From f41ffa4f796fc7ff113fb4ae1b4f23b7d22da8cd Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Thu, 28 May 2026 12:15:22 -0400
Subject: [PATCH] add deny product updates to sc-servicecatalog t1 and t2
---
 policies/sc-servicecatalog-t1/policy.tf | 9 +++++++++
 policies/sc-servicecatalog-t2/policy.tf | 9 +++++++++
 2 files changed, 18 insertions(+)
diff --git a/policies/sc-servicecatalog-t1/policy.tf b/policies/sc-servicecatalog-t1/policy.tf
index 425ab7f..e2ac35f 100644
--- a/policies/sc-servicecatalog-t1/policy.tf
+++ b/policies/sc-servicecatalog-t1/policy.tf
@@ -10,4 +10,13 @@ data "aws_iam_policy_document" "inline" {
 ]
 resources = ["*"]
 }
+ statement {
+ sid = "DenyProductUpdates"
+ effect = "Deny"
+ actions = [
+ "servicecatalog:UpdateProvisionedProduct",
+ "servicecatalog:UpdateProvisionedProductProperties",
+ ]
+ resources = ["*"]
+ }
 }
diff --git a/policies/sc-servicecatalog-t2/policy.tf b/policies/sc-servicecatalog-t2/policy.tf
index 77c67fb..0d024d6 100644
--- a/policies/sc-servicecatalog-t2/policy.tf
+++ b/policies/sc-servicecatalog-t2/policy.tf
@@ -31,5 +31,14 @@ data "aws_iam_policy_document" "inline" {
 ]
 resources = ["*"]
 }
+ statement {
+ sid = "DenyProductUpdates"
+ effect = "Deny"
+ actions = [
+ "servicecatalog:UpdateProvisionedProduct",
+ "servicecatalog:UpdateProvisionedProductProperties",
+ ]
+ resources = ["*"]
+ }
 }
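Review bot: The new `DenyProductUpdates` statement in sc-servicecatalog-t1 (and the identical one in sc-servicecatalog-t2) denies only the two direct update calls, so a provisioned product can probably still be changed through a provisioned-product plan if the Allow statements above grant those actions. The Allow action lists begin outside both hunks, so this could not be checked here. If plan-based changes are not needed for these tiers, consider adding `"servicecatalog:CreateProvisionedProductPlan",` and `"servicecatalog:ExecuteProvisionedProductPlan",` to the deny list. It is also worth confirming whether `servicecatalog:ExecuteProvisionedProductServiceAction` should remain allowed. Because an explicit Deny on `resources = ["*"]` overrides every Allow attached to the same principal, a short comment above the statement would help, for example `# Tier 1/2 users may launch and terminate products but must not modify them after provisioning`.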