{ "Version": "2012-10-17", "Statement": [ { "Sid": "EnforceOrgBoundaryForS3", "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*", "Condition": { "StringNotEqualsIfExists": { "aws:PrincipalOrgID": "o-REPLACE-ME" }, "BoolIfExists": { "aws:PrincipalIsAWSService": "false" }, "ArnNotLikeIfExists": { "aws:PrincipalArn": [ "arn:aws:iam::111122223333:role/TrustedVendorRole" ] } } }, { "Sid": "EnforceTLSForS3", "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*", "Condition": { "Bool": { "aws:SecureTransport": "false" } } }, { "Sid": "EnforceOrgBoundaryForKMS", "Effect": "Deny", "Principal": "*", "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyPair", "kms:ReEncryptFrom", "kms:ReEncryptTo" ], "Resource": "*", "Condition": { "StringNotEqualsIfExists": { "aws:PrincipalOrgID": "o-REPLACE-ME" }, "BoolIfExists": { "aws:PrincipalIsAWSService": "false" } } }, { "Sid": "EnforceOrgBoundaryForSecretsManager", "Effect": "Deny", "Principal": "*", "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds" ], "Resource": "*", "Condition": { "StringNotEqualsIfExists": { "aws:PrincipalOrgID": "o-REPLACE-ME" }, "BoolIfExists": { "aws:PrincipalIsAWSService": "false" } } }, { "Sid": "EnforceOrgBoundaryForSQS", "Effect": "Deny", "Principal": "*", "Action": [ "sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:PurgeQueue" ], "Resource": "*", "Condition": { "StringNotEqualsIfExists": { "aws:PrincipalOrgID": "o-REPLACE-ME" }, "BoolIfExists": { "aws:PrincipalIsAWSService": "false" } } }, { "Sid": "ConfusedDeputyProtectionForSTS", "Effect": "Deny", "Principal": "*", "Action": [ "sts:AssumeRole", "sts:SetSourceIdentity" ], "Resource": "*", "Condition": { "StringNotEqualsIfExists": { "aws:SourceOrgID": "o-REPLACE-ME" }, "Null": { "aws:SourceAccount": "false" } } } ] }