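# If using AWS Control Tower, ensure that all the specified Organizational Units (OU)
# have been created and enrolled, as the accelerator will verify that the OU layout
# matches before continuing to execute the deployment pipeline.
enable: true

organizationalUnits:
  - name: applications
  - name: core
  - name: galileo
  - name: pic-sure
  - name: Security
  - name: Infrastructure
    # `ignore: true` marks this OU as not managed by the accelerator. The
    # "Deny Region Block Additional" SCP below nevertheless lists Infrastructure
    # as a deployment target — confirm the SCP is really attached to an ignored OU.
    ignore: true

# Quarantine of newly created accounts is not configured (block left commented out),
# so a new account carries only the SCPs attached to the OU it is placed in.
# quarantineNewAccounts:
#   enable: true
#   scpPolicyName: Quarantine

serviceControlPolicies:
  # Targets applications, galileo and pic-sure only; the core and Security OUs
  # are not in this list — confirm that gap is intentional.
  - name: Enforce-IMDSv2
    description: >
      Enforce IMDSv2
    policy: service-control-policies/enforce-imdsv2.json
    type: customerManaged
    deploymentTargets:
      organizationalUnits:
        - applications
        - galileo
        - pic-sure

  # Region restriction for galileo: us-east-1 and us-east-2 only.
  - name: Deny Region Block
    description: >
      Deny Region Block except us-east-1 and us-east-2
    policy: service-control-policies/deny-region-block.json
    type: customerManaged
    deploymentTargets:
      organizationalUnits:
        - galileo

  # Wider region allow-list (adds us-west-2). Note this policy targets an
  # individual account as well as OUs; account-level targets are easy to miss
  # when the OU layout is reviewed.
  - name: Deny Region Block Additional
    description: >
      Deny Region Block except us-east-1, us-east-2 and us-west-2
    policy: service-control-policies/deny-region-block-add.json
    type: customerManaged
    deploymentTargets:
      organizationalUnits:
        - Infrastructure
        - applications
      accounts:
        - lzdev-test-paul

  # Attached at Root, so it reaches every member account; SCPs never constrain
  # the management account itself. Per the description, the two exempt roles are
  # defined inside the policy JSON, not here — review that file when auditing
  # root-access controls.
  - name: Block Root Access
    description: >
      Deny Root Access except for two roles for Root Access Management Service
    policy: service-control-policies/block-root-access.json
    type: customerManaged
    deploymentTargets:
      organizationalUnits:
        - Root

# https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
taggingPolicies: []
# - name: TagPolicy
#   description: Organization Tagging Policy
#   policy: tagging-policies/org-tag-policy.json
#   deploymentTargets:
#     organizationalUnits:
#       - Root

# https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
# Backup policies contain a `delete_after_days` value of 1095 days, or 3 years. Before
# enabling this policy, ensure that `delete_after_days` meets your organization's records
# retention policies. Similarly, ensure that `move_to_cold_storage_after_days` meets
# business requirements.
backupPolicies: []
# - name: BackupPolicy
#   description: Organization Backup Policy
#   policy: backup-policies/backup-plan.json
#   deploymentTargets:
#     organizationalUnits:
#       - Root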