# NTC Guardrail Templates

## Description

NTC Guardrail Templates provide a set of best practice Service Control Policies (SCPs) and Resource Control Policies (RCPs). These policies serve as guardrails to enforce security, compliance, and operational best practices across your AWS multi-account environment. By automating the deployment of SCPs and RCPs, this building block ensures consistent governance while allowing you to tailor policies to your organization’s specific needs.
NTC Guardrail Templates can be easily customized and then applied via NTC Organizations.
## Usage

| Latest Release | 2.0.0 |
|---|---|
## Requirements

The following requirements are needed by this module:

- terraform (>= 1.5.0)
- aws (>= 6.0)
## Providers

The following providers are used by this module:
- aws (>= 6.0)
## Modules

No modules.
## Resources

The following resources are used by this module:
- aws_iam_policy_document.ntc_rcp (data source)
- aws_iam_policy_document.ntc_scp (data source)
- aws_partition.current (data source)
## Required Inputs

No required inputs.
## Optional Inputs

The following input variables are optional (have default values):
### resource_control_policy_templates

Description: List of templates which should be used to generate Resource Control Policies (RCPs).

Type:

```hcl
list(object({
  policy_name        = string
  policy_description = optional(string, "")
  template_names     = list(string)
  target_ou_paths    = optional(list(string), [])
  target_account_ids = optional(list(string), [])
  # template specific parameters
  org_id = optional(string, "")
  enforced_service_actions = optional(list(string), [
    "s3:*",
    "sqs:*",
    "kms:*",
    "secretsmanager:*",
    "sts:*",
  ])
  s3_tls_minimum_version = optional(string, "1.2")
  exclude_principal_arns = optional(list(string), [])
  exclude_resource_arns  = optional(list(string), [])
}))
```

Default: `[]`
### service_control_policy_templates

Description: List of templates which should be used to generate Service Control Policies (SCPs).

Type:

```hcl
list(object({
  policy_name        = string
  policy_description = optional(string, null)
  template_names     = list(string)
  target_ou_paths    = optional(list(string), [])
  target_account_ids = optional(list(string), [])
  # template specific parameters
  exclude_principal_arns                 = optional(list(string), ["arn:aws:iam::*:role/OrganizationAccountAccessRole"])
  exclude_bedrock_inference_profile_arns = optional(list(string), [])
  iam_arns_to_protect                    = optional(list(string), [])
  allowed_regions                        = optional(list(string), [])
  whitelist_for_allowed_regions          = optional(list(string), ["*"])
  whitelist_for_other_regions = optional(list(string),
    [
      "a4b:*",
      "acm:*",
      "aws-marketplace-management:*",
      "aws-marketplace:*",
      "aws-portal:*",
      "budgets:*",
      "ce:*",
      "chime:*",
      "cloudfront:*",
      "config:*",
      "cur:*",
      "directconnect:*",
      "ec2:DescribeRegions",
      "ec2:DescribeTransitGateways",
      "ec2:DescribeVpnGateways",
      "fms:*",
      "globalaccelerator:*",
      "health:*",
      "iam:*",
      "importexport:*",
      "kms:*",
      "mobileanalytics:*",
      "networkmanager:*",
      "organizations:*",
      "pricing:*",
      "route53:*",
      "route53domains:*",
      "route53-recovery-cluster:*",
      "route53-recovery-control-config:*",
      "route53-recovery-readiness:*",
      "s3:GetAccountPublic*",
      "s3:ListAllMyBuckets",
      "s3:ListMultiRegionAccessPoints",
      "s3:PutAccountPublic*",
      "shield:*",
      "sts:*",
      "support:*",
      "trustedadvisor:*",
      "waf-regional:*",
      "waf:*",
      "wafv2:*",
      "wellarchitected:*"
    ]
  )
}))
```

Default: `[]`
## Outputs

The following outputs are exported:
### resource_control_policies

Description: Resource Control Policies (RCPs) grouped by policy name.
### service_control_policies

Description: Service Control Policies (SCPs) grouped by policy name.
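An added usage example, not part of the module's own documentation, that fills in both input schemas above (a region-restricted SCP with protected IAM roles, and an organization data-perimeter RCP with TLS 1.2 enforced for S3) and hands the outputs to NTC Organizations. The module source addresses, the `<...-template>` names and the NTC Organizations input names are placeholders and assumptions, since this page lists none of them; OU paths, account IDs and ARNs are constructed sample values.

```hcl
# Added usage example (not from the module's own docs). Placeholders:
# module sources and the <template-...> names, which this page does not list.
# OU paths, account IDs and ARNs are constructed sample values.
module "ntc_guardrail_templates" {
  source = "<ntc-guardrail-templates module source>" # placeholder

  service_control_policy_templates = [
    {
      policy_name        = "ntc-scp-core-guardrails"
      policy_description = "Region restriction and IAM role protection for workload accounts"
      template_names     = ["<region-restriction-template>", "<protect-iam-template>"] # placeholders
      target_ou_paths    = ["/root/workloads"]

      # template specific parameters
      allowed_regions               = ["eu-central-1", "eu-west-1"]
      whitelist_for_allowed_regions = ["*"]
      # whitelist_for_other_regions keeps its default (global services such as iam, sts, route53)
      exclude_principal_arns = [
        "arn:aws:iam::*:role/OrganizationAccountAccessRole", # keep the default landing-zone role
        "arn:aws:iam::*:role/ntc-break-glass",                # constructed sample
      ]
      iam_arns_to_protect = ["arn:aws:iam::*:role/ntc-*"] # constructed sample
    },
  ]

  resource_control_policy_templates = [
    {
      policy_name        = "ntc-rcp-data-perimeter"
      policy_description = "Limit resource access to this organization's principals over TLS 1.2+"
      template_names     = ["<identity-perimeter-template>", "<s3-tls-template>"] # placeholders
      target_ou_paths    = ["/root/workloads"]
      target_account_ids = ["111111111111"] # constructed sample

      # template specific parameters
      org_id                   = "o-exampleorgid" # constructed sample
      enforced_service_actions = ["s3:*", "sqs:*", "kms:*", "secretsmanager:*", "sts:*"]
      s3_tls_minimum_version   = "1.2"
      exclude_resource_arns    = ["arn:aws:s3:::ntc-public-website-*"] # constructed sample
    },
  ]
}

# Outputs are grouped by policy name; the NTC Organizations input names are assumed.
module "ntc_organizations" {
  source = "<ntc-organizations module source>" # placeholder

  service_control_policies  = module.ntc_guardrail_templates.service_control_policies
  resource_control_policies = module.ntc_guardrail_templates.resource_control_policies
}
```

Review the generated policy documents with `terraform plan` before attaching them, since a region or principal omitted from the exclusion lists is denied organization-wide once the SCP is applied.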