Add SCP to deny user create

Author: snemetz

.pre-commit-config.yaml

@@ -37,3 +37,11 @@ repos:
   hooks:
     - id: shellcheck
     #- id: markdown-link-check
+# - repo: https://github.com/igorshubovych/markdownlint-cli
+#   rev: v0.23.2
+#   hooks:
+#     - id: markdownlint
+#       args: [
+#         "--config=.mdlrc"
+#       ]
+#default_stages: [commit, push]

.terraform-docs.yml

@@ -1,4 +1,11 @@
+
+# https://terraform-docs.io/user-guide/configuration/
+
 formatter: markdown
 #settings:
 #  anchor: false
 #  html: false
+
+#sort:
+#  enabled: true
+#  by: required

.tflint.hcl

@@ -1,4 +1,7 @@
 
+# https://github.com/terraform-linters/tflint
+# https://github.com/terraform-linters/tflint/tree/master/docs/user-guide
+
 # Run: tflint --init
 
 plugin "aws" {
@@ -7,15 +10,33 @@ plugin "aws" {
     source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }
 
+rule "terraform_deprecated_index" {
+  enabled = true
+}
+rule "terraform_deprecated_interpolation" {
+  enabled = true
+}
 rule "terraform_documented_outputs" {
   enabled = true
 }
 rule "terraform_documented_variables" {
   enabled = true
 }
+rule "terraform_required_providers" {
+  enabled = true
+}
+rule "terraform_required_version" {
+  enabled = true
+}
+#rule "terraform_standard_module_structure" {
+#  enabled = true
+#}
 rule "terraform_typed_variables" {
   enabled = true
 }
 rule "terraform_unused_declarations" {
   enabled = true
 }
+rule "terraform_unused_required_providers" {
+  enabled = true
+}

kms.tf

@@ -2,7 +2,7 @@
 # Manage KMS keys
 
 # CloudTrail
-#   regional replicas ??
+#   key in region where S3 bucket is. Can be cross account
 # EBS
 #   regional replicas
 # S3
@@ -32,7 +32,7 @@
 #}
 
 # CloudTrail KMS policy
-# Allow access to all accounts and regions
+# Allow access to all accounts and regions - Not needed for org controlled trail
 #{
 #    "Sid": "Allow CloudTrail to encrypt logs",
 #    "Effect": "Allow",

modules/scp/README.md

@@ -33,6 +33,7 @@ No modules.
 | [aws_organizations_policy.deny_ebs_default_encryption_disable](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.deny_ecr_create_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.deny_guardduty_modify](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
+| [aws_organizations_policy.deny_iam_user_create](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.deny_member_leaving](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.deny_s3_public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.deny_s3_unsecure_requests](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |

modules/scp/REFERENCES.txt

@@ -5,7 +5,7 @@ https://asecure.cloud/l/scp/
 https://summitroute.com/blog/2020/03/25/aws_scp_best_practices/
 https://globaldatanet.com/tech-blog/scp-best-practices
 https://d1.awsstatic.com/whitepapers/building_an_aws_perimeter.pdf
-
+https://cloudsecdocs.com/aws/defensive/resources/scps/#sample-scps
 
 Update all SCP to exclude role "arn:aws:iam::*:role/OrganizationAccountAccessRole" from deny policies
 As a variable??

modules/scp/files/deny-ecr-except.json

@@ -0,0 +1,29 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "DenyECRCreateWrite",
+      "Effect": "Deny",
+      "Action": [
+        "ecr:BatchDeleteImage",
+        "ecr:CompleteLayerUpload",
+        "ecr:CreateRepository",
+        "ecr:DeleteRepository",
+        "ecr:DeleteRepositoryPolicy",
+        "ecr:GetRepositoryPolicy",
+        "ecr:InitiateLayerUpload",
+        "ecr:PutImage",
+        "ecr:SetRepositoryPolicy",
+        "ecr:UploadLayerPart"
+      ],
+      "Resource": [
+        "*"
+      ],
+      "Condition": {
+        "StringNotLike": {
+          "aws:PrincipalARN":"arn:aws:sts::*:assumed-role/OrganizationAccountAccessRole/*"
+        }
+      }
+    }
+  ]
+}

modules/scp/files/deny-iam-user-create.json

@@ -0,0 +1,15 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "DenyUserCreate",
+      "Effect": "Deny",
+      "Action": [
+        "iam:CreateUser"
+      ],
+      "Resource": [
+        "*"
+      ]
+    }
+  ]
+}

modules/scp/main.tf

@@ -86,13 +86,20 @@ resource "aws_organizations_policy" "deny_guardduty_modify" {
 #resource "aws_organizations_policy" "deny_iam_password_policy_modify" {
 #  count = local.enable && var.enable_iam ? 1 : 0
 #  name = "deny_iam_password_policy_modify"
-#  description = "Prevent ECR from being created or written too"
+#  description = "Prevent IAM password policy from being modified"
 #  tags = var.tags
 #  type = "SERVICE_CONTROL_POLICY"
-#  content = file("${path.module}/files/deny-ecr-create-write.json")
+#  content = file("${path.module}/files/deny-iam-password-policy-modify.json")
 #}
-# TODO:
-#   deny user create
+resource "aws_organizations_policy" "deny_iam_user_create" {
+  count       = local.enable && var.enable_iam ? 1 : 0
+  name        = "deny_iam_user_create"
+  description = "Prevent Users from being created"
+  tags        = var.tags
+  type        = "SERVICE_CONTROL_POLICY"
+  content     = file("${path.module}/files/deny-iam-user-create.json")
+}
+
 ### -----------------------
 ### Organization
 ### -----------------------