-[deny_region_interaction.tf](./modules/account/deny_region_interaction.tf) - Denies the ability to enable or disable a region.

- By default, when new regions are enabled by AWS, you now have to enable that region before IAM will propagate.

- This policy can be used to lock down the ability to launch resources in unapproved regions or deny a malicious actor from disabling a region in your account.

- By default, when new regions are enabled by AWS, you now have to enable that region before IAM will propagate.

- This policy can be used to lock down the ability to launch resources in unapproved regions or deny a malicious actor from disabling a region in your account.

-*Important*: When a region is disabled, and there are IAM resources in that region, they will be removed. Please view the documentation[here](https://aws.amazon.com/blogs/security/setting-permissions-to-enable-accounts-for-upcoming-aws-regions/) for more information.

- Please review the documentation[here](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out_syntax.html) on how to selectively opt in to data sharing.

- Prior to applying, ensure that the AI services opt-out policy type is enabled for the organization.

-[require_kms_cmks.tf](./modules/comprehend/require_kms_cmks.tf) - Requires all applicable Amazon Comprehend calls to pass in a Amazon Key Management Service (KMS) customer managed key (CMK). Per the[documentation](https://docs.aws.amazon.com/comprehend/latest/dg/kms-in-comprehend.html),_Amazon Comprehend can encrypt custom models using either its own KMS Key or a provided customer managed key (CMK)._ You can find a comparison of the two keys[here](https://docs.aws.amazon.com/whitepapers/latest/kms-best-practices/aws-managed-and-customer-managed-cmks.html), and CMKs provide greater control over your encyption keys.

-[require_private_vpcs.tf](./modules/comprehend/require_private_vpcs.tf) - Amazon Comprehend supports running the job containers in a customer managed VPC. A VPC can be configured to not be exposed to internet, allows users to monitor networking traffic using flow logs, and can route traffic over private networks with VPC endpoints.

- When Amazon Comprehend jobs are launched in a VPC, Amazon Comprehend creates Elastic Network Interfaces (ENIs) and attached them to the job containers. The ENIs provide network connectivity within the VPC.

-[deny_interruption_actions.tf](./modules/awsconfig/deny_interruption_actions.tf) - Denies the ability to delete AWS Config rules and stop recording.

- AWS Config is a service to monitor your resources for point-in-time configuration updates and compliance monitoring.

-[deny_interruption_actions.tf](./modules/awsconfig/deny_interruption_actions.tf) - Denies the ability to delete AWS Config rules and stop recording.

- AWS Config is a service to monitor your resources for point-in-time configuration updates and compliance monitoring.

- Malicious actors may try to stop AWS Config recording and perform destructive behavior so it is important to deny AWS Config deletions.

-[deny_cloudtrail_actions.tf](./modules/cloudtrail/deny_cloudtrail_actions.tf) - Denies the ability to delete or manipulate CloudTrail trails.

- CloudTrail monitors all API calls against (supported) resources.

-[deny_cloudtrail_actions.tf](./modules/cloudtrail/deny_cloudtrail_actions.tf) - Denies the ability to delete or manipulate CloudTrail trails.

- CloudTrail monitors all API calls against (supported) resources.

- Please note that not all AWS services and resources are supported by CloudTrail.

- Because CloudTrail is a record of all API calls made, it is commonly targeted to cover malicious actors' tracks.

-[require_mfa_actions.tf](./modules/ec2/require_mfa_actions.tf) - Requires MFA when deleting or stopping EC2 instances.

- A best practice is to protect your resources from accidental deletions and requiring MFA is one step in that direction.

- A best practice is to protect your resources from accidental deletions and requiring MFA is one step in that direction.

-[restrict_ami_owner.tf](./modules/ec2/restrict_ami_owner.tf) - Locks down the AMIs that can be launched to only the AMI creation account.

- A common practice is to configure an AWS account for centralized AMI creations that you then share to the receiving accounts. Similar to a hub-and-spoke model.

-[require_ami_tag.tf](./modules/ec2/require_ami_tag.tf) - Requires a resource tag key/value pair to launch EC2s.

-[deny_guardduty_disassociate.tf](./modules/guardduty/deny_guardduty_disassociate.tf) - Denies the ability to remove the assigned account from the GuardDuty master.

- Once GuardDuty is in place for an account, it should not be removed while in use.

-[deny_guardduty_disassociate.tf](./modules/guardduty/deny_guardduty_disassociate.tf) - Denies the ability to remove the assigned account from the GuardDuty master.

- Once GuardDuty is in place for an account, it should not be removed while in use.

-[deny_actions_no_mfa.tf](./modules/iam/deny_actions_no_mfa.tf) - Requires MFA to be set before any action can be performed.

-[deny_actions_no_mfa.tf](./modules/iam/deny_actions_no_mfa.tf) - Requires MFA to be set before any action can be performed.

- The user will only be able to set a MFA device and then must log out / in to have normal access.

- This is a blanket guardrail that should be used cautiously. Keep in mind that unless the user authenticated with MFA via the CLI, access keys will not be valid.

- This is a blanket guardrail that should be used cautiously. Keep in mind that unless the user authenticated with MFA via the CLI, access keys will not be valid.

-[deny_flow_logs_delete.tf](./modules/vpc/deny_flow_logs_delete.tf) - Denies the ability to delete VPC Flow Logs.

- VPC Flow Logs are your network monitoring logs and provide visibility into anomalous traffic during a security event.

- VPC Flow Logs are your network monitoring logs and provide visibility into anomalous traffic during a security event.