# Sample privacy-related policies
<a name="sample-policies-privacy"></a>

**Survey**  
We would love to hear from you. Please provide feedback on the AWS PRA by taking a [short survey](https://amazonmr.au1.qualtrics.com/jfe/form/SV_cMxJ0MG3jU91Fk2).

Many organizations that handle sensitive data lead with preventative controls and layer detective and reactive controls throughout. This section provides examples of privacy-related policies for AWS Identity and Access Management (IAM), AWS Organizations, and AWS Key Management Service (AWS KMS). These policies can help your organization meet use-limitation, disclosure-limitation, and cross-border data transfer privacy goals through a preventative approach. Many of these policies are referenced in previous sections of this guide.

**Topics**
+ [Require access from specific IP addresses](require-access-from-specific-ip-addresses.md)
+ [Require organization membership to access VPC resources](require-organization-membership.md)
+ [Restrict data transfers across AWS Regions](restrict-data-transfers-across-regions.md)
+ [Grant access to specific Amazon DynamoDB attributes](grant-access-dynamodb-attributes.md)
+ [Restrict changes to VPC configurations](restrict-changes-vpc-configurations.md)
+ [Require attestation to use an AWS KMS key](require-attestation-for-kms-key.md)

# Require access from specific IP addresses
<a name="require-access-from-specific-ip-addresses"></a>

The following role trust policy allows the `john_stiles` IAM user to assume the role only when the call comes from an IP address in `192.0.2.0/24` or `203.0.113.0/24`. The first statement grants `sts:AssumeRole`; the second explicitly denies it whenever `aws:SourceIp` falls outside those ranges, and an explicit Deny always wins over an Allow. This control can help prevent unintended disclosure of personal data and unwanted cross-border data transfers. For example, if your organization has customer support staff who require access to personal data, you might want that staff to reach the data only from offices in specific geographic regions, whose public IP ranges are the ones you list in the policy. Two caveats apply to `aws:SourceIp`: it is not present when the request is made through a VPC endpoint (use `aws:VpcSourceIp` for that path), and a request that an AWS service makes on the user's behalf arrives from the service's address rather than the user's, so the Deny can block such calls unless you scope it with `aws:ViaAWSService`. Also check your organization's definition of PII, because some policies might require `Condition` or `Principal` elements that restrict access to a specific user or IP address.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/john_stiles"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/john_stiles"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "192.0.2.0/24",
            "203.0.113.0/24"
          ]
        }
      }
    }
  ]
}
```
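A policy like this should be paired with a detective check that the Deny is actually taking effect. The following Python script is an added example (it is not part of the AWS PRA) that reviews AWS CloudTrail `AssumeRole` records for the user named in the policy and flags every call whose source is outside the two allowed ranges. The CloudTrail records are constructed for the example and use standard CloudTrail field names; the role ARNs in them are placeholders. Calls recorded with a service DNS name instead of an IP (CloudTrail records service-initiated calls that way) are reported separately, because they are exactly the calls the `aws:SourceIp` Deny can affect unexpectedly.

```python
import ipaddress
import json

# CIDR ranges from the trust policy above.
ALLOWED_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "203.0.113.0/24")]
WATCHED_USER_ARN = "arn:aws:iam::123456789012:user/john_stiles"

# Constructed CloudTrail records for the example (not real log data).
SAMPLE_EVENTS = [
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "arn": WATCHED_USER_ARN},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/SupportReadOnly"}},
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": WATCHED_USER_ARN},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/SupportReadOnly"},
     "errorCode": "AccessDenied"},
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     # CloudTrail records a service-initiated call with the service's DNS name.
     "sourceIPAddress": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": WATCHED_USER_ARN},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/DeployRole"}},
    {"eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": WATCHED_USER_ARN}},
]


def classify_source(source):
    """Return 'allowed', 'outside', or 'service' for a CloudTrail sourceIPAddress value."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return "service"  # not an IP address: an AWS service called on the user's behalf
    return "allowed" if any(ip in net for net in ALLOWED_RANGES) else "outside"


def review_assume_role_events(events, user_arn=WATCHED_USER_ARN):
    """Return one finding per AssumeRole call by user_arn that did not come from an allowed range."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "AssumeRole":
            continue
        if ev.get("userIdentity", {}).get("arn") != user_arn:
            continue
        verdict = classify_source(ev.get("sourceIPAddress", ""))
        if verdict == "allowed":
            continue
        findings.append({
            "source": ev["sourceIPAddress"],
            "role": ev.get("requestParameters", {}).get("roleArn"),
            "verdict": verdict,
            # An 'outside' call without AccessDenied means the Deny did not take effect.
            "denied": ev.get("errorCode") == "AccessDenied",
        })
    return findings


if __name__ == "__main__":
    for finding in review_assume_role_events(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run the same function over the records from an Athena query or a CloudTrail Lake export; an `outside` finding with `denied: false` is the signal that the trust policy is missing or has been changed.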

# Require organization membership to access VPC resources
<a name="require-organization-membership"></a>

This [VPC endpoint policy](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) allows only AWS Identity and Access Management (IAM) principals from the `o-1abcde123` organization to reach Amazon Simple Storage Service (Amazon S3) through the endpoint, and only when the bucket they target is also owned by that organization (`aws:ResourceOrgID`). An endpoint policy is evaluated in addition to identity-based and bucket policies, so it narrows access rather than granting it. One caveat: `aws:ResourceOrgID` is absent for buckets that no account in your organization owns, such as the AWS-owned buckets behind the Amazon Linux package repositories, so those requests fail this policy and need a separate, explicitly scoped Allow statement if your workloads depend on them. This preventative control helps establish a zone of trust and define the personal data perimeter. For more information about how this policy can help protect privacy and personal data in your organization, see [AWS PrivateLink](personal-data-account.md#privatelink) in this guide.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOnlyIntendedResourcesAndPrincipals",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "o-1abcde123",
                    "aws:ResourceOrgID": "o-1abcde123"
                }
            }
        }
    ]
}
```

# Restrict data transfers across AWS Regions
<a name="restrict-data-transfers-across-regions"></a>

With the exception of two AWS Identity and Access Management (IAM) roles, this service control policy (SCP) denies API calls to [regional AWS services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/regional-services.html) in AWS Regions other than `eu-west-1` and `eu-central-1`. This SCP can help prevent the creation of AWS storage and processing resources in unapproved Regions, so that personal data is never handled by AWS services in those Regions at all. The policy uses a `NotAction` element rather than `Action` because it must exempt [global AWS services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html), such as IAM, whose requests carry an `aws:RequestedRegion` value (for IAM, `us-east-1`) outside the approved list, and services that integrate with global services, such as AWS Key Management Service (AWS KMS) and Amazon CloudFront. List those global and other non-applicable services in the `NotAction` element as exceptions, and review the list as you adopt new services. Two caveats: SCPs do not affect the management account or service-linked roles, and the bypass roles are exempted by name with `ArnNotLike` against `arn:aws:iam::*:role/...`, which matches a role with that name in any member account. Pair this SCP with one that denies creating or modifying roles with those names except for your trusted deployment principals. For more information about how this policy can help protect privacy and personal data in your organization, see [AWS Organizations](org-management-account.md#aws-organizations) in this guide.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideEU",
            "Effect": "Deny",
            "NotAction": [
                "a4b:*",
                "acm:*",
                "aws-marketplace-management:*",
                "aws-marketplace:*",
                "aws-portal:*",
                "budgets:*",
                "ce:*",
                "cloudfront:*",
                "config:*",
                "cur:*",
                "directconnect:*",
                "ec2:DescribeRegions",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeVpnGateways",
                "fms:*",
                "globalaccelerator:*",
                "health:*",
                "iam:*",
                "importexport:*",
                "kms:*",
                "mobileanalytics:*",
                "networkmanager:*",
                "organizations:*",
                "pricing:*",
                "route53:*",
                "route53domains:*",
                "route53-recovery-cluster:*",
                "route53-recovery-control-config:*",
                "route53-recovery-readiness:*",
                "s3:GetAccountPublic*",
                "s3:ListAllMyBuckets",
                "s3:ListMultiRegionAccessPoints",
                "s3:PutAccountPublic*",
                "shield:*",
                "sts:*",
                "support:*",
                "trustedadvisor:*",
                "waf-regional:*",
                "waf:*",
                "wafv2:*",
                "wellarchitected:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "eu-central-1",
                        "eu-west-1"
                    ]
                },
                "ArnNotLike": {
                    "aws:PrincipalARN": [
                        "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
                        "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
                    ]
                }
            }
        }
    ]
}
```

# Grant access to specific Amazon DynamoDB attributes
<a name="grant-access-dynamodb-attributes"></a>

As your organization discusses strategies to physically and logically separate personal data, consider which AWS storage services support fine-grained access control in AWS Identity and Access Management (IAM). The following identity-based policy allows retrieval of only the `UserID`, `SignUpTime`, and `LastLoggedIn` attributes from an Amazon DynamoDB table named `Users`. For example, you might attach this policy to a customer support role instead of giving that role access to the full personal dataset. The two conditions work together: `ForAllValues:StringEquals` on `dynamodb:Attributes` requires every attribute a request names to be in the list, but it evaluates to true when a request names no attributes at all (the key is then absent from the request context), so the `dynamodb:Select` condition is needed to reject reads that would return every attribute. Callers must therefore request the attributes by name with `ProjectionExpression`. For more information about how this policy can help protect privacy and personal data in your organization, see [AWS services and features that help segment data](personal-data-account.md#segment-data) in this guide.

```
{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "dynamodb:GetItem",
            "dynamodb:BatchGetItem",
            "dynamodb:Query",
            "dynamodb:Scan"
         ],
         "Resource":[
            "arn:aws:dynamodb:us-west-2:123456789012:table/Users"
         ],
         "Condition":{
            "ForAllValues:StringEquals":{
               "dynamodb:Attributes":[
                  "UserID",
                  "SignUpTime",
                  "LastLoggedIn"
               ]
            },
            "StringEquals":{
               "dynamodb:Select":[
                  "SPECIFIC_ATTRIBUTES"
               ]
            }  
         }
      }
   ]
}
```
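The interaction between the two conditions is easy to get wrong, so the following Python script is an added example (not part of the AWS PRA) that evaluates them offline against sample requests and builds a `Query` request that satisfies them. The request-context model in `request_context` is a simplification made for the example: it assumes `dynamodb:Attributes` is present only when the request names attributes and that `dynamodb:Select` is `SPECIFIC_ATTRIBUTES` when a projection is given and `ALL_ATTRIBUTES` otherwise. The table name and the assumption that `UserID` is the partition key are taken from the policy and the example, not from any real table.

```python
ALLOWED_ATTRIBUTES = {"UserID", "SignUpTime", "LastLoggedIn"}


def request_context(projection=None, select=None):
    """Simplified model (an assumption for this example) of the condition keys a read
    request contributes: dynamodb:Attributes only when attributes are named, and
    dynamodb:Select from the request or derived from whether a projection was given."""
    ctx = {}
    if projection:
        ctx["dynamodb:Attributes"] = list(projection)
    ctx["dynamodb:Select"] = select or ("SPECIFIC_ATTRIBUTES" if projection else "ALL_ATTRIBUTES")
    return ctx


def for_all_values_string_equals(ctx, key, policy_values):
    """IAM semantics: every request value must be in the policy set, and the condition
    is ALSO true when the key is absent from the request (no attributes named)."""
    values = ctx.get(key)
    if not values:
        return True
    return all(v in policy_values for v in values)


def string_equals(ctx, key, policy_values):
    """Single-valued StringEquals: an absent key never matches."""
    return ctx.get(key) in policy_values


def attribute_policy_allows(ctx, require_specific_select=True):
    """Evaluate the Allow statement's conditions. require_specific_select=False shows
    what happens if the dynamodb:Select condition is left out."""
    allowed = for_all_values_string_equals(ctx, "dynamodb:Attributes", ALLOWED_ATTRIBUTES)
    if require_specific_select:
        allowed = allowed and string_equals(ctx, "dynamodb:Select", {"SPECIFIC_ATTRIBUTES"})
    return allowed


def projected_query_params(table, user_id, attributes):
    """Build Query parameters (the dict boto3's DynamoDB client query() accepts) that
    satisfy the policy. Attributes outside the allow list are refused locally so the
    call fails closed before it reaches the API."""
    disallowed = set(attributes) - ALLOWED_ATTRIBUTES
    if disallowed:
        raise PermissionError(f"attributes not permitted by policy: {sorted(disallowed)}")
    # Placeholders keep the projection valid even for reserved-word attribute names.
    names = {f"#a{i}": attr for i, attr in enumerate(attributes)}
    return {
        "TableName": table,
        "KeyConditionExpression": "UserID = :uid",  # assumes UserID is the partition key
        "ExpressionAttributeValues": {":uid": {"S": user_id}},
        "ProjectionExpression": ", ".join(names),
        "ExpressionAttributeNames": names,
        "Select": "SPECIFIC_ATTRIBUTES",
    }


if __name__ == "__main__":
    print("scan, no projection, without Select condition:",
          attribute_policy_allows(request_context(), require_specific_select=False))
    print("scan, no projection, full policy:", attribute_policy_allows(request_context()))
    print("query UserID,LastLoggedIn:",
          attribute_policy_allows(request_context(["UserID", "LastLoggedIn"])))
    print(projected_query_params("Users", "u-123", ["UserID", "LastLoggedIn"]))
```

The first two prints show the gap the `dynamodb:Select` condition closes: without it, a `Scan` that names no attributes passes the `ForAllValues` check and returns the whole item.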

# Restrict changes to VPC configurations
<a name="restrict-changes-vpc-configurations"></a>

After you have designed and deployed the AWS infrastructure that supports your cross-border data transfer requirements, including network data flows, you might want to lock that design down. The following service control policy helps prevent VPC configuration drift and unintentional modification. For every principal except the two named bypass roles, it denies creating VPCs, subnets, route tables, routes, and route table associations; creating and attaching internet gateways; creating and accepting VPC peering connections; modifying VPC attributes; every transit gateway API action (`ec2:*TransitGateway*` also covers attachments, route tables, and peering, so the narrower `ec2:*TransitGateway` pattern is redundant); and creating or updating AWS Global Accelerator resources. It does not cover AWS Site-to-Site VPN connections (`ec2:CreateVpnConnection`), so add that action if new VPN exits must also be blocked. As with the previous SCP, the bypass roles are matched by name in any account, so protect that role name with a further SCP. For more information about how this policy can help protect privacy and personal data in your organization, see [AWS Transit Gateway](network-account.md#transit-gateway) in this guide.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:AttachInternetGateway",
                "ec2:CreateInternetGateway",
                "ec2:CreateVpcPeeringConnection",
                "ec2:AcceptVpcPeeringConnection",
                "ec2:CreateVpc",
                "ec2:CreateSubnet", 
                "ec2:CreateRouteTable",
                "ec2:CreateRoute",
                "ec2:AssociateRouteTable", 
                "ec2:ModifyVpcAttribute",
                "ec2:*TransitGateway",
                "ec2:*TransitGateway*",
                "globalaccelerator:Create*",
                "globalaccelerator:Update*"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalARN": [
                        "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
                        "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
                    ]
                }
            }          
        }
    ]
}
```
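Before attaching either SCP on this page (the Region restriction above and this VPC restriction), it helps to check which calls they deny. The following Python script is an added example (not part of the AWS PRA) that evaluates trimmed copies of both SCPs the way IAM does: `NotAction` versus `Action` scoping, case-insensitive action wildcards, component-wise `ArnLike` matching, and the two condition operators the policies use. The `NotAction` list of the Region SCP is shortened to a few entries so the block stays short, and a `Sid` is added to the VPC statement so results can be reported by name; the principal ARNs are placeholders. The handling of an absent condition key is a modeling choice noted in the code; neither SCP depends on it because `aws:RequestedRegion` and `aws:PrincipalArn` are always present for IAM principals.

```python
import fnmatch

BYPASS_ROLES = ["arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
                "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"]

# Trimmed copies of the two SCPs on this page (NotAction list shortened; logic unchanged).
REGION_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyAllOutsideEU", "Effect": "Deny",
    "NotAction": ["cloudfront:*", "iam:*", "kms:*", "organizations:*", "route53:*",
                  "s3:ListAllMyBuckets", "sts:*", "support:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]},
                  "ArnNotLike": {"aws:PrincipalArn": BYPASS_ROLES}}}]}

VPC_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyVpcChanges", "Effect": "Deny",  # Sid added for reporting; the page's has none
    "Action": ["ec2:AttachInternetGateway", "ec2:CreateInternetGateway",
               "ec2:CreateVpcPeeringConnection", "ec2:AcceptVpcPeeringConnection",
               "ec2:CreateVpc", "ec2:CreateSubnet", "ec2:CreateRouteTable", "ec2:CreateRoute",
               "ec2:AssociateRouteTable", "ec2:ModifyVpcAttribute", "ec2:*TransitGateway*",
               "globalaccelerator:Create*", "globalaccelerator:Update*"],
    "Resource": "*",
    "Condition": {"ArnNotLike": {"aws:PrincipalArn": BYPASS_ROLES}}}]}


def as_list(value):
    return value if isinstance(value, list) else [value]


def action_match(pattern, action):
    """IAM action matching: '*' and '?' wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def arn_like(pattern, arn):
    """ArnLike: each of the six colon-delimited ARN components is matched separately."""
    pat, parts = pattern.split(":", 5), arn.split(":", 5)
    return len(pat) == 6 and len(parts) == 6 and all(
        fnmatch.fnmatchcase(part, p) for p, part in zip(pat, parts))


def condition_holds(operator, request_value, policy_values):
    if request_value is None:
        # Modeling choice: negated operators match an absent key, positive ones do not.
        return operator in ("StringNotEquals", "ArnNotLike")
    if operator == "StringEquals":
        return request_value in policy_values
    if operator == "StringNotEquals":
        return request_value not in policy_values
    if operator == "ArnLike":
        return any(arn_like(p, request_value) for p in policy_values)
    if operator == "ArnNotLike":
        return not any(arn_like(p, request_value) for p in policy_values)
    raise ValueError(f"operator not modeled: {operator}")


def statement_denies(stmt, action, ctx):
    """True if this Deny statement applies to the request (action in scope, all conditions hold)."""
    if stmt.get("Effect") != "Deny":
        return False
    if "Action" in stmt:
        in_scope = any(action_match(p, action) for p in as_list(stmt["Action"]))
    else:  # NotAction: everything except the listed patterns is in scope
        in_scope = not any(action_match(p, action) for p in as_list(stmt["NotAction"]))
    if not in_scope:
        return False
    return all(condition_holds(op, ctx.get(key), as_list(vals))
               for op, keys in stmt.get("Condition", {}).items()
               for key, vals in keys.items())


def denied_by(action, region, principal_arn, scps=(REGION_SCP, VPC_SCP)):
    """Sids of the SCP statements that deny this call; an empty list means no SCP deny."""
    ctx = {"aws:RequestedRegion": region, "aws:PrincipalArn": principal_arn}
    return [s["Sid"] for scp in scps for s in scp["Statement"] if statement_denies(s, action, ctx)]


if __name__ == "__main__":
    app = "arn:aws:iam::111122223333:role/AppRole"
    bypass = "arn:aws:iam::111122223333:role/Role1AllowedToBypassThisSCP"
    for call in [("s3:PutObject", "us-east-1", app), ("s3:PutObject", "eu-west-1", app),
                 ("ec2:CreateTransitGatewayVpcAttachment", "eu-west-1", app),
                 ("ec2:CreateTransitGatewayVpcAttachment", "us-east-1", bypass)]:
        print(call, "->", denied_by(*call) or "no SCP deny")
```

An empty result only means no SCP denies the call; the principal still needs an identity-based Allow, and a request in `us-east-1` by the bypass role is exempt from both statements.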

# Require attestation to use an AWS KMS key
<a name="require-attestation-for-kms-key"></a>

The following AWS Key Management Service (AWS KMS) key policy allows the `data-processing` role, which is the IAM role of the parent Amazon EC2 instance, to use the key only when the request carries a signed AWS Nitro Enclaves attestation document whose measurements match the values in the condition. The enclave passes the attestation document in the `Recipient` parameter of the `Decrypt`, `GenerateDataKey`, or `GenerateRandom` request; AWS KMS verifies the document's signature before it populates the `kms:RecipientAttestation:*` condition keys, so a request without a valid attestation document does not satisfy the condition and is denied. As a result, only an enclave running the expected image can decrypt the data. PCR0, PCR1, and PCR2 measure the enclave image file, its kernel and bootstrap data, and the application; they change whenever the enclave image is rebuilt, and `nitro-cli build-enclave` prints their new values. PCR3 and PCR4 measure the IAM role and the instance ID of the parent instance, and PCR8 measures the certificate used to sign the enclave image, so including them pins the key to one deployment, and a replaced instance or rotated role requires a policy update. Replace the `EXAMPLE` values with your own measurements. For more information about how this policy can help protect privacy and personal data in your organization, see [AWS Nitro Enclaves](personal-data-account.md#nitro-enclaves) in this guide. For a complete list of AWS KMS condition keys that can be used in key policies and in AWS Identity and Access Management (IAM) policies, see [Condition keys for AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-nitro-enclaves).

```
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "Enable enclave data processing",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::123456789012:role/data-processing"
         },
         "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey",
            "kms:GenerateRandom"
         ],
         "Resource": "*",
         "Condition": {
            "StringEqualsIgnoreCase": {
               "kms:RecipientAttestation:ImageSha384": "EXAMPLE8abcdef7abcdef6abcdef5abcdef4abcdef3abcdef2abcdef1abcdef1abcdef0abcdef1abcdEXAMPLE",
               "kms:RecipientAttestation:PCR0": "EXAMPLEbc2ecbb68ed99a13d7122abfc0666b926a79d5379bc58b9445c84217f59cfdd36c08b2c79552928702EXAMPLE",
               "kms:RecipientAttestation:PCR1": "EXAMPLE050abf6b993c915505f3220e2d82b51aff830ad14cbecc2eec1bf0b4ae749d311c663f464cde9f718aEXAMPLE",
               "kms:RecipientAttestation:PCR2": "EXAMPLEc300289e872e6ac4d19b0b5ac4a9b020c98295643ff3978610750ce6a86f7edff24e3c0a4a445f2ff8EXAMPLE",
               "kms:RecipientAttestation:PCR3": "EXAMPLE11de9baee597508183477f097ae385d4a2c885aa655432365b53b812694e230bbe8e1bb1b8de748fe1EXAMPLE",
               "kms:RecipientAttestation:PCR4": "EXAMPLE6b9b3d89a53b13f5dfd14a1049ec0b80a9ae4b159adde479e9f7f512f33e835a0b9023ca51ada02160EXAMPLE",
               "kms:RecipientAttestation:PCR8": "EXAMPLE34a884328944cd806127c7784677ab60a154249fd21546a217299ccfa1ebfe4fa96a163bf41d3bcfaeEXAMPLE"
            }
         }
      }
   ]
}
```
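Because the build-time measurements change with every enclave image rebuild, the key policy usually has to be regenerated in the build pipeline. The following Python script is an added example (not part of the AWS PRA) that takes the JSON that `nitro-cli build-enclave` prints, updates PCR0 through PCR2 in a copy of the key policy above while leaving the deployment-bound PCR3, PCR4, and PCR8 untouched, and then checks a set of measurements against the policy the way AWS KMS evaluates `StringEqualsIgnoreCase`. All measurement values are constructed placeholders (96 hex characters, the length of a SHA-384 digest), not real ones; the attestation values are passed as hex strings rather than parsed from a real CBOR attestation document; and setting `ImageSha384` from PCR0 is an assumption of this example, based on PCR0 being the measurement of the enclave image file.

```python
import copy
import json

PREFIX = "kms:RecipientAttestation:"
BUILD_TIME_KEYS = {"PCR0", "PCR1", "PCR2"}  # change whenever the enclave image is rebuilt

# Constructed stand-in for the JSON that `nitro-cli build-enclave` prints (placeholder values).
BUILD_OUTPUT = {
    "Measurements": {
        "HashAlgorithm": "Sha384 { ... }",
        "PCR0": "a1" * 48,
        "PCR1": "b2" * 48,
        "PCR2": "c3" * 48,
    }
}

# Copy of the key policy above with placeholder measurements.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable enclave data processing",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/data-processing"},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateRandom"],
        "Resource": "*",
        "Condition": {"StringEqualsIgnoreCase": {
            PREFIX + "ImageSha384": "00" * 48,
            PREFIX + "PCR0": "00" * 48,
            PREFIX + "PCR1": "00" * 48,
            PREFIX + "PCR2": "00" * 48,
            PREFIX + "PCR3": "d4" * 48,  # IAM role of the parent instance
            PREFIX + "PCR4": "e5" * 48,  # instance ID of the parent instance
            PREFIX + "PCR8": "f6" * 48,  # enclave image signing certificate
        }},
    }],
}


def updated_key_policy(policy, build_output):
    """Return a copy of the key policy with PCR0-PCR2 (and ImageSha384) taken from the
    nitro-cli output. PCR3, PCR4 and PCR8 depend on the deployment and are left alone."""
    measurements = build_output["Measurements"]
    new_policy = copy.deepcopy(policy)
    for stmt in new_policy["Statement"]:
        for operator, keys in stmt.get("Condition", {}).items():
            if not operator.startswith("StringEquals"):
                continue
            for key in list(keys):
                if not key.startswith(PREFIX):
                    continue
                name = key[len(PREFIX):]
                if name in BUILD_TIME_KEYS:
                    keys[key] = measurements[name]
                elif name == "ImageSha384":
                    keys[key] = measurements["PCR0"]  # assumption: image hash equals PCR0
    return new_policy


def attestation_satisfies(policy, attestation_pcrs, image_sha384):
    """Offline check of what AWS KMS evaluates: every RecipientAttestation key in the
    condition must equal, case-insensitively, the value carried in the attestation
    document. A measurement missing from the document fails the check."""
    required = policy["Statement"][0]["Condition"]["StringEqualsIgnoreCase"]
    presented = {f"{PREFIX}PCR{index}": value for index, value in attestation_pcrs.items()}
    presented[PREFIX + "ImageSha384"] = image_sha384
    return all(presented.get(key, "").lower() == value.lower()
               for key, value in required.items())


if __name__ == "__main__":
    policy = updated_key_policy(KEY_POLICY, BUILD_OUTPUT)
    print(json.dumps(policy, indent=2))
```

Feed the printed document to `aws kms put-key-policy --policy-name default --policy file://...` from the pipeline that built the image; because PCR4 pins the instance ID, the same pipeline must also run when the parent instance is replaced.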