
"firehose:Create*",
"iot:Create*",
"kinesis:Create*",
"kinesisanalytics:Create*",
"lambda:Create*",
"lightsail:Create*",
"machinelearning:Create*",
"managedblockchain:Create*",
"rds:Create*",
"redshift:Create*",
"sagemaker:Create*",
"sagemaker:Start*",
"secretsmanager:Create*"
],
"Resource": [
"*"
],
"Condition": {
"StringNotEqualsIfExists": {
"aws:RequestedRegion": [
"us-east-1",
"us-east-2",
"us-west-1",
"us-west-2"
]
}
}
},
{
"Sid": "PreventCreatingExpensiveThings",
"Effect": "Deny",
"Action": [
"acm-pca:*",
"glue:CreateDevEndpoint",
"glue:CreateSession"
],
"Resource": [
"*"
]
}
]
}