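# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
############################################################
# Use this file to declare your data perimeter definitions.
# The baseline section is applied to all AWS accounts.
# You can have an account-specific configuration that expands the baseline.
# To have an account-specific configuration, create a section
# with the account ID as the key.
#
# NOTE(review): an unquoted 12-digit account ID such as `111111111111:` is
# parsed by YAML as an integer, not a string. If the consumer looks sections
# up with the account ID as a string (the form the AWS APIs return), an
# integer key would silently never match and only the baseline would apply.
# Confirm how the loader handles the key type, or quote the key
# ('111111111111':) if the consumer expects strings.
############################################################
---
baseline:
  # Empty lists mean nothing is trusted at the baseline level; account
  # sections below can add entries. `[]` is used deliberately -- a bare
  # `key:` would be parsed as null rather than an empty list.
  network_perimeter_expected_public_cidr: []
  network_perimeter_expected_vpc: []
  network_perimeter_expected_vpc_endpoint: []
  network_perimeter_human_role_arn: []
  network_perimeter_trusted_account: []
  network_perimeter_trusted_principal: []
  identity_perimeter_trusted_account: []
  identity_perimeter_trusted_principal: []
  resource_perimeter_trusted_bucket_name:
    # List of AWS-owned buckets. This list is provided as an example and is
    # not maintained in this repository.
    # For the most up-to-date list see:
    # https://github.com/aws-samples/data-perimeter-policy-examples/tree/main/vpc_endpoint_policies
    #
    # NOTE(review): these entries contain regex syntax ([\w-]*), so they are
    # presumably matched as regular expressions by the consumer. Before
    # relying on them as a trust boundary, confirm in the consumer that
    # (1) matching is anchored (fullmatch rather than search), otherwise an
    # entry such as 'al2023-[\w-]*' also matches a bucket named
    # 'attacker-al2023-drop', and (2) the unescaped '.' in entries such as
    # 'packages.[\w-]*.amazonaws.com' is acceptable -- it matches any
    # character, which is wider than the literal bucket names intended.
    # Entries are single-quoted so the backslashes stay literal and a leading
    # '[' is not read as a YAML flow sequence.
    - 'packages.[\w-]*.amazonaws.com'
    - 'repo.[\w-]*.amazonaws.com'
    - 'amazonlinux.[\w-]*.amazonaws.com'
    - 'amazonlinux-2-repos-[\w-]*'
    - 'al2023-[\w-]*'
    - 'repo.[\w-]*.emr.amazonaws.com'
    - 'prod.[\w-]*.appinfo.src'
    - 'aws-ssm-[\w-]*'
    - 'aws-windows-downloads-[\w-]*'
    - 'amazon-ssm-[\w-]*'
    - 'amazon-ssm-packages-[\w-]*'
    - '[\w-]*-birdwatcher-prod'
    - 'aws-ssm-distributor-file-[\w-]*'
    - 'aws-ssm-document-attachments-[\w-]*'
    - 'patch-baseline-snapshot-[\w-]*'
    - 'aws-patchmanager-macos-[\w-]*'
    - 'amazoncloudwatch-agent-[\w-]*'
    - 'amazoncloudwatch-agent'
    - 'aws-codedeploy-[\w-]*'
    - 'ec2imagebuilder-toe-[\w-]*-prod'
    - 'ec2imagebuilder-managed-resources-[\w-]*-prod/components'
    - 'prod-[\w-]*-starport-layer-bucket'
    - 'aws-mgn-clients-[\w-]*'
    - 'aws-mgn-clients-hashes-[\w-]*'
    - 'aws-mgn-internal-[\w-]*'
    - 'aws-mgn-internal-hashes-[\w-]*'
    - 'aws-application-migration-service-[\w-]*'
    - 'aws-application-migration-service-hashes-[\w-]*'
    - 'aws-drs-clients-[\w-]*'
    - 'aws-drs-clients-hashes-[\w-]*'
    - 'aws-drs-internal-[\w-]*'
    - 'aws-drs-internal-hashes-[\w-]*'
    - 'aws-elastic-disaster-recovery-[\w-]*'
    - 'aws-elastic-disaster-recovery-hashes-[\w-]*'
  # NOTE(review): a bare value is parsed as null. If the consumer expects an
  # empty list or mapping here, write `[]` or `{}` explicitly -- confirm the
  # expected type against the loader.
  org_unit_boundary:
  # Maximum number of Athena SQL results per query (integer).
  athena_sql_limit: 250

# Example configuration that applies only to AWS account 111111111111.
# Values here expand the baseline for that account; they do not replace it.
111111111111:
  # Public CIDR ranges from which API calls are expected for this account.
  network_perimeter_expected_public_cidr:
    - 1.1.1.1/32
  network_perimeter_expected_vpc:
    - vpc-xxxxxxxxxx
  network_perimeter_expected_vpc_endpoint:
    - vpce-xxxxxxxxx
  # Roles used by humans (not expected to be bound to a VPC/CIDR).
  network_perimeter_human_role_arn:
    - role/CloudOps
  network_perimeter_trusted_principal:
    - role/trusted_role_network_perimeter
  identity_perimeter_trusted_account: []
  identity_perimeter_trusted_principal: []
  # Plain bucket name (no regex syntax) trusted for this account only.
  resource_perimeter_trusted_bucket_name:
    - trusted-s3-bucket-111111111111
  athena_sql_limit: 250
  # Resource-level override keyed by CloudFormation resource type and then by
  # resource name; nested under the account, so it presumably applies to that
  # bucket in this account only -- confirm the scoping with the consumer.
  "AWS::S3::Bucket":
    "my-bucket-11111111":
      network_perimeter_expected_vpc_endpoint:
        - vpce-yyyyyyyyy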