SCP-Updates (#419)

* SCP-Updates
- Protect CWL SUbscription filters
- Enforce EFS encryption (new)
- Protect SSM settings
- Protect Accelerator KMS keys
- Further Protect Accelerator Log Groups
- Add note on throttling issue with interface endpoints
- add-policy-protection-accel-policies

Author: Brian969

docs/installation/installation.md

@@ -427,6 +427,7 @@ Finally, while we started with a goal of delivering on the 12 guardrails, we bel
 - Security Group names were designed to be identical between environments, if you want the VPC name in the SG name, you need to do it manually in the config file
 - We only support the subset of yaml that converts to JSON (we do not support anchors)
 - We do NOT support changing the `organization-admin-role`, this value must be set to `AWSCloudFormationStackSetExecutionRole` at this time.
+- Adding more than approximately 50 _new_ VPC Interface Endpoints across _all_ regions in any one account in any single state machine execution will cause the state machine to fail due to Route 53 throttling errors. If adding endpoints at scale, only deploy 1 region at a time. In this scenario, the stack(s) will fail to properly delete, also based on the throttling, and will require manual removal.
 
 ## 3.3. Considerations: Importing existing AWS Accounts / Deploying Into Existing AWS Organizations
 

reference-artifacts/SCPs/PBMMAccel-Guardrails-Part1.json

@@ -121,7 +121,7 @@
       }
     },
     {
-      "Sid": "DenyKeyRoles",
+      "Sid": "DenyRoles",
       "Effect": "Deny",
       "Action": ["iam:*"],
       "Resource": [
@@ -139,7 +139,7 @@
       }
     },
     {
-      "Sid": "DenySSMDel",
+      "Sid": "DenySSM",
       "Effect": "Deny",
       "Action": [
         "ssm:DeleteParameter",
@@ -164,7 +164,7 @@
       }
     },
     {
-      "Sid": "DenyLogDel",
+      "Sid": "DenyLog",
       "Effect": "Deny",
       "Action": [
         "ec2:DeleteFlowLogs",
@@ -176,6 +176,7 @@
         "logs:DeleteLogDelivery",
         "logs:DeleteDestination",
         "logs:PutRetentionPolicy",
+        "logs:PutSubscriptionFilter",
         "logs:DeleteLogStream"
       ],
       "Resource": "*",
@@ -189,7 +190,7 @@
       }
     },
     {
-      "Sid": "DenyLeaveOrg",
+      "Sid": "DenyOrg",
       "Effect": "Deny",
       "Action": "organizations:LeaveOrganization",
       "Resource": "*"

reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json

@@ -2,7 +2,7 @@
   "Version": "2012-10-17",
   "Statement": [
     {
-      "Sid": "BlockMarketplacePMP",
+      "Sid": "BlockPMP",
       "Effect": "Deny",
       "Action": [
         "aws-marketplace:CreatePrivateMarketplace",
@@ -40,7 +40,7 @@
       }
     },
     {
-      "Sid": "EnforceEbsEncryption",
+      "Sid": "EbsEncrypt1",
       "Effect": "Deny",
       "Action": "ec2:RunInstances",
       "Resource": "arn:aws:ec2:*:*:volume/*",
@@ -51,7 +51,7 @@
       }
     },
     {
-      "Sid": "EnforceEBSVolumeEncryption",
+      "Sid": "EBSEncrypt2",
       "Effect": "Deny",
       "Action": "ec2:CreateVolume",
       "Resource": "*",
@@ -62,7 +62,18 @@
       }
     },
     {
-      "Sid": "EnforceRdsEncryption",
+      "Sid": "EFSEncrypt",
+      "Effect": "Deny",
+      "Action": "elasticfilesystem:CreateFileSystem",
+      "Resource": "*",
+      "Condition": {
+        "Bool": {
+          "elasticfilesystem:Encrypted": "false"
+        }
+      }
+    },
+    {
+      "Sid": "RdsEncrypt",
       "Effect": "Deny",
       "Action": "rds:CreateDBInstance",
       "Resource": "arn:aws:rds:*:*:db:*",
@@ -76,7 +87,7 @@
       }
     },
     {
-      "Sid": "EnforceAuroraEncryption",
+      "Sid": "AuroraEncrypt",
       "Effect": "Deny",
       "Action": "rds:CreateDBCluster",
       "Resource": "*",
@@ -89,6 +100,32 @@
         }
       }
     },
+    {
+      "Action": ["ssm:CreateDocument", "ssm:UpdateDocument", "ssm:DeleteDocument"],
+      "Effect": "Deny",
+      "Resource": ["arn:aws:ssm:::document/SSM-SessionManagerRunShell"],
+      "Condition": {
+        "ArnNotLike": {
+          "aws:PrincipalARN": [
+            "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+            "arn:aws:iam::*:role/PBMMAccel-*"
+          ]
+        }
+      }
+    },
+    {
+      "Effect": "Deny",
+      "Action": ["kms:DeleteAlias", "kms:UpdateAlias", "kms:DisableKey", "kms:ImportKeyMaterial", "kms:PutKeyPolicy"],
+      "Resource": "arn:aws:kms:::alias/PBMMAccel*",
+      "Condition": {
+        "ArnNotLike": {
+          "aws:PrincipalARN": [
+            "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+            "arn:aws:iam::*:role/PBMMAccel-*"
+          ]
+        }
+      }
+    },
     {
       "Sid": "DenyRDGWRole",
       "Effect": "Deny",
@@ -104,7 +141,40 @@
       }
     },
     {
-      "Sid": "DenyGDSHFMAAChange",
+      "Sid": "DenyLog2",
+      "Effect": "Deny",
+      "Action": ["logs:AssociateKmsKey", "logs:DisassociateKmsKey", "logs:PutDestination", "logs:PutDestinationPolicy"],
+      "Resource": "arn:aws:logs:::log-group:*PBMMAccel*",
+      "Condition": {
+        "ArnNotLike": {
+          "aws:PrincipalARN": [
+            "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+            "arn:aws:iam::*:role/PBMMAccel-*"
+          ]
+        }
+      }
+    },
+    {
+      "Sid": "DenyPolicy",
+      "Effect": "Deny",
+      "Action": [
+        "iam:CreatePolicy",
+        "iam:DeletePolicy",
+        "iam:DeletePolicyVersion",
+        "iam:SetDefaultPolicyVersion",
+        "iam:CreatePolicyVersion"
+      ],
+      "Resource": "arn:aws:iam::*:policy/PBMMAccel-*",
+      "Condition": {
+        "ArnNotLike": {
+          "aws:PrincipalARN": [
+            "arn:aws:iam::*:role/PBMMAccel-*"
+          ]
+        }
+      }
+    },
+    {
+      "Sid": "DenySecurity",
       "Effect": "Deny",
       "Action": [
         "guardduty:AcceptInvitation",