From 460aa7dcb54717b15c699487bbee98838a3f2f7f Mon Sep 17 00:00:00 2001
From: Chris Brown <1731074+ccbrown@users.noreply.github.com>
Date: Sun, 20 Apr 2025 02:38:04 -0400
Subject: [PATCH 1/2] add scp management ui

---
 frontend/scripts/gather_aws_service_info.py   |   40 +
 .../(public-area)/articles/[slug]/page.tsx    |    7 +-
 .../teams/[teamId]/MapOverlays.tsx            |    4 +-
 .../app/(user-area)/teams/[teamId]/Rules.tsx  |  271 +++
 .../app/(user-area)/teams/[teamId]/page.tsx   |   21 +-
 frontend/src/app/globals.css                  |    3 +
 frontend/src/aws.ts                           | 1696 +++++++++++++++++
 frontend/src/components/ChipEditor.tsx        |  146 ++
 frontend/src/components/SuccessMessage.tsx    |    2 +-
 frontend/src/components/index.tsx             |    1 +
 frontend/src/hooks.ts                         |   11 +
 frontend/src/models/aws.ts                    |   34 +-
 frontend/src/rules.ts                         |  174 ++
 13 files changed, 2403 insertions(+), 7 deletions(-)
 create mode 100755 frontend/scripts/gather_aws_service_info.py
 create mode 100644 frontend/src/app/(user-area)/teams/[teamId]/Rules.tsx
 create mode 100644 frontend/src/aws.ts
 create mode 100644 frontend/src/components/ChipEditor.tsx
 create mode 100644 frontend/src/rules.ts

diff --git a/frontend/scripts/gather_aws_service_info.py b/frontend/scripts/gather_aws_service_info.py
new file mode 100755
index 00000000..22adde58
--- /dev/null
+++ b/frontend/scripts/gather_aws_service_info.py
@@ -0,0 +1,40 @@
+#!/usr/bin/env python3
+import boto3
+import json
+import time
+
+orgs = boto3.client('organizations')
+iam = boto3.client('iam')
+
+roots = orgs.list_roots()
+root = roots['Roots'][0]
+entity_path = root['Arn'].split('/', 1)[1]
+
+job = iam.generate_organizations_access_report(EntityPath=entity_path)
+job_id = job['JobId']
+
+params = {
+    'JobId': job_id,
+}
+
+services = []
+
+while True:
+    report = iam.get_organizations_access_report(**params)
+    if report['JobStatus'] == 'IN_PROGRESS':
+        time.sleep(1)
+    elif report['JobStatus'] == 'COMPLETED':
+        for service in report['AccessDetails']:
+            services.append({
+                'name': service['ServiceName'],
+                'namespace': service['ServiceNamespace'],
+            })
+
+        if report['IsTruncated']:
+            params['Marker'] = report['Marker']
+        else:
+            break
+    else:
+        raise Exception(f"Unexpected job status: {report['JobStatus']}")
+
+print(json.dumps(services, indent=2))
diff --git a/frontend/src/app/(public-area)/articles/[slug]/page.tsx b/frontend/src/app/(public-area)/articles/[slug]/page.tsx
index fc1fa1c8..47ac85d9 100644
--- a/frontend/src/app/(public-area)/articles/[slug]/page.tsx
+++ b/frontend/src/app/(public-area)/articles/[slug]/page.tsx
@@ -55,7 +55,12 @@ export default async function Page({ params }: Props) {
                     <ul className="list-disc mt-4 pl-6">
                         {article.relatedLinks.map((item, index) => (
                             <li key={index}>
-                                <Link href={item.url} target="_blank" rel="noopener noreferrer" className="external-link">
+                                <Link
+                                    href={item.url}
+                                    target="_blank"
+                                    rel="noopener noreferrer"
+                                    className="external-link"
+                                >
                                     {item.title}
                                 </Link>
                             </li>
diff --git a/frontend/src/app/(user-area)/teams/[teamId]/MapOverlays.tsx b/frontend/src/app/(user-area)/teams/[teamId]/MapOverlays.tsx
index 0917459b..6f7a0746 100644
--- a/frontend/src/app/(user-area)/teams/[teamId]/MapOverlays.tsx
+++ b/frontend/src/app/(user-area)/teams/[teamId]/MapOverlays.tsx
@@ -371,9 +371,7 @@ export const MapOverlays = (props: Props) => {
                             e.originalEvent.preventDefault();
                             e.originalEvent.stopPropagation();
                         }}
-                        className={
-                            'hover:z-200 transition-all duration-200 ease-in-out baz cursor-pointer' + extraClasses
-                        }
+                        className={'hover:z-200 transition-all duration-200 ease-in-out cursor-pointer' + extraClasses}
                     >
                         <MarkerContent
                             data={marker}
diff --git a/frontend/src/app/(user-area)/teams/[teamId]/Rules.tsx b/frontend/src/app/(user-area)/teams/[teamId]/Rules.tsx
new file mode 100644
index 00000000..578b939d
--- /dev/null
+++ b/frontend/src/app/(user-area)/teams/[teamId]/Rules.tsx
@@ -0,0 +1,271 @@
+import { clsx } from 'clsx';
+import { useEffect, useMemo, useState } from 'react';
+import { ChevronRightIcon } from '@heroicons/react/24/outline';
+import Link from 'next/link';
+import { Transition } from '@headlessui/react';
+
+import { awsServices } from '@/aws';
+import { Button, ChipEditor, Dialog, ErrorMessage } from '@/components';
+import { AWSAccount } from '@/generated/api';
+import { useAwsRegions, useCurrentTeamId, useManagedAwsScp, useTeamAwsAccountsMap } from '@/hooks';
+import { RuleSet } from '@/rules';
+import { useDispatch } from '@/store';
+
+interface PolicyPreviewProps {
+    account: AWSAccount;
+    ruleSet: RuleSet;
+    onSuccess: () => void;
+}
+
+const PolicyPreview = ({ account, onSuccess, ruleSet }: PolicyPreviewProps) => {
+    const teamId = useCurrentTeamId();
+    const [isBusy, setIsBusy] = useState(false);
+    const [errorMessage, setErrorMessage] = useState('');
+    const dispatch = useDispatch();
+
+    const prettyContent = useMemo(() => JSON.stringify(ruleSet.scp(), null, 2), [ruleSet]);
+
+    const apply = async () => {
+        if (isBusy) {
+            return;
+        }
+        setIsBusy(true);
+
+        try {
+            await dispatch.aws.putManagedScpByTeamAndAccountId({
+                teamId,
+                accountId: account.id,
+                input: {
+                    content: JSON.stringify(ruleSet.scp()),
+                },
+            });
+            onSuccess();
+        } catch (err) {
+            setErrorMessage(err instanceof Error ? err.message : 'An unknown error occurred.');
+        } finally {
+            setIsBusy(false);
+        }
+    };
+
+    return (
+        <div className="flex flex-col gap-4">
+            {errorMessage && <ErrorMessage>{errorMessage}</ErrorMessage>}
+            <p>
+                ⚠️ If you proceed, the following service control policy will be applied to{' '}
+                <span className="font-semibold">{account.name ? `${account.name} (${account.id})` : account.id}</span>.
+                Please exercise caution as it is possible to lock yourself out or disrupt services running in the
+                account.
+            </p>
+            <pre className="p-2 border-1 border-english-violet/60 rounded-lg text-sm max-h-[50vh] overflow-auto">
+                <code>{prettyContent}</code>
+            </pre>
+            <Button disabled={isBusy} label="Apply Policy" onClick={() => apply()} />
+        </div>
+    );
+};
+
+interface AccountPageProps {
+    account: AWSAccount;
+    onBack: () => void;
+}
+
+const AccountPage = ({ account, onBack }: AccountPageProps) => {
+    const [isPreviewing, setIsPreviewing] = useState(false);
+    const awsRegions = useAwsRegions();
+    const teamId = useCurrentTeamId();
+    const scp = useManagedAwsScp(teamId, account.id);
+    const scpContent = scp && scp.content;
+    const scpRuleSet = useMemo(
+        () => (scpContent === undefined ? undefined : scpContent ? RuleSet.fromScpContent(scpContent) : new RuleSet()),
+        [scpContent],
+    );
+
+    const [ruleSet, setRuleSet] = useState(new RuleSet());
+    const updateRuleSet = (update: (prev: RuleSet) => void) => {
+        const newRuleSet = ruleSet.clone();
+        update(newRuleSet);
+        setRuleSet(newRuleSet);
+    };
+
+    const hasChanges = useMemo(() => scpRuleSet && !ruleSet.equal(scpRuleSet), [ruleSet, scpRuleSet]);
+
+    useEffect(() => {
+        if (scpRuleSet) {
+            setRuleSet(scpRuleSet.clone());
+        }
+    }, [scpRuleSet]);
+
+    return (
+        <div className="flex flex-col gap-4">
+            {scp === undefined ? (
+                <p>Loading...</p>
+            ) : (
+                <>
+                    <p className="font-semibold">{account.name ? `${account.name} (${account.id})` : account.id}</p>
+
+                    <div className="border border-english-violet/60 bg-white/20 text-sm rounded-lg p-2 flex flex-col gap-2">
+                        <div>
+                            <span className="label">Region allowlist: </span>
+                            <ChipEditor
+                                options={awsRegions.map((region) => ({ label: region.id, value: region.id }))}
+                                before={scpRuleSet?.regionAllowlist?.regions || new Set()}
+                                after={ruleSet.regionAllowlist?.regions || new Set()}
+                                onAdd={(region) => {
+                                    updateRuleSet((ruleSet) => ruleSet.addRegionToAllowlist(region));
+                                }}
+                                onRemove={(region) => {
+                                    updateRuleSet((ruleSet) => ruleSet.removeRegionFromAllowlist(region));
+                                }}
+                            />
+                        </div>
+                        <div className="text-xs">
+                            {ruleSet.regionAllowlist ? (
+                                ruleSet.hasRegionInAllowlist('us-east-1') ? (
+                                    'Regions not listed above will be blocked.'
+                                ) : (
+                                    <span>
+                                        Regions not listed above will be blocked, with exceptions for IAM,
+                                        Organizations, and Account Management as{' '}
+                                        <Link
+                                            href="https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html"
+                                            className="external-link"
+                                            rel="noopener noreferrer"
+                                            target="_blank"
+                                        >
+                                            these are global services depending on us-east-1
+                                        </Link>
+                                        .
+                                    </span>
+                                )
+                            ) : (
+                                'All regions will be allowed.'
+                            )}
+                        </div>
+                    </div>
+
+                    <div className="border border-english-violet/60 bg-white/20 text-sm rounded-lg p-2 flex flex-col gap-2">
+                        <div>
+                            <span className="label">Service allowlist: </span>
+                            <ChipEditor
+                                options={awsServices.map((service) => ({
+                                    label: service.namespace,
+                                    value: service.namespace,
+                                }))}
+                                before={scpRuleSet?.serviceAllowlist?.services || new Set()}
+                                after={ruleSet.serviceAllowlist?.services || new Set()}
+                                onAdd={(service) => {
+                                    updateRuleSet((ruleSet) => ruleSet.addServiceToAllowlist(service));
+                                }}
+                                onRemove={(service) => {
+                                    updateRuleSet((ruleSet) => ruleSet.removeServiceFromAllowlist(service));
+                                }}
+                            />
+                        </div>
+                        <div className="text-xs">
+                            {ruleSet.serviceAllowlist
+                                ? 'Services not listed above will be blocked.'
+                                : 'All services will be allowed.'}
+                        </div>
+                    </div>
+
+                    <Dialog isOpen={isPreviewing} onClose={() => setIsPreviewing(false)} title="Policy Preview">
+                        <PolicyPreview account={account} ruleSet={ruleSet} onSuccess={() => setIsPreviewing(false)} />
+                    </Dialog>
+                    <Button disabled={!hasChanges} label="Preview Policy" onClick={() => setIsPreviewing(true)} />
+                </>
+            )}
+            <div className="flex justify-center">
+                <span onClick={onBack} className="cursor-pointer text-sm link">
+                    Back to Accounts
+                </span>
+            </div>
+        </div>
+    );
+};
+
+export const Rules = () => {
+    const teamId = useCurrentTeamId();
+    const teamAwsAccountsMap = useTeamAwsAccountsMap(teamId);
+    const [accountId, setAccountId] = useState<string | null>(null);
+    const [transitionDirection, setTransitionDirection] = useState<'forward' | 'backward'>('forward');
+
+    const account = accountId && teamAwsAccountsMap?.get(accountId);
+
+    const sortedAccounts =
+        teamAwsAccountsMap &&
+        Array.from(teamAwsAccountsMap.values()).sort((a, b) => {
+            const aLabel = a.name?.toLowerCase() || a.id;
+            const bLabel = b.name?.toLowerCase() || b.id;
+            return aLabel.localeCompare(bLabel);
+        });
+
+    const pageClassName = clsx([
+        'flex flex-col gap-2',
+        'data-[closed]:opacity-0 data-[closed]:absolute',
+        'data-[enter]:duration-100 data-[leave]:duration-300',
+        transitionDirection === 'forward' &&
+            'data-[enter]:data-[closed]:translate-x-full data-[leave]:data-[closed]:-translate-x-full',
+        transitionDirection === 'backward' &&
+            'data-[enter]:data-[closed]:-translate-x-full data-[leave]:data-[closed]:translate-x-full',
+    ]);
+
+    return (
+        <div className="relative overflow-hidden">
+            <Transition show={!account}>
+                <div className={pageClassName}>
+                    <p>
+                        You can use Cloud Snitch to enforce rules for the following AWS accounts. Cloud Snitch does this
+                        by attaching{' '}
+                        <Link
+                            href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html"
+                            className="external-link"
+                            rel="noopener noreferrer"
+                            target="_blank"
+                        >
+                            Service Control Policies
+                        </Link>{' '}
+                        to accounts.
+                    </p>
+                    <div className="flex flex-col max-h-[50vh] overflow-auto">
+                        {sortedAccounts &&
+                            sortedAccounts.map((account) => (
+                                <div
+                                    key={account.id}
+                                    className="flex items-center gap-2 hover:bg-white/80 rounded-md cursor-pointer p-2"
+                                    onClick={() => {
+                                        setTransitionDirection('forward');
+                                        setAccountId(account.id);
+                                    }}
+                                >
+                                    {account.name ? (
+                                        <div className="flex flex-col">
+                                            <span className="font-semibold">{account.name}</span>
+                                            <span className="text-xs">{account.id}</span>
+                                        </div>
+                                    ) : (
+                                        <span className="font-semibold">{account.id}</span>
+                                    )}
+                                    <div className="grow flex justify-end">
+                                        <ChevronRightIcon className="h-4 w-4 text-gray-400" />
+                                    </div>
+                                </div>
+                            ))}
+                    </div>
+                </div>
+            </Transition>
+            <Transition show={!!account}>
+                <div className={pageClassName}>
+                    {account && (
+                        <AccountPage
+                            account={account}
+                            onBack={() => {
+                                setTransitionDirection('backward');
+                                setAccountId(null);
+                            }}
+                        />
+                    )}
+                </div>
+            </Transition>
+        </div>
+    );
+};
diff --git a/frontend/src/app/(user-area)/teams/[teamId]/page.tsx b/frontend/src/app/(user-area)/teams/[teamId]/page.tsx
index 6e2a9599..fb2ca318 100644
--- a/frontend/src/app/(user-area)/teams/[teamId]/page.tsx
+++ b/frontend/src/app/(user-area)/teams/[teamId]/page.tsx
@@ -1,11 +1,12 @@
 'use client';
 
+import { ShieldCheckIcon } from '@heroicons/react/24/outline';
 import Link from 'next/link';
 import React, { useCallback, useEffect, useMemo, useState } from 'react';
 import { Map as WorldMap, MapRef } from 'react-map-gl/maplibre';
 import 'maplibre-gl/dist/maplibre-gl.css';
 
-import { DurationDropdown, FilterDropdown } from '@/components';
+import { Dialog, DurationDropdown, FilterDropdown } from '@/components';
 import {
     useAwsRegionsMap,
     useCombinedReport,
@@ -23,6 +24,7 @@ import { Header } from './Header';
 import { ContextPanel } from './ContextPanel';
 import { maxZoomForClusterRect, minZoomForClusterRect, MapOverlays } from './MapOverlays';
 import { NavigationPanel } from './NavigationPanel';
+import { Rules } from './Rules';
 import { isEqualSelection, useSelection, Selection } from './selection';
 
 interface IdAndName {
@@ -42,6 +44,8 @@ const Page = () => {
         return memberships && memberships[teamId]?.role === TeamMembershipRole.Administrator;
     });
 
+    const [isRulesOpen, setIsRulesOpen] = useState(false);
+
     const [map, setMap] = useState<MapRef | null>(null);
     const [isMapReady, setIsMapReady] = useState(false);
 
@@ -256,6 +260,9 @@ const Page = () => {
         teamAwsIntegrationsIfAdminAndNoReports && teamAwsIntegrationsIfAdminAndNoReports.length === 0;
     const needsSetup = needsSubscriptionSetup || needsAwsIntegrationSetup;
 
+    const canManageScps =
+        teamAwsAccountsMap && [...teamAwsAccountsMap.values()].some((account) => account.canManageScps);
+
     return (
         <div className="w-full h-screen relative">
             <div className="absolute top-0 left-0 w-full h-full isolate">
@@ -311,6 +318,18 @@ const Page = () => {
                             availableEndTime={maxUnfilteredReportEndTime}
                             onChange={setDurationSeconds}
                         />
+                        <Dialog isOpen={isRulesOpen} onClose={() => setIsRulesOpen(false)} title="Rules">
+                            <Rules />
+                        </Dialog>
+                        {canManageScps && (
+                            <div
+                                className="inline-flex items-center gap-2 rounded-md bg-mint hover:bg-emerald transition-all duration-200 ease-in-out ml-8 py-1.5 px-3 text-sm/6 font-semibold text-snow cursor-pointer"
+                                onClick={() => setIsRulesOpen(true)}
+                            >
+                                <ShieldCheckIcon className="h-[1.2rem]" />
+                                Rules
+                            </div>
+                        )}
                     </div>
                 </Header>
                 <main className="w-full grow p-4 flex flex-row min-h-0 pointer-events-none relative">
diff --git a/frontend/src/app/globals.css b/frontend/src/app/globals.css
index b152623f..5e2c3b9c 100644
--- a/frontend/src/app/globals.css
+++ b/frontend/src/app/globals.css
@@ -23,6 +23,9 @@
 
     --color-snow: #f9f3f5;
     --color-platinum: #dfdfdf;
+
+    --color-emerald: #86cb92;
+    --color-mint: #63a375;
 }
 
 body {
diff --git a/frontend/src/aws.ts b/frontend/src/aws.ts
new file mode 100644
index 00000000..462ebd60
--- /dev/null
+++ b/frontend/src/aws.ts
@@ -0,0 +1,1696 @@
+export interface AwsPolicy {
+    Version: string;
+    Statement: AwsPolicyStatement[];
+}
+
+export interface AwsPolicyStatement {
+    Sid?: string;
+    Effect: 'Allow' | 'Deny';
+    Action?: string | string[];
+    NotAction?: string | string[];
+    Resource?: string | string[];
+    NotResource?: string | string[];
+
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    Condition?: Record<any, any>;
+}
+
+// Generated by ../scripts/gather_aws_service_info.py
+export const awsServices = [
+    {
+        name: 'AWS App2Container',
+        namespace: 'a2c',
+    },
+    {
+        name: 'Alexa for Business',
+        namespace: 'a4b',
+    },
+    {
+        name: 'AWS IAM Access Analyzer',
+        namespace: 'access-analyzer',
+    },
+    {
+        name: 'AWS Account Management',
+        namespace: 'account',
+    },
+    {
+        name: 'AWS Certificate Manager',
+        namespace: 'acm',
+    },
+    {
+        name: 'AWS Private Certificate Authority',
+        namespace: 'acm-pca',
+    },
+    {
+        name: 'AWS Activate',
+        namespace: 'activate',
+    },
+    {
+        name: 'Amazon AI Operations',
+        namespace: 'aiops',
+    },
+    {
+        name: 'Amazon Managed Workflows for Apache Airflow',
+        namespace: 'airflow',
+    },
+    {
+        name: 'AWS Amplify',
+        namespace: 'amplify',
+    },
+    {
+        name: 'AWS Amplify Admin',
+        namespace: 'amplifybackend',
+    },
+    {
+        name: 'AWS Amplify UI Builder',
+        namespace: 'amplifyuibuilder',
+    },
+    {
+        name: 'Amazon OpenSearch Serverless',
+        namespace: 'aoss',
+    },
+    {
+        name: 'Manage - Amazon API Gateway',
+        namespace: 'apigateway',
+    },
+    {
+        name: 'Amazon AppIntegrations',
+        namespace: 'app-integrations',
+    },
+    {
+        name: 'AWS AppConfig',
+        namespace: 'appconfig',
+    },
+    {
+        name: 'AWS AppFabric',
+        namespace: 'appfabric',
+    },
+    {
+        name: 'Amazon AppFlow',
+        namespace: 'appflow',
+    },
+    {
+        name: 'AWS Application Auto Scaling',
+        namespace: 'application-autoscaling',
+    },
+    {
+        name: 'AWS Application Cost Profiler Service',
+        namespace: 'application-cost-profiler',
+    },
+    {
+        name: 'Amazon CloudWatch Application Signals',
+        namespace: 'application-signals',
+    },
+    {
+        name: 'AWS Application Transformation Service',
+        namespace: 'application-transformation',
+    },
+    {
+        name: 'Amazon CloudWatch Application Insights',
+        namespace: 'applicationinsights',
+    },
+    {
+        name: 'AWS App Mesh',
+        namespace: 'appmesh',
+    },
+    {
+        name: 'AWS App Mesh Preview',
+        namespace: 'appmesh-preview',
+    },
+    {
+        name: 'AWS App Runner',
+        namespace: 'apprunner',
+    },
+    {
+        name: 'Amazon AppStream 2.0',
+        namespace: 'appstream',
+    },
+    {
+        name: 'AWS App Studio',
+        namespace: 'appstudio',
+    },
+    {
+        name: 'AWS AppSync',
+        namespace: 'appsync',
+    },
+    {
+        name: 'AWS Mainframe Modernization Application Testing',
+        namespace: 'apptest',
+    },
+    {
+        name: 'Amazon Managed Service for Prometheus',
+        namespace: 'aps',
+    },
+    {
+        name: 'Amazon Application Recovery Controller - Zonal Shift',
+        namespace: 'arc-zonal-shift',
+    },
+    {
+        name: 'Application Discovery Arsenal',
+        namespace: 'arsenal',
+    },
+    {
+        name: 'AWS Artifact',
+        namespace: 'artifact',
+    },
+    {
+        name: 'Amazon Athena',
+        namespace: 'athena',
+    },
+    {
+        name: 'AWS Audit Manager',
+        namespace: 'auditmanager',
+    },
+    {
+        name: 'Amazon EC2 Auto Scaling',
+        namespace: 'autoscaling',
+    },
+    {
+        name: 'AWS Auto Scaling',
+        namespace: 'autoscaling-plans',
+    },
+    {
+        name: 'AWS Marketplace',
+        namespace: 'aws-marketplace',
+    },
+    {
+        name: 'AWS Marketplace Management Portal',
+        namespace: 'aws-marketplace-management',
+    },
+    {
+        name: 'AWS Billing Console',
+        namespace: 'aws-portal',
+    },
+    {
+        name: 'AWS Connector Service',
+        namespace: 'awsconnector',
+    },
+    {
+        name: 'AWS B2B Data Interchange',
+        namespace: 'b2bi',
+    },
+    {
+        name: 'AWS Backup',
+        namespace: 'backup',
+    },
+    {
+        name: 'AWS Backup Gateway',
+        namespace: 'backup-gateway',
+    },
+    {
+        name: 'AWS Backup Search',
+        namespace: 'backup-search',
+    },
+    {
+        name: 'AWS Backup storage',
+        namespace: 'backup-storage',
+    },
+    {
+        name: 'AWS Batch',
+        namespace: 'batch',
+    },
+    {
+        name: 'AWS Billing And Cost Management Data Exports',
+        namespace: 'bcm-data-exports',
+    },
+    {
+        name: 'AWS Billing And Cost Management Pricing Calculator',
+        namespace: 'bcm-pricing-calculator',
+    },
+    {
+        name: 'Amazon Bedrock',
+        namespace: 'bedrock',
+    },
+    {
+        name: 'AWS Billing',
+        namespace: 'billing',
+    },
+    {
+        name: 'AWS Billing Conductor',
+        namespace: 'billingconductor',
+    },
+    {
+        name: 'Amazon Braket',
+        namespace: 'braket',
+    },
+    {
+        name: 'AWS Budget Service',
+        namespace: 'budgets',
+    },
+    {
+        name: 'AWS BugBust',
+        namespace: 'bugbust',
+    },
+    {
+        name: 'Amazon Connect Cases',
+        namespace: 'cases',
+    },
+    {
+        name: 'Amazon Keyspaces (for Apache Cassandra)',
+        namespace: 'cassandra',
+    },
+    {
+        name: 'AWS Cost Explorer Service',
+        namespace: 'ce',
+    },
+    {
+        name: 'AWS Chatbot',
+        namespace: 'chatbot',
+    },
+    {
+        name: 'Amazon Chime',
+        namespace: 'chime',
+    },
+    {
+        name: 'AWS Clean Rooms',
+        namespace: 'cleanrooms',
+    },
+    {
+        name: 'AWS Clean Rooms ML',
+        namespace: 'cleanrooms-ml',
+    },
+    {
+        name: 'AWS Cloud9',
+        namespace: 'cloud9',
+    },
+    {
+        name: 'Amazon Cloud Directory',
+        namespace: 'clouddirectory',
+    },
+    {
+        name: 'AWS CloudFormation',
+        namespace: 'cloudformation',
+    },
+    {
+        name: 'Amazon CloudFront',
+        namespace: 'cloudfront',
+    },
+    {
+        name: 'Amazon CloudFront KeyValueStore',
+        namespace: 'cloudfront-keyvaluestore',
+    },
+    {
+        name: 'AWS CloudHSM',
+        namespace: 'cloudhsm',
+    },
+    {
+        name: 'Amazon CloudSearch',
+        namespace: 'cloudsearch',
+    },
+    {
+        name: 'AWS CloudShell',
+        namespace: 'cloudshell',
+    },
+    {
+        name: 'AWS CloudTrail',
+        namespace: 'cloudtrail',
+    },
+    {
+        name: 'AWS CloudTrail Data',
+        namespace: 'cloudtrail-data',
+    },
+    {
+        name: 'Amazon CloudWatch',
+        namespace: 'cloudwatch',
+    },
+    {
+        name: 'AWS CodeArtifact',
+        namespace: 'codeartifact',
+    },
+    {
+        name: 'AWS CodeBuild',
+        namespace: 'codebuild',
+    },
+    {
+        name: 'Amazon CodeCatalyst',
+        namespace: 'codecatalyst',
+    },
+    {
+        name: 'AWS CodeCommit',
+        namespace: 'codecommit',
+    },
+    {
+        name: 'AWS CodeConnections',
+        namespace: 'codeconnections',
+    },
+    {
+        name: 'AWS CodeDeploy',
+        namespace: 'codedeploy',
+    },
+    {
+        name: 'AWS CodeDeploy secure host commands service',
+        namespace: 'codedeploy-commands-secure',
+    },
+    {
+        name: 'Amazon CodeGuru',
+        namespace: 'codeguru',
+    },
+    {
+        name: 'Amazon CodeGuru Profiler',
+        namespace: 'codeguru-profiler',
+    },
+    {
+        name: 'Amazon CodeGuru Reviewer',
+        namespace: 'codeguru-reviewer',
+    },
+    {
+        name: 'Amazon CodeGuru Security',
+        namespace: 'codeguru-security',
+    },
+    {
+        name: 'AWS CodePipeline',
+        namespace: 'codepipeline',
+    },
+    {
+        name: 'AWS CodeStar',
+        namespace: 'codestar',
+    },
+    {
+        name: 'AWS CodeStar Connections',
+        namespace: 'codestar-connections',
+    },
+    {
+        name: 'AWS CodeStar Notifications',
+        namespace: 'codestar-notifications',
+    },
+    {
+        name: 'Amazon CodeWhisperer',
+        namespace: 'codewhisperer',
+    },
+    {
+        name: 'Amazon Cognito Identity',
+        namespace: 'cognito-identity',
+    },
+    {
+        name: 'Amazon Cognito User Pools',
+        namespace: 'cognito-idp',
+    },
+    {
+        name: 'Amazon Cognito Sync',
+        namespace: 'cognito-sync',
+    },
+    {
+        name: 'Amazon Comprehend',
+        namespace: 'comprehend',
+    },
+    {
+        name: 'Amazon Comprehend Medical',
+        namespace: 'comprehendmedical',
+    },
+    {
+        name: 'AWS Compute Optimizer',
+        namespace: 'compute-optimizer',
+    },
+    {
+        name: 'AWS Config',
+        namespace: 'config',
+    },
+    {
+        name: 'Amazon Connect',
+        namespace: 'connect',
+    },
+    {
+        name: 'Amazon Connect Outbound Campaigns',
+        namespace: 'connect-campaigns',
+    },
+    {
+        name: 'AWS Console Mobile App',
+        namespace: 'consoleapp',
+    },
+    {
+        name: 'AWS Consolidated Billing',
+        namespace: 'consolidatedbilling',
+    },
+    {
+        name: 'AWS Control Catalog',
+        namespace: 'controlcatalog',
+    },
+    {
+        name: 'AWS Control Tower',
+        namespace: 'controltower',
+    },
+    {
+        name: 'AWS Cost Optimization Hub',
+        namespace: 'cost-optimization-hub',
+    },
+    {
+        name: 'AWS Cost and Usage Report',
+        namespace: 'cur',
+    },
+    {
+        name: 'AWS Customer Verification Service',
+        namespace: 'customer-verification',
+    },
+    {
+        name: 'AWS Glue DataBrew',
+        namespace: 'databrew',
+    },
+    {
+        name: 'AWS Data Exchange',
+        namespace: 'dataexchange',
+    },
+    {
+        name: 'AWS Data Pipeline',
+        namespace: 'datapipeline',
+    },
+    {
+        name: 'AWS DataSync',
+        namespace: 'datasync',
+    },
+    {
+        name: 'Amazon DataZone',
+        namespace: 'datazone',
+    },
+    {
+        name: 'Amazon DynamoDB Accelerator (DAX)',
+        namespace: 'dax',
+    },
+    {
+        name: 'Database Query Metadata Service',
+        namespace: 'dbqms',
+    },
+    {
+        name: 'AWS Deadline Cloud',
+        namespace: 'deadline',
+    },
+    {
+        name: 'AWS DeepComposer',
+        namespace: 'deepcomposer',
+    },
+    {
+        name: 'AWS DeepRacer',
+        namespace: 'deepracer',
+    },
+    {
+        name: 'Amazon Detective',
+        namespace: 'detective',
+    },
+    {
+        name: 'AWS Device Farm',
+        namespace: 'devicefarm',
+    },
+    {
+        name: 'Amazon DevOps Guru',
+        namespace: 'devops-guru',
+    },
+    {
+        name: 'AWS Direct Connect',
+        namespace: 'directconnect',
+    },
+    {
+        name: 'AWS Application Discovery Service',
+        namespace: 'discovery',
+    },
+    {
+        name: 'Amazon Data Lifecycle Manager',
+        namespace: 'dlm',
+    },
+    {
+        name: 'AWS Database Migration Service',
+        namespace: 'dms',
+    },
+    {
+        name: 'Amazon DocumentDB Elastic Clusters',
+        namespace: 'docdb-elastic',
+    },
+    {
+        name: 'AWS Elastic Disaster Recovery',
+        namespace: 'drs',
+    },
+    {
+        name: 'AWS Directory Service',
+        namespace: 'ds',
+    },
+    {
+        name: 'AWS Directory Service Data',
+        namespace: 'ds-data',
+    },
+    {
+        name: 'Amazon Aurora DSQL',
+        namespace: 'dsql',
+    },
+    {
+        name: 'Amazon DynamoDB',
+        namespace: 'dynamodb',
+    },
+    {
+        name: 'Amazon Elastic Block Store',
+        namespace: 'ebs',
+    },
+    {
+        name: 'Amazon EC2',
+        namespace: 'ec2',
+    },
+    {
+        name: 'Amazon EC2 Instance Connect',
+        namespace: 'ec2-instance-connect',
+    },
+    {
+        name: 'Amazon Message Delivery Service',
+        namespace: 'ec2messages',
+    },
+    {
+        name: 'Amazon Elastic Container Registry',
+        namespace: 'ecr',
+    },
+    {
+        name: 'Amazon Elastic Container Registry Public',
+        namespace: 'ecr-public',
+    },
+    {
+        name: 'Amazon Elastic Container Service',
+        namespace: 'ecs',
+    },
+    {
+        name: 'Amazon Elastic Kubernetes Service',
+        namespace: 'eks',
+    },
+    {
+        name: 'Amazon EKS Auth',
+        namespace: 'eks-auth',
+    },
+    {
+        name: 'Amazon ElastiCache',
+        namespace: 'elasticache',
+    },
+    {
+        name: 'AWS Elastic Beanstalk',
+        namespace: 'elasticbeanstalk',
+    },
+    {
+        name: 'Amazon Elastic File System',
+        namespace: 'elasticfilesystem',
+    },
+    {
+        name: 'Elastic Load Balancing',
+        namespace: 'elasticloadbalancing',
+    },
+    {
+        name: 'Amazon Elastic MapReduce',
+        namespace: 'elasticmapreduce',
+    },
+    {
+        name: 'Amazon Elastic Transcoder',
+        namespace: 'elastictranscoder',
+    },
+    {
+        name: 'AWS Elemental Appliances and Software Activation Service',
+        namespace: 'elemental-activations',
+    },
+    {
+        name: 'AWS Elemental Appliances and Software',
+        namespace: 'elemental-appliances-software',
+    },
+    {
+        name: 'AWS Elemental Support Cases',
+        namespace: 'elemental-support-cases',
+    },
+    {
+        name: 'AWS Elemental Support Content',
+        namespace: 'elemental-support-content',
+    },
+    {
+        name: 'Amazon EMR on EKS (EMR Containers)',
+        namespace: 'emr-containers',
+    },
+    {
+        name: 'Amazon EMR Serverless',
+        namespace: 'emr-serverless',
+    },
+    {
+        name: 'AWS Entity Resolution',
+        namespace: 'entityresolution',
+    },
+    {
+        name: 'Amazon OpenSearch Service',
+        namespace: 'es',
+    },
+    {
+        name: 'Amazon EventBridge',
+        namespace: 'events',
+    },
+    {
+        name: 'Amazon CloudWatch Evidently',
+        namespace: 'evidently',
+    },
+    {
+        name: 'Amazon API Gateway',
+        namespace: 'execute-api',
+    },
+    {
+        name: 'Amazon FinSpace',
+        namespace: 'finspace',
+    },
+    {
+        name: 'Amazon FinSpace API',
+        namespace: 'finspace-api',
+    },
+    {
+        name: 'Amazon Kinesis Firehose',
+        namespace: 'firehose',
+    },
+    {
+        name: 'AWS Fault Injection Service',
+        namespace: 'fis',
+    },
+    {
+        name: 'AWS Firewall Manager',
+        namespace: 'fms',
+    },
+    {
+        name: 'Amazon Forecast',
+        namespace: 'forecast',
+    },
+    {
+        name: 'Amazon Fraud Detector',
+        namespace: 'frauddetector',
+    },
+    {
+        name: 'Amazon FreeRTOS',
+        namespace: 'freertos',
+    },
+    {
+        name: 'AWS Free Tier',
+        namespace: 'freetier',
+    },
+    {
+        name: 'Amazon FSx',
+        namespace: 'fsx',
+    },
+    {
+        name: 'Amazon GameLift',
+        namespace: 'gamelift',
+    },
+    {
+        name: 'Amazon GameLift Streams',
+        namespace: 'gameliftstreams',
+    },
+    {
+        name: 'Amazon Location',
+        namespace: 'geo',
+    },
+    {
+        name: 'Amazon Location Service Maps',
+        namespace: 'geo-maps',
+    },
+    {
+        name: 'Amazon Location Service Places',
+        namespace: 'geo-places',
+    },
+    {
+        name: 'Amazon Location Service Routes',
+        namespace: 'geo-routes',
+    },
+    {
+        name: 'Amazon S3 Glacier',
+        namespace: 'glacier',
+    },
+    {
+        name: 'AWS Global Accelerator',
+        namespace: 'globalaccelerator',
+    },
+    {
+        name: 'AWS Glue',
+        namespace: 'glue',
+    },
+    {
+        name: 'Amazon Managed Grafana',
+        namespace: 'grafana',
+    },
+    {
+        name: 'AWS IoT Greengrass',
+        namespace: 'greengrass',
+    },
+    {
+        name: 'AWS Ground Station',
+        namespace: 'groundstation',
+    },
+    {
+        name: 'Amazon GroundTruth Labeling',
+        namespace: 'groundtruthlabeling',
+    },
+    {
+        name: 'Amazon GuardDuty',
+        namespace: 'guardduty',
+    },
+    {
+        name: 'AWS Health APIs and Notifications',
+        namespace: 'health',
+    },
+    {
+        name: 'AWS HealthLake',
+        namespace: 'healthlake',
+    },
+    {
+        name: 'Amazon Honeycode',
+        namespace: 'honeycode',
+    },
+    {
+        name: 'AWS Identity and Access Management',
+        namespace: 'iam',
+    },
+    {
+        name: 'AWS Identity Sync',
+        namespace: 'identity-sync',
+    },
+    {
+        name: 'AWS Identity Store',
+        namespace: 'identitystore',
+    },
+    {
+        name: 'AWS Identity Store Auth',
+        namespace: 'identitystore-auth',
+    },
+    {
+        name: 'Amazon EC2 Image Builder',
+        namespace: 'imagebuilder',
+    },
+    {
+        name: 'AWS Import Export',
+        namespace: 'importexport',
+    },
+    {
+        name: 'Amazon Inspector',
+        namespace: 'inspector',
+    },
+    {
+        name: 'Amazon InspectorScan',
+        namespace: 'inspector-scan',
+    },
+    {
+        name: 'Amazon Inspector2',
+        namespace: 'inspector2',
+    },
+    {
+        name: 'Amazon CloudWatch Internet Monitor',
+        namespace: 'internetmonitor',
+    },
+    {
+        name: 'AWS Invoicing Service',
+        namespace: 'invoicing',
+    },
+    {
+        name: 'AWS IoT',
+        namespace: 'iot',
+    },
+    {
+        name: 'AWS IoT Device Tester',
+        namespace: 'iot-device-tester',
+    },
+    {
+        name: 'AWS IoT 1-Click',
+        namespace: 'iot1click',
+    },
+    {
+        name: 'AWS IoT Analytics',
+        namespace: 'iotanalytics',
+    },
+    {
+        name: 'AWS IoT Core Device Advisor',
+        namespace: 'iotdeviceadvisor',
+    },
+    {
+        name: 'AWS IoT Events',
+        namespace: 'iotevents',
+    },
+    {
+        name: 'AWS IoT Fleet Hub for Device Management',
+        namespace: 'iotfleethub',
+    },
+    {
+        name: 'AWS IoT FleetWise',
+        namespace: 'iotfleetwise',
+    },
+    {
+        name: 'AWS IoT Jobs DataPlane',
+        namespace: 'iotjobsdata',
+    },
+    {
+        name: 'AWS IoT managed integrations feature of IoT Device Management',
+        namespace: 'iotmanagedintegrations',
+    },
+    {
+        name: 'AWS IoT SiteWise',
+        namespace: 'iotsitewise',
+    },
+    {
+        name: 'AWS IoT TwinMaker',
+        namespace: 'iottwinmaker',
+    },
+    {
+        name: 'AWS IoT Wireless',
+        namespace: 'iotwireless',
+    },
+    {
+        name: 'AWS IQ',
+        namespace: 'iq',
+    },
+    {
+        name: 'AWS IQ Permissions',
+        namespace: 'iq-permission',
+    },
+    {
+        name: 'Amazon Interactive Video Service',
+        namespace: 'ivs',
+    },
+    {
+        name: 'Amazon Interactive Video Service Chat',
+        namespace: 'ivschat',
+    },
+    {
+        name: 'Amazon Managed Streaming for Apache Kafka',
+        namespace: 'kafka',
+    },
+    {
+        name: 'Apache Kafka APIs for Amazon MSK clusters',
+        namespace: 'kafka-cluster',
+    },
+    {
+        name: 'Amazon Managed Streaming for Kafka Connect',
+        namespace: 'kafkaconnect',
+    },
+    {
+        name: 'Amazon Kendra',
+        namespace: 'kendra',
+    },
+    {
+        name: 'Amazon Kendra Intelligent Ranking',
+        namespace: 'kendra-ranking',
+    },
+    {
+        name: 'Amazon Kinesis Data Streams',
+        namespace: 'kinesis',
+    },
+    {
+        name: 'Amazon Kinesis Analytics',
+        namespace: 'kinesisanalytics',
+    },
+    {
+        name: 'Amazon Kinesis Video Streams',
+        namespace: 'kinesisvideo',
+    },
+    {
+        name: 'AWS Key Management Service',
+        namespace: 'kms',
+    },
+    {
+        name: 'AWS Lake Formation',
+        namespace: 'lakeformation',
+    },
+    {
+        name: 'AWS Lambda',
+        namespace: 'lambda',
+    },
+    {
+        name: 'AWS Launch Wizard',
+        namespace: 'launchwizard',
+    },
+    {
+        name: 'Amazon Lex',
+        namespace: 'lex',
+    },
+    {
+        name: 'AWS License Manager',
+        namespace: 'license-manager',
+    },
+    {
+        name: 'AWS License Manager Linux Subscriptions Manager',
+        namespace: 'license-manager-linux-subscriptions',
+    },
+    {
+        name: 'AWS License Manager User Subscriptions',
+        namespace: 'license-manager-user-subscriptions',
+    },
+    {
+        name: 'Amazon Lightsail',
+        namespace: 'lightsail',
+    },
+    {
+        name: 'Amazon CloudWatch Logs',
+        namespace: 'logs',
+    },
+    {
+        name: 'Amazon Lookout for Equipment',
+        namespace: 'lookoutequipment',
+    },
+    {
+        name: 'Amazon Lookout for Metrics',
+        namespace: 'lookoutmetrics',
+    },
+    {
+        name: 'Amazon Lookout for Vision',
+        namespace: 'lookoutvision',
+    },
+    {
+        name: 'AWS Mainframe Modernization Service',
+        namespace: 'm2',
+    },
+    {
+        name: 'Amazon Machine Learning',
+        namespace: 'machinelearning',
+    },
+    {
+        name: 'Amazon Macie',
+        namespace: 'macie2',
+    },
+    {
+        name: 'Amazon Managed Blockchain',
+        namespace: 'managedblockchain',
+    },
+    {
+        name: 'Amazon Managed Blockchain Query',
+        namespace: 'managedblockchain-query',
+    },
+    {
+        name: 'AWS Migration Acceleration Program Credits',
+        namespace: 'mapcredits',
+    },
+    {
+        name: 'AWS Marketplace Commerce Analytics Service',
+        namespace: 'marketplacecommerceanalytics',
+    },
+    {
+        name: 'Amazon Mechanical Turk',
+        namespace: 'mechanicalturk',
+    },
+    {
+        name: 'AWS Elemental MediaConnect',
+        namespace: 'mediaconnect',
+    },
+    {
+        name: 'AWS Elemental MediaConvert',
+        namespace: 'mediaconvert',
+    },
+    {
+        name: 'AmazonMediaImport',
+        namespace: 'mediaimport',
+    },
+    {
+        name: 'AWS Elemental MediaLive',
+        namespace: 'medialive',
+    },
+    {
+        name: 'AWS Elemental MediaPackage',
+        namespace: 'mediapackage',
+    },
+    {
+        name: 'AWS Elemental MediaPackage VOD',
+        namespace: 'mediapackage-vod',
+    },
+    {
+        name: 'AWS Elemental MediaPackage V2',
+        namespace: 'mediapackagev2',
+    },
+    {
+        name: 'AWS Elemental MediaStore',
+        namespace: 'mediastore',
+    },
+    {
+        name: 'AWS Elemental MediaTailor',
+        namespace: 'mediatailor',
+    },
+    {
+        name: 'AWS HealthImaging',
+        namespace: 'medical-imaging',
+    },
+    {
+        name: 'Amazon MemoryDB',
+        namespace: 'memorydb',
+    },
+    {
+        name: 'AWS Migration Hub',
+        namespace: 'mgh',
+    },
+    {
+        name: 'AWS Application Migration Service',
+        namespace: 'mgn',
+    },
+    {
+        name: 'AWS Migration Hub Orchestrator',
+        namespace: 'migrationhub-orchestrator',
+    },
+    {
+        name: 'AWS Migration Hub Strategy Recommendations',
+        namespace: 'migrationhub-strategy',
+    },
+    {
+        name: 'Amazon Mobile Analytics',
+        namespace: 'mobileanalytics',
+    },
+    {
+        name: 'Amazon Pinpoint',
+        namespace: 'mobiletargeting',
+    },
+    {
+        name: 'Amazon Monitron',
+        namespace: 'monitron',
+    },
+    {
+        name: 'Amazon MQ',
+        namespace: 'mq',
+    },
+    {
+        name: 'Amazon Neptune',
+        namespace: 'neptune-db',
+    },
+    {
+        name: 'Amazon Neptune Analytics',
+        namespace: 'neptune-graph',
+    },
+    {
+        name: 'AWS Network Firewall',
+        namespace: 'network-firewall',
+    },
+    {
+        name: 'Network Flow Monitor',
+        namespace: 'networkflowmonitor',
+    },
+    {
+        name: 'AWS Network Manager',
+        namespace: 'networkmanager',
+    },
+    {
+        name: 'AWS Network Manager Chat',
+        namespace: 'networkmanager-chat',
+    },
+    {
+        name: 'Amazon CloudWatch Network Monitor',
+        namespace: 'networkmonitor',
+    },
+    {
+        name: 'Amazon Nimble Studio',
+        namespace: 'nimble',
+    },
+    {
+        name: 'AWS User Notifications',
+        namespace: 'notifications',
+    },
+    {
+        name: 'AWS User Notifications Contacts',
+        namespace: 'notifications-contacts',
+    },
+    {
+        name: 'Amazon CloudWatch Observability Access Manager',
+        namespace: 'oam',
+    },
+    {
+        name: 'Amazon CloudWatch Observability Admin Service',
+        namespace: 'observabilityadmin',
+    },
+    {
+        name: 'AWS HealthOmics',
+        namespace: 'omics',
+    },
+    {
+        name: 'Amazon One Enterprise',
+        namespace: 'one',
+    },
+    {
+        name: 'Amazon OpenSearch',
+        namespace: 'opensearch',
+    },
+    {
+        name: 'AWS OpsWorks',
+        namespace: 'opsworks',
+    },
+    {
+        name: 'AWS OpsWorks Configuration Management',
+        namespace: 'opsworks-cm',
+    },
+    {
+        name: 'AWS Organizations',
+        namespace: 'organizations',
+    },
+    {
+        name: 'Amazon OpenSearch Ingestion',
+        namespace: 'osis',
+    },
+    {
+        name: 'AWS Outposts',
+        namespace: 'outposts',
+    },
+    {
+        name: 'AWS Panorama',
+        namespace: 'panorama',
+    },
+    {
+        name: 'AWS Partner Central Selling',
+        namespace: 'partnercentral',
+    },
+    {
+        name: 'AWS Partner central account management',
+        namespace: 'partnercentral-account-management',
+    },
+    {
+        name: 'AWS Payment Cryptography',
+        namespace: 'payment-cryptography',
+    },
+    {
+        name: 'AWS Payments',
+        namespace: 'payments',
+    },
+    {
+        name: 'AWS Private CA Connector for Active Directory',
+        namespace: 'pca-connector-ad',
+    },
+    {
+        name: 'AWS Private CA Connector for SCEP',
+        namespace: 'pca-connector-scep',
+    },
+    {
+        name: 'AWS Parallel Computing Service',
+        namespace: 'pcs',
+    },
+    {
+        name: 'Amazon Personalize',
+        namespace: 'personalize',
+    },
+    {
+        name: 'AWS Performance Insights',
+        namespace: 'pi',
+    },
+    {
+        name: 'Amazon EventBridge Pipes',
+        namespace: 'pipes',
+    },
+    {
+        name: 'Amazon Polly',
+        namespace: 'polly',
+    },
+    {
+        name: 'AWS Price List',
+        namespace: 'pricing',
+    },
+    {
+        name: 'AWS service providing managed private networks',
+        namespace: 'private-networks',
+    },
+    {
+        name: 'Amazon Connect Customer Profiles',
+        namespace: 'profile',
+    },
+    {
+        name: 'AWS Proton',
+        namespace: 'proton',
+    },
+    {
+        name: 'AWS Purchase Orders Console',
+        namespace: 'purchase-orders',
+    },
+    {
+        name: 'Amazon Q',
+        namespace: 'q',
+    },
+    {
+        name: 'Amazon Q Business Q Apps',
+        namespace: 'qapps',
+    },
+    {
+        name: 'Amazon Q Business',
+        namespace: 'qbusiness',
+    },
+    {
+        name: 'Amazon Q Developer',
+        namespace: 'qdeveloper',
+    },
+    {
+        name: 'Amazon QLDB',
+        namespace: 'qldb',
+    },
+    {
+        name: 'Amazon QuickSight',
+        namespace: 'quicksight',
+    },
+    {
+        name: 'AWS Resource Access Manager (RAM)',
+        namespace: 'ram',
+    },
+    {
+        name: 'AWS Recycle Bin',
+        namespace: 'rbin',
+    },
+    {
+        name: 'Amazon RDS',
+        namespace: 'rds',
+    },
+    {
+        name: 'Amazon RDS Data API',
+        namespace: 'rds-data',
+    },
+    {
+        name: 'Amazon RDS IAM Authentication',
+        namespace: 'rds-db',
+    },
+    {
+        name: 'Amazon Redshift',
+        namespace: 'redshift',
+    },
+    {
+        name: 'Amazon Redshift Data API',
+        namespace: 'redshift-data',
+    },
+    {
+        name: 'Amazon Redshift Serverless',
+        namespace: 'redshift-serverless',
+    },
+    {
+        name: 'AWS Migration Hub Refactor Spaces',
+        namespace: 'refactor-spaces',
+    },
+    {
+        name: 'Amazon Rekognition',
+        namespace: 'rekognition',
+    },
+    {
+        name: 'AWS rePost Private',
+        namespace: 'repostspace',
+    },
+    {
+        name: 'AWS Resilience Hub',
+        namespace: 'resiliencehub',
+    },
+    {
+        name: 'Tag Editor',
+        namespace: 'resource-explorer',
+    },
+    {
+        name: 'AWS Resource Explorer',
+        namespace: 'resource-explorer-2',
+    },
+    {
+        name: 'AWS Resource Groups',
+        namespace: 'resource-groups',
+    },
+    {
+        name: 'Amazon RHEL Knowledgebase Portal',
+        namespace: 'rhelkb',
+    },
+    {
+        name: 'AWS RoboMaker',
+        namespace: 'robomaker',
+    },
+    {
+        name: 'AWS Identity and Access Management Roles Anywhere',
+        namespace: 'rolesanywhere',
+    },
+    {
+        name: 'Amazon Route 53',
+        namespace: 'route53',
+    },
+    {
+        name: 'Amazon Route 53 Recovery Cluster',
+        namespace: 'route53-recovery-cluster',
+    },
+    {
+        name: 'Amazon Route 53 Recovery Controls',
+        namespace: 'route53-recovery-control-config',
+    },
+    {
+        name: 'Amazon Route 53 Recovery Readiness',
+        namespace: 'route53-recovery-readiness',
+    },
+    {
+        name: 'Amazon Route 53 Domains',
+        namespace: 'route53domains',
+    },
+    {
+        name: 'Amazon Route 53 Profiles',
+        namespace: 'route53profiles',
+    },
+    {
+        name: 'Amazon Route 53 Resolver',
+        namespace: 'route53resolver',
+    },
+    {
+        name: 'AWS CloudWatch RUM',
+        namespace: 'rum',
+    },
+    {
+        name: 'Amazon S3',
+        namespace: 's3',
+    },
+    {
+        name: 'Amazon S3 Object Lambda',
+        namespace: 's3-object-lambda',
+    },
+    {
+        name: 'Amazon S3 on Outposts',
+        namespace: 's3-outposts',
+    },
+    {
+        name: 'Amazon S3 Express',
+        namespace: 's3express',
+    },
+    {
+        name: 'Amazon S3 Tables',
+        namespace: 's3tables',
+    },
+    {
+        name: 'Amazon SageMaker',
+        namespace: 'sagemaker',
+    },
+    {
+        name: 'Amazon SageMaker data science assistant',
+        namespace: 'sagemaker-data-science-assistant',
+    },
+    {
+        name: 'Amazon SageMaker geospatial capabilities',
+        namespace: 'sagemaker-geospatial',
+    },
+    {
+        name: 'Amazon SageMaker Ground Truth Synthetic',
+        namespace: 'sagemaker-groundtruth-synthetic',
+    },
+    {
+        name: 'Amazon SageMaker with MLflow',
+        namespace: 'sagemaker-mlflow',
+    },
+    {
+        name: 'AWS Savings Plans',
+        namespace: 'savingsplans',
+    },
+    {
+        name: 'Amazon EventBridge Scheduler',
+        namespace: 'scheduler',
+    },
+    {
+        name: 'Amazon EventBridge Schemas',
+        namespace: 'schemas',
+    },
+    {
+        name: 'AWS Supply Chain',
+        namespace: 'scn',
+    },
+    {
+        name: 'Amazon SimpleDB',
+        namespace: 'sdb',
+    },
+    {
+        name: 'AWS Secrets Manager',
+        namespace: 'secretsmanager',
+    },
+    {
+        name: 'AWS Security Incident Response',
+        namespace: 'security-ir',
+    },
+    {
+        name: 'AWS Security Hub',
+        namespace: 'securityhub',
+    },
+    {
+        name: 'Amazon Security Lake',
+        namespace: 'securitylake',
+    },
+    {
+        name: 'AWS Serverless Application Repository',
+        namespace: 'serverlessrepo',
+    },
+    {
+        name: 'AWS Service Catalog',
+        namespace: 'servicecatalog',
+    },
+    {
+        name: 'AWS Cloud Map',
+        namespace: 'servicediscovery',
+    },
+    {
+        name: 'AWS Microservice Extractor for .NET',
+        namespace: 'serviceextract',
+    },
+    {
+        name: 'Service Quotas',
+        namespace: 'servicequotas',
+    },
+    {
+        name: 'Amazon SES',
+        namespace: 'ses',
+    },
+    {
+        name: 'AWS Shield',
+        namespace: 'shield',
+    },
+    {
+        name: 'AWS Signer',
+        namespace: 'signer',
+    },
+    {
+        name: 'AWS Signin',
+        namespace: 'signin',
+    },
+    {
+        name: 'AWS SimSpace Weaver',
+        namespace: 'simspaceweaver',
+    },
+    {
+        name: 'AWS Server Migration Service',
+        namespace: 'sms',
+    },
+    {
+        name: 'Amazon Pinpoint SMS and Voice Service',
+        namespace: 'sms-voice',
+    },
+    {
+        name: 'AWS Snow Device Management',
+        namespace: 'snow-device-management',
+    },
+    {
+        name: 'AWS Snowball',
+        namespace: 'snowball',
+    },
+    {
+        name: 'Amazon SNS',
+        namespace: 'sns',
+    },
+    {
+        name: 'AWS End User Messaging Social',
+        namespace: 'social-messaging',
+    },
+    {
+        name: 'AWS SQL Workbench',
+        namespace: 'sqlworkbench',
+    },
+    {
+        name: 'Amazon SQS',
+        namespace: 'sqs',
+    },
+    {
+        name: 'AWS Systems Manager',
+        namespace: 'ssm',
+    },
+    {
+        name: 'AWS Systems Manager Incident Manager Contacts',
+        namespace: 'ssm-contacts',
+    },
+    {
+        name: 'AWS Systems Manager GUI Connect',
+        namespace: 'ssm-guiconnect',
+    },
+    {
+        name: 'AWS Systems Manager Incident Manager',
+        namespace: 'ssm-incidents',
+    },
+    {
+        name: 'AWS Systems Manager Quick Setup',
+        namespace: 'ssm-quicksetup',
+    },
+    {
+        name: 'AWS Systems Manager for SAP',
+        namespace: 'ssm-sap',
+    },
+    {
+        name: 'Amazon Message Gateway Service',
+        namespace: 'ssmmessages',
+    },
+    {
+        name: 'AWS IAM Identity Center (successor to AWS Single Sign-On)',
+        namespace: 'sso',
+    },
+    {
+        name: 'AWS IAM Identity Center (successor to AWS Single Sign-On) directory',
+        namespace: 'sso-directory',
+    },
+    {
+        name: 'AWS IAM Identity Center OIDC service',
+        namespace: 'sso-oauth',
+    },
+    {
+        name: 'AWS Step Functions',
+        namespace: 'states',
+    },
+    {
+        name: 'AWS Storage Gateway',
+        namespace: 'storagegateway',
+    },
+    {
+        name: 'AWS Security Token Service',
+        namespace: 'sts',
+    },
+    {
+        name: 'AWS Support',
+        namespace: 'support',
+    },
+    {
+        name: 'AWS Support App in Slack',
+        namespace: 'supportapp',
+    },
+    {
+        name: 'AWS Support Plans',
+        namespace: 'supportplans',
+    },
+    {
+        name: 'AWS Support Recommendations',
+        namespace: 'supportrecommendations',
+    },
+    {
+        name: 'AWS Sustainability',
+        namespace: 'sustainability',
+    },
+    {
+        name: 'Amazon Simple Workflow Service',
+        namespace: 'swf',
+    },
+    {
+        name: 'Amazon CloudWatch Synthetics',
+        namespace: 'synthetics',
+    },
+    {
+        name: 'Amazon Resource Group Tagging API',
+        namespace: 'tag',
+    },
+    {
+        name: 'AWS Tax Settings',
+        namespace: 'tax',
+    },
+    {
+        name: 'Amazon Textract',
+        namespace: 'textract',
+    },
+    {
+        name: 'Amazon WorkSpaces Thin Client',
+        namespace: 'thinclient',
+    },
+    {
+        name: 'Amazon Timestream',
+        namespace: 'timestream',
+    },
+    {
+        name: 'Amazon Timestream InfluxDB',
+        namespace: 'timestream-influxdb',
+    },
+    {
+        name: 'AWS Tiros',
+        namespace: 'tiros',
+    },
+    {
+        name: 'AWS Telco Network Builder',
+        namespace: 'tnb',
+    },
+    {
+        name: 'Amazon Transcribe',
+        namespace: 'transcribe',
+    },
+    {
+        name: 'AWS Transfer Family',
+        namespace: 'transfer',
+    },
+    {
+        name: 'Amazon Translate',
+        namespace: 'translate',
+    },
+    {
+        name: 'AWS Trusted Advisor',
+        namespace: 'trustedadvisor',
+    },
+    {
+        name: 'AWS Diagnostic tools',
+        namespace: 'ts',
+    },
+    {
+        name: 'AWS User Subscriptions',
+        namespace: 'user-subscriptions',
+    },
+    {
+        name: 'AWS Marketplace Vendor Insights',
+        namespace: 'vendor-insights',
+    },
+    {
+        name: 'AWS Verified Access',
+        namespace: 'verified-access',
+    },
+    {
+        name: 'Amazon Verified Permissions',
+        namespace: 'verifiedpermissions',
+    },
+    {
+        name: 'Amazon Connect Voice ID',
+        namespace: 'voiceid',
+    },
+    {
+        name: 'Amazon VPC Lattice',
+        namespace: 'vpc-lattice',
+    },
+    {
+        name: 'Amazon VPC Lattice Services',
+        namespace: 'vpc-lattice-svcs',
+    },
+    {
+        name: 'AWS PrivateLink',
+        namespace: 'vpce',
+    },
+    {
+        name: 'AWS WAF',
+        namespace: 'waf',
+    },
+    {
+        name: 'AWS WAF Regional',
+        namespace: 'waf-regional',
+    },
+    {
+        name: 'AWS WAF V2',
+        namespace: 'wafv2',
+    },
+    {
+        name: 'Amazon WorkSpaces Application Manager',
+        namespace: 'wam',
+    },
+    {
+        name: 'AWS Well-Architected Tool',
+        namespace: 'wellarchitected',
+    },
+    {
+        name: 'AWS Wickr',
+        namespace: 'wickr',
+    },
+    {
+        name: 'Amazon Q in Connect',
+        namespace: 'wisdom',
+    },
+    {
+        name: 'Amazon WorkDocs',
+        namespace: 'workdocs',
+    },
+    {
+        name: 'Amazon WorkLink',
+        namespace: 'worklink',
+    },
+    {
+        name: 'Amazon WorkMail',
+        namespace: 'workmail',
+    },
+    {
+        name: 'Amazon WorkMail Message Flow',
+        namespace: 'workmailmessageflow',
+    },
+    {
+        name: 'Amazon WorkSpaces',
+        namespace: 'workspaces',
+    },
+    {
+        name: 'Amazon WorkSpaces Secure Browser',
+        namespace: 'workspaces-web',
+    },
+    {
+        name: 'AWS X-Ray',
+        namespace: 'xray',
+    },
+];
diff --git a/frontend/src/components/ChipEditor.tsx b/frontend/src/components/ChipEditor.tsx
new file mode 100644
index 00000000..3f49312a
--- /dev/null
+++ b/frontend/src/components/ChipEditor.tsx
@@ -0,0 +1,146 @@
+'use client';
+
+import { PlusCircleIcon, PlusIcon, XMarkIcon } from '@heroicons/react/24/outline';
+import { useState } from 'react';
+import { Combobox, ComboboxInput, ComboboxOption, ComboboxOptions } from '@headlessui/react';
+
+interface Option {
+    label: string;
+    value: string;
+}
+
+interface Props {
+    options: Option[];
+    before: Set<string>;
+    after: Set<string>;
+    onAdd: (value: string) => void;
+    onRemove: (value: string) => void;
+}
+
+export const ChipEditor = (props: Props) => {
+    const [isAdding, setIsAdding] = useState(false);
+
+    const visibleOptions = props.options.filter(
+        (option) => props.before.has(option.value) || props.after.has(option.value),
+    );
+
+    // Add options that are in before or after but not in the current options.
+    {
+        const optionValues = new Set(props.options.map((option) => option.value));
+        for (const value of props.before) {
+            if (!optionValues.has(value)) {
+                visibleOptions.push({ label: value, value });
+            }
+        }
+        for (const value of props.after) {
+            if (!optionValues.has(value)) {
+                visibleOptions.push({ label: value, value });
+            }
+        }
+    }
+
+    visibleOptions.sort((a, b) => a.label.localeCompare(b.label));
+
+    const neutralChip = 'chip px-1';
+    const addedChip = 'chip px-1 bg-mint';
+    const removedChip = 'chip px-1 line-through bg-indian-red';
+
+    return (
+        <span>
+            {visibleOptions.map((option) => {
+                const isAdded = props.after.has(option.value) && !props.before.has(option.value);
+                const isRemoved = props.before.has(option.value) && !props.after.has(option.value);
+
+                return (
+                    <span
+                        key={option.value}
+                        className={`${isAdded ? addedChip : isRemoved ? removedChip : neutralChip}`}
+                    >
+                        {option.label}
+                        {props.after.has(option.value) ? (
+                            <XMarkIcon
+                                className="h-[0.8rem] inline-block ml-1 cursor-pointer"
+                                onClick={() => props.onRemove(option.value)}
+                            />
+                        ) : (
+                            <PlusIcon
+                                className="h-[0.8rem] inline-block ml-1 cursor-pointer"
+                                onClick={() => props.onAdd(option.value)}
+                            />
+                        )}
+                    </span>
+                );
+            })}
+            {isAdding ? (
+                <InlineCombobox
+                    options={props.options.filter(
+                        (option) => !props.before.has(option.value) && !props.after.has(option.value),
+                    )}
+                    onChange={(value) => {
+                        props.onAdd(value);
+                        setIsAdding(false);
+                    }}
+                    onClose={() => setIsAdding(false)}
+                />
+            ) : (
+                <PlusCircleIcon
+                    className="h-[1rem] inline-block ml-1 cursor-pointer"
+                    onClick={() => setIsAdding(true)}
+                />
+            )}
+        </span>
+    );
+};
+
+interface InlineComboboxProps {
+    options: Option[];
+    value?: string;
+    onChange?: (value: string) => void;
+    onClose?: () => void;
+}
+
+const InlineCombobox = (props: InlineComboboxProps) => {
+    const [query, setQuery] = useState('');
+
+    const filteredOptions = props.options
+        .filter((option) => option.label.toLowerCase().includes(query.toLowerCase()))
+        .sort((a, b) => a.label.localeCompare(b.label));
+
+    return (
+        <Combobox
+            value={props.value}
+            onChange={props.onChange}
+            onClose={() => {
+                setQuery('');
+                props.onClose?.();
+            }}
+            immediate
+        >
+            <ComboboxInput
+                autoFocus
+                displayValue={(value) => props.options.find((option) => option.value === value)?.label || ''}
+                onChange={(event) => setQuery(event.target.value)}
+                onBlur={() => {
+                    setQuery('');
+                    props.onClose?.();
+                }}
+                className="bg-english-violet px-2 py-0.5 mx-0.5 leading-none rounded-md text-xs font-semibold text-snow focus:outline-none"
+            />
+            <ComboboxOptions
+                anchor="bottom"
+                className="empty:invisible rounded-md text-snow bg-english-violet/80 backdrop-blur-md"
+                static
+            >
+                {filteredOptions.map((option) => (
+                    <ComboboxOption
+                        key={option.value}
+                        value={option.value}
+                        className="cursor-pointer text-xs px-2 py-0.5 hover:bg-white/20"
+                    >
+                        {option.label}
+                    </ComboboxOption>
+                ))}
+            </ComboboxOptions>
+        </Combobox>
+    );
+};
diff --git a/frontend/src/components/SuccessMessage.tsx b/frontend/src/components/SuccessMessage.tsx
index 1f9455c5..66728f75 100644
--- a/frontend/src/components/SuccessMessage.tsx
+++ b/frontend/src/components/SuccessMessage.tsx
@@ -1,7 +1,7 @@
 import { CheckCircleIcon } from '@heroicons/react/24/outline';
 
 export const SuccessMessage = ({ children }: { children: React.ReactNode }) => (
-    <p className="w-full my-2 rounded-md p-3 text-dark-purple bg-green-100 sm:text-sm sm:leading-6 [&_a]:underline">
+    <p className="w-full my-2 rounded-md p-3 text-dark-purple bg-emerald sm:text-sm sm:leading-6 [&_a]:underline">
         <span className="inline-flex items-baseline">
             <CheckCircleIcon className="h-6 w-6 shrink-0 self-center mr-2" />
             <span>{children}</span>
diff --git a/frontend/src/components/index.tsx b/frontend/src/components/index.tsx
index 80c692d6..6546ba65 100644
--- a/frontend/src/components/index.tsx
+++ b/frontend/src/components/index.tsx
@@ -1,6 +1,7 @@
 export { BackgroundAnimation } from './BackgroundAnimation';
 export { Button } from './Button';
 export { Checkbox } from './Checkbox';
+export { ChipEditor } from './ChipEditor';
 export { Dialog } from './Dialog';
 export { DurationDropdown } from './DurationDropdown';
 export { ErrorMessage } from './ErrorMessage';
diff --git a/frontend/src/hooks.ts b/frontend/src/hooks.ts
index 7e5703f3..3757a806 100644
--- a/frontend/src/hooks.ts
+++ b/frontend/src/hooks.ts
@@ -5,6 +5,7 @@ import {
     AWSAccount,
     AWSIntegration,
     AWSRegion,
+    AWSSCP,
     Report,
     TeamBillingProfile,
     TeamPaymentMethod,
@@ -476,3 +477,13 @@ export const useCurrentTeamPrincipalSettings = (principalKey: string): TeamPrinc
         return undefined;
     });
 };
+
+export const useManagedAwsScp = (teamId: string, accountId: string): AWSSCP | undefined | null => {
+    const dispatch = useDispatch();
+
+    useEffect(() => {
+        dispatch.aws.fetchManagedScpByTeamAndAccountId({ teamId, accountId });
+    }, [teamId, accountId, dispatch]);
+
+    return useSelector((state) => state.aws.managedScps[accountId]);
+};
diff --git a/frontend/src/models/aws.ts b/frontend/src/models/aws.ts
index 6216f392..a4310efc 100644
--- a/frontend/src/models/aws.ts
+++ b/frontend/src/models/aws.ts
@@ -1,14 +1,16 @@
 import { createModel } from '@rematch/core';
 
 import { RootModel } from '.';
-import { apiConfiguration } from './api';
+import { apiConfiguration, ApiError } from './api';
 
 import {
     AwsApi,
     AWSAccount,
     AWSIntegration,
     AWSRegion,
+    AWSSCP,
     CreateAWSIntegrationInput,
+    PutAWSSCPInput,
     UpdateAWSIntegrationInput,
 } from '@/generated/api';
 
@@ -18,6 +20,7 @@ interface AwsState {
     regions: Record<string, AWSRegion>;
     accounts: Record<string, AWSAccount>;
     teamAccountIds: Record<string, string[]>;
+    managedScps: Record<string, AWSSCP | null>;
 }
 
 export const aws = createModel<RootModel>()({
@@ -27,6 +30,7 @@ export const aws = createModel<RootModel>()({
         regions: {},
         accounts: {},
         teamAccountIds: {},
+        managedScps: {},
     } as AwsState,
     reducers: {
         putIntegration(state, integration: AWSIntegration) {
@@ -44,6 +48,9 @@ export const aws = createModel<RootModel>()({
         putAccount(state, account: AWSAccount) {
             state.accounts[account.id] = account;
         },
+        putManagedScp(state, accountId: string, scp: AWSSCP | null) {
+            state.managedScps[accountId] = scp;
+        },
         setTeamAccountIds(state, teamId: string, accountIds: string[]) {
             state.teamAccountIds[teamId] = accountIds;
         },
@@ -94,6 +101,31 @@ export const aws = createModel<RootModel>()({
                 resp.map((a) => a.id),
             );
         },
+        async fetchManagedScpByTeamAndAccountId(payload: { teamId: string; accountId: string }, state) {
+            const api = new AwsApi(apiConfiguration(state.api));
+            try {
+                const resp = await api.getManagedAWSSCP(payload);
+                dispatch.aws.putManagedScp(payload.accountId, resp);
+            } catch (err) {
+                if (err instanceof ApiError && err.status === 404) {
+                    dispatch.aws.putManagedScp(payload.accountId, null);
+                } else {
+                    throw err;
+                }
+            }
+        },
+        async putManagedScpByTeamAndAccountId(
+            payload: { teamId: string; accountId: string; input: PutAWSSCPInput },
+            state,
+        ) {
+            const api = new AwsApi(apiConfiguration(state.api));
+            const resp = await api.putManagedAWSSCP({
+                teamId: payload.teamId,
+                accountId: payload.accountId,
+                putAWSSCPInput: payload.input,
+            });
+            dispatch.aws.putManagedScp(payload.accountId, resp);
+        },
         async createIntegration(payload: { teamId: string; input: CreateAWSIntegrationInput }, state) {
             const api = new AwsApi(apiConfiguration(state.api));
             const resp = await api.createAWSIntegration({
diff --git a/frontend/src/rules.ts b/frontend/src/rules.ts
new file mode 100644
index 00000000..b480d664
--- /dev/null
+++ b/frontend/src/rules.ts
@@ -0,0 +1,174 @@
+import { AwsPolicy } from '@/aws';
+
+export interface ServiceAllowlistRule {
+    type: 'service_allowlist';
+    services: Set<string>;
+}
+
+export interface RegionAllowlistRule {
+    type: 'region_allowlist';
+    regions: Set<string>;
+}
+
+export type Rule = ServiceAllowlistRule | RegionAllowlistRule;
+
+const toStrings = (thing: string | string[] | undefined): string[] => {
+    if (!thing) {
+        return [];
+    }
+    if (typeof thing === 'string') {
+        return [thing];
+    }
+    return thing;
+};
+
+export class RuleSet {
+    regionAllowlist?: RegionAllowlistRule;
+    serviceAllowlist?: ServiceAllowlistRule;
+
+    static fromScpContent(content: string): RuleSet {
+        const policy = JSON.parse(content) as AwsPolicy;
+        const ret = new RuleSet();
+        for (const statement of policy.Statement) {
+            switch (statement.Sid) {
+                case 'ServiceAllowlist':
+                    ret.serviceAllowlist = {
+                        type: 'service_allowlist',
+                        services: new Set(toStrings(statement.NotAction).map((action) => action.split(':')[0])),
+                    };
+                    break;
+                case 'RegionAllowlist':
+                    ret.regionAllowlist = {
+                        type: 'region_allowlist',
+                        regions: new Set(statement.Condition?.StringNotEquals['aws:RequestedRegion'] || []),
+                    };
+                    break;
+            }
+        }
+        return ret;
+    }
+
+    // Creates a deep clone of the RuleSet.
+    clone(): RuleSet {
+        const ret = new RuleSet();
+        if (this.serviceAllowlist) {
+            ret.serviceAllowlist = {
+                type: 'service_allowlist',
+                services: new Set(this.serviceAllowlist.services),
+            };
+        }
+        if (this.regionAllowlist) {
+            ret.regionAllowlist = {
+                type: 'region_allowlist',
+                regions: new Set(this.regionAllowlist.regions),
+            };
+        }
+        return ret;
+    }
+
+    equal(other: RuleSet): boolean {
+        if (this.serviceAllowlist && other.serviceAllowlist) {
+            if (this.serviceAllowlist.services.size !== other.serviceAllowlist.services.size) {
+                return false;
+            }
+            for (const service of this.serviceAllowlist.services) {
+                if (!other.serviceAllowlist.services.has(service)) {
+                    return false;
+                }
+            }
+        } else if (this.serviceAllowlist || other.serviceAllowlist) {
+            return false;
+        }
+
+        if (this.regionAllowlist && other.regionAllowlist) {
+            if (this.regionAllowlist.regions.size !== other.regionAllowlist.regions.size) {
+                return false;
+            }
+            for (const region of this.regionAllowlist.regions) {
+                if (!other.regionAllowlist.regions.has(region)) {
+                    return false;
+                }
+            }
+        } else if (this.regionAllowlist || other.regionAllowlist) {
+            return false;
+        }
+
+        return true;
+    }
+
+    addRegionToAllowlist(region: string) {
+        if (!this.regionAllowlist) {
+            this.regionAllowlist = { type: 'region_allowlist', regions: new Set() };
+        }
+        this.regionAllowlist.regions.add(region);
+    }
+
+    removeRegionFromAllowlist(region: string) {
+        if (this.regionAllowlist) {
+            this.regionAllowlist.regions.delete(region);
+            if (this.regionAllowlist.regions.size === 0) {
+                this.regionAllowlist = undefined;
+            }
+        }
+    }
+
+    hasRegionInAllowlist(region: string): boolean {
+        return this.regionAllowlist ? this.regionAllowlist.regions.has(region) : false;
+    }
+
+    addServiceToAllowlist(service: string) {
+        if (!this.serviceAllowlist) {
+            this.serviceAllowlist = { type: 'service_allowlist', services: new Set() };
+        }
+        this.serviceAllowlist.services.add(service);
+    }
+
+    removeServiceFromAllowlist(service: string) {
+        if (this.serviceAllowlist) {
+            this.serviceAllowlist.services.delete(service);
+            if (this.serviceAllowlist.services.size === 0) {
+                this.serviceAllowlist = undefined;
+            }
+        }
+    }
+
+    hasServiceInAllowlist(service: string): boolean {
+        return this.serviceAllowlist ? this.serviceAllowlist.services.has(service) : false;
+    }
+
+    scp(): AwsPolicy {
+        const policy: AwsPolicy = {
+            Version: '2012-10-17',
+            Statement: [],
+        };
+
+        if (this.serviceAllowlist) {
+            policy.Statement.push({
+                Sid: 'ServiceAllowlist',
+                Effect: 'Deny',
+                NotAction: Array.from(this.serviceAllowlist.services).map((service) => `${service}:*`),
+                Resource: '*',
+            });
+        }
+
+        if (this.regionAllowlist) {
+            policy.Statement.push({
+                Sid: 'RegionAllowlist',
+                Effect: 'Deny',
+                // Take special care with this core global services. They either work in all regions or not at all.
+                Action: this.hasRegionInAllowlist('us-east-1') ? '*' : undefined,
+                NotAction: this.hasRegionInAllowlist('us-east-1')
+                    ? undefined
+                    : ['iam:*', 'organizations:*', 'account:*'],
+                Resource: '*',
+                Condition: {
+                    StringNotEquals: {
+                        'aws:RequestedRegion': Array.from(this.regionAllowlist.regions),
+                    },
+                },
+            });
+        }
+
+        return policy;
+    }
+}

From af262898fce1136664b05fd4d138e88aa07bf352 Mon Sep 17 00:00:00 2001
From: Chris Brown <1731074+ccbrown@users.noreply.github.com>
Date: Sun, 20 Apr 2025 02:41:20 -0400
Subject: [PATCH 2/2] fix comment typo

---
 frontend/src/rules.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/rules.ts b/frontend/src/rules.ts
index b480d664..c2cfeb08 100644
--- a/frontend/src/rules.ts
+++ b/frontend/src/rules.ts
@@ -155,7 +155,7 @@ export class RuleSet {
             policy.Statement.push({
                 Sid: 'RegionAllowlist',
                 Effect: 'Deny',
-                // Take special care with this core global services. They either work in all regions or not at all.
+                // Take special care with these core global services. They either work in all regions or not at all.
                 Action: this.hasRegionInAllowlist('us-east-1') ? '*' : undefined,
                 NotAction: this.hasRegionInAllowlist('us-east-1')
                     ? undefined