NTC Guardrail Templates
Description
NTC Guardrail Templates provide a set of pre-configured Service Control Policies (SCPs) that can be customized and applied via NTC Organizations. These templates serve as guardrails that enforce security, compliance, and operational best practices across an AWS multi-account environment. The module renders the policy documents; applying them consistently to organizational units or accounts is handled by NTC Organizations, while the template inputs let you tailor each policy to your organization's needs.
Two properties of SCPs matter when designing guardrails: an SCP can only deny, never grant, so it caps what IAM principals in the targeted accounts may do, and it does not apply to the management account. This is why the templates accept principal exclusions by ARN: the default exclusion of OrganizationAccountAccessRole keeps the management account's cross-account administration path usable even in a suspended OU governed by deny_all.
Usage
| Latest Release | 1.0.3 |
|---|---|
- Service Control Policies (SCPs)
```hcl
# --------------------------------------------------------------------------------------------------
# ¦ NTC GUARDRAIL TEMPLATES
# --------------------------------------------------------------------------------------------------
module "ntc_guardrail_templates" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-guardrail-templates?ref=X.X.X"

  service_control_policy_templates = [
    {
      policy_name     = "scp_root_ou"
      target_ou_paths = ["/root"]
      template_names  = ["deny_leaving_organizations", "deny_actions_as_root"]
    },
    {
      policy_name            = "scp_suspended_ou"
      target_ou_paths        = ["/root/suspended", "/root/decommission"]
      template_names         = ["deny_all"]
      exclude_principal_arns = ["arn:aws:iam::*:role/OrganizationAccountAccessRole"]
    },
    {
      policy_name            = "scp_workloads_ou"
      target_ou_paths        = ["/root/workloads"]
      template_names         = ["deny_outside_allowed_regions"]
      allowed_regions        = ["eu-central-1", "eu-central-2"]
      exclude_principal_arns = ["arn:aws:iam::*:role/OrganizationAccountAccessRole"]
    }
  ]
}
```
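To see what the scp_workloads_ou entry above actually blocks, the following added example (not the module's own code, and not its real output) renders the kind of policy document the deny_outside_allowed_regions, deny_leaving_organizations and deny_actions_as_root templates describe, checks it against the SCP size limit, and evaluates sample requests against it. The JSON shape is an assumption based on the common AWS region-restriction pattern (Deny with a NotAction whitelist, conditioned on aws:RequestedRegion and aws:PrincipalArn); the function names render_scp, scp_size_ok and denied_by, the Sid values, and the reduced default whitelist_for_other_regions are mine, and the principal exclusion is applied to the region statements only.

```python
"""Added example (not the module's code): render an SCP document of the kind the
guardrail templates describe and test which requests it would deny.

Assumptions: the JSON shape follows the common AWS region-restriction pattern
(Deny + NotAction whitelist + aws:RequestedRegion / aws:PrincipalArn conditions);
the real module may render its statements differently.
"""
import json
from fnmatch import fnmatchcase

SCP_MAX_BYTES = 5120  # AWS Organizations limit for one SCP document


def _match(value, patterns, case_sensitive):
    # IAM '*' and '?' wildcards; actions match case-insensitively, ARNs case-sensitively.
    # fnmatch also treats '[...]' specially, which IAM does not; none of our inputs use it.
    if not case_sensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def render_scp(allowed_regions, exclude_principal_arns,
               whitelist_for_allowed_regions=("*",),
               whitelist_for_other_regions=("iam:*", "sts:*", "organizations:*")):
    """Assumed rendering of deny_outside_allowed_regions, deny_leaving_organizations
    and deny_actions_as_root in one document (the real module may differ)."""
    exclude = {"ArnNotLike": {"aws:PrincipalArn": list(exclude_principal_arns)}}
    statements = [
        {"Sid": "DenyOutsideAllowedRegions", "Effect": "Deny",
         "NotAction": list(whitelist_for_other_regions), "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)},
                       **exclude}},
    ]
    if list(whitelist_for_allowed_regions) != ["*"]:
        # Inside the allowed regions only the whitelisted actions stay usable.
        statements.append(
            {"Sid": "DenyOutsideWhitelistInAllowedRegions", "Effect": "Deny",
             "NotAction": list(whitelist_for_allowed_regions), "Resource": "*",
             "Condition": {"StringEquals": {"aws:RequestedRegion": list(allowed_regions)},
                           **exclude}})
    statements += [
        {"Sid": "DenyLeavingOrganizations", "Effect": "Deny",
         "Action": ["organizations:LeaveOrganization"], "Resource": "*"},
        {"Sid": "DenyActionsAsRoot", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"ArnLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}}},
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def scp_size_ok(policy):
    """True if the minified document fits the SCP size limit (whitespace stripped)."""
    return len(json.dumps(policy, separators=(",", ":")).encode()) <= SCP_MAX_BYTES


def denied_by(policy, principal_arn, action, region):
    """Return the Sid of the first Deny statement matching the request, else None.
    SCPs only restrict: a request no statement matches is merely not blocked by this SCP."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if "Action" in st:
            acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            if not _match(action, acts, False):
                continue
        elif _match(action, st["NotAction"], False):
            continue  # whitelisted action, this statement does not apply
        cond = st.get("Condition", {})
        sne = cond.get("StringNotEquals", {}).get("aws:RequestedRegion")
        if sne is not None and region in sne:
            continue
        seq = cond.get("StringEquals", {}).get("aws:RequestedRegion")
        if seq is not None and region not in seq:
            continue
        anl = cond.get("ArnNotLike", {}).get("aws:PrincipalArn")
        if anl is not None and _match(principal_arn, anl, True):
            continue  # excluded principal, e.g. OrganizationAccountAccessRole
        al = cond.get("ArnLike", {}).get("aws:PrincipalArn")
        if al is not None and not _match(principal_arn, al, True):
            continue
        return st["Sid"]
    return None


if __name__ == "__main__":
    # Constructed sample input mirroring the scp_workloads_ou entry above.
    scp = render_scp(["eu-central-1", "eu-central-2"],
                     ["arn:aws:iam::*:role/OrganizationAccountAccessRole"])
    print(json.dumps(scp, indent=2))
    print("size ok:", scp_size_ok(scp))
    dev = "arn:aws:iam::111111111111:role/Developer"
    print(denied_by(scp, dev, "ec2:RunInstances", "us-east-1"))     # DenyOutsideAllowedRegions
    print(denied_by(scp, dev, "ec2:RunInstances", "eu-central-1"))  # None
```

The evaluator only models the Deny side, which is all an SCP has; it does not replace IAM policy simulation, but it is enough to catch the two mistakes that bite in practice: forgetting a global service in the other-regions whitelist (IAM or STS calls suddenly fail) and omitting the OrganizationAccountAccessRole exclusion before applying a broad deny.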
Requirements
The following requirements are needed by this module:
- terraform (>= 1.3.0)
- aws (>= 4.0)
Providers
The following providers are used by this module:
- aws (>= 4.0)
Modules
No modules.
Resources
The following resources are used by this module:
- aws_iam_policy_document.ntc_scp (data source)
- aws_partition.current (data source)
Required Inputs
The following input variables are required:
service_control_policy_templates
Description: List of templates which should be used to generate Service Control Policies (SCP).
Type:
```hcl
list(object({
  policy_name                   = string
  template_names                = list(string)
  target_ou_paths               = optional(list(string), [])
  target_account_ids            = optional(list(string), [])
  exclude_principal_arns        = optional(list(string), ["arn:aws:iam::*:role/OrganizationAccountAccessRole"])
  iam_arns_to_protect           = optional(list(string), [])
  allowed_regions               = optional(list(string), [])
  whitelist_for_allowed_regions = optional(list(string), ["*"])
  whitelist_for_other_regions = optional(list(string),
    [
      "a4b:*",
      "acm:*",
      "aws-marketplace-management:*",
      "aws-marketplace:*",
      "aws-portal:*",
      "budgets:*",
      "ce:*",
      "chime:*",
      "cloudfront:*",
      "config:*",
      "cur:*",
      "directconnect:*",
      "ec2:DescribeRegions",
      "ec2:DescribeTransitGateways",
      "ec2:DescribeVpnGateways",
      "fms:*",
      "globalaccelerator:*",
      "health:*",
      "iam:*",
      "importexport:*",
      "kms:*",
      "mobileanalytics:*",
      "networkmanager:*",
      "organizations:*",
      "pricing:*",
      "route53:*",
      "route53domains:*",
      "route53-recovery-cluster:*",
      "route53-recovery-control-config:*",
      "route53-recovery-readiness:*",
      "s3:GetAccountPublic*",
      "s3:ListAllMyBuckets",
      "s3:ListMultiRegionAccessPoints",
      "s3:PutAccountPublic*",
      "shield:*",
      "sts:*",
      "support:*",
      "trustedadvisor:*",
      "waf-regional:*",
      "waf:*",
      "wafv2:*",
      "wellarchitected:*"
    ]
  )
}))
```
Optional Inputs
No optional inputs.
Outputs
The following outputs are exported:
service_control_policies
Description: Service Control Policies grouped by policy name.