Merge pull request #17 from jplock/jp-new-policies

[feat] Add declarative policy
aws-samples · Feb 12, 2025 · 3e571e6 · 3e571e6
2 parents 9746c50 + 73180f7
commit 3e571e6
Show file tree

Hide file tree

Showing 3 changed files with 107 additions and 67 deletions.
diff --git a/policies/ai_opt_out_policy.json b/policies/ai_opt_out_policy.json
diff --git a/policies/ec2_declarative_policy.json b/policies/ec2_declarative_policy.json
diff --git a/template.yml b/template.yml
@@ -199,6 +199,113 @@ Resources:
       TargetIds:
         - !GetAtt rOrganization.RootId
       Type: RESOURCE_CONTROL_POLICY
+
+  rRootDeclarativePolicyEC2:
+    Type: "AWS::Organizations::Policy"
+    DependsOn: rActivateCustomResource
+    Properties:
+      Content: |-
+        {
+          "ec2_attributes": {
+            "allowed_images_settings": {
+              "state": {
+                "@@assign": "enabled"
+              },
+              "image_criteria": {
+                "criteria_1": {
+                  "allowed_image_providers": {
+                    "@@assign": [
+                      "amazon",
+                      "aws_marketplace",
+                      "aws_backup_vault"
+                    ]
+                  }
+                }
+              }
+            },
+            "image_block_public_access": {
+              "state": {
+                "@@assign": "block_new_sharing"
+              }
+            },
+            "instance_metadata_defaults": {
+              "http_tokens": {
+                "@@assign": "required"
+              },
+              "http_put_response_hop_limit": {
+                "@@assign": 2
+              },
+              "http_endpoint": {
+                "@@assign": "enabled"
+              },
+              "instance_metadata_tags": {
+                "@@assign": "enabled"
+              }
+            },
+            "serial_console_access": {
+              "status": {
+                "@@assign": "disabled"
+              }
+            },
+            "snapshot_block_public_access": {
+              "state": {
+                "@@assign": "block_all_sharing"
+              }
+            },
+            "vpc_block_public_access": {
+              "internet_gateway_block": {
+                "mode": {
+                  "@@assign": "off"
+                },
+                "exclusions_allowed": {
+                  "@@assign": "disabled"
+                }
+              }
+            }
+          }
+        }
+      Description: Enforce strong security practices
+      Name: RootPolicy
+      Tags:
+        - Key: "aws-cloudformation:stack-name"
+          Value: !Ref "AWS::StackName"
+        - Key: "aws-cloudformation:stack-id"
+          Value: !Ref "AWS::StackId"
+        - Key: "aws-cloudformation:logical-id"
+          Value: rRootDeclarativePolicyEC2
+      TargetIds:
+        - !GetAtt rOrganization.RootId
+      Type: DECLARATIVE_POLICY_EC2
+
+  rRootAIOptOutPolicy:
+    Type: "AWS::Organizations::Policy"
+    DependsOn: rActivateCustomResource
+    Properties:
+      Content: |-
+        {
+          "services": {
+            "@@operators_allowed_for_child_policies": ["@@none"],
+            "default": {
+              "@@operators_allowed_for_child_policies": ["@@none"],
+              "opt_out_policy": {
+                "@@operators_allowed_for_child_policies": ["@@none"],
+                "@@assign": "optOut"
+              }
+            }
+          }
+        }
+      Description: Opt-out of AI service data collection
+      Name: RootPolicy
+      Tags:
+        - Key: "aws-cloudformation:stack-name"
+          Value: !Ref "AWS::StackName"
+        - Key: "aws-cloudformation:stack-id"
+          Value: !Ref "AWS::StackId"
+        - Key: "aws-cloudformation:logical-id"
+          Value: rRootAIOptOutPolicy
+      # TargetIds:
+      #  - !GetAtt rOrganization.RootId
+      Type: AISERVICES_OPT_OUT_POLICY
 
   rExceptionsOu:
     Type: "AWS::Organizations::OrganizationalUnit"