Merge pull request #11 from aws-samples/10-rds-scp-incompatible-w-aurora-cluster-provisioning

tdmarco · web-flow · commit 454611eb20ec · 2022-06-01T09:16:26.000-04:00
Updated RDS SCP to fix Aurora
diff --git a/rds/SCP/rds_encrypted.json b/rds/SCP/rds_encrypted.json
@@ -1,35 +1,38 @@
 {
     "Version": "2012-10-17",
     "Statement": [
-        {
-            "Sid": "RDS",
-            "Effect": "Deny",
-            "Action": [
-                "rds:CreateDBInstance"
-            ],
-            "Resource": [
-                "*"
-            ],
-            "Condition": {
-                "Bool": {
-                    "rds:StorageEncrypted": "false"
-                }
-            }
-        },
-        {
-            "Sid": "StatementForAurora",
-            "Effect": "Deny",
-            "Action": [
-                "rds:CreateDBCluster"
-            ],
-            "Resource": [
-                "*"
-            ],
-            "Condition": {
-                "Bool": {
-                    "rds:StorageEncrypted": "false"
-                }
-            }
+      {
+        "Sid": "StatementForNonAuroraRDS",
+        "Effect": "Deny",
+        "Action": [
+          "rds:CreateDBInstance"
+        ],
+        "Resource": [
+          "*"
+        ],
+        "Condition": {
+          "ForAnyValue:StringNotLike": {
+            "rds:DatabaseEngine": "aurora*"
+          },
+          "Bool": {
+            "rds:StorageEncrypted": "false"
+          }
         }
+      },
+      {
+        "Sid": "StatementForAurora",
+        "Effect": "Deny",
+        "Action": [
+          "rds:CreateDBCluster"
+        ],
+        "Resource": [
+          "*"
+        ],
+        "Condition": {
+          "Bool": {
+            "rds:StorageEncrypted": "false"
+          }
+        }
+      }
     ]
-}
+  }
