2 réponses
- Le plus récent
- Le plus de votes
- La plupart des commentaires
2
Here is a blog that explains how you can achieve what you are trying to using a Config Rule - https://aws.amazon.com/blogs/security/how-to-auto-remediate-internet-accessible-ports-with-aws-config-and-aws-system-manager/
If you find my answer useful, please accept my answer. Thanks
0
Unfortunately, it is not possible at the moment. Although many different actions, resources, and condition keys are available to be used in IAM, the content of the Security Group is not one of them.
References:
- Supported Services — https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html
- Actions, resources, and condition keys for Amazon EC2 — https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html
répondu il y a 2 ans
Contenus pertinents
- demandé il y a un an
- demandé il y a 7 mois
- demandé il y a un an
- AWS OFFICIELA mis à jour il y a un an
- AWS OFFICIELA mis à jour il y a 7 mois
Hi, please test this yourself as well, as i cannot guarantee. But I wanted to do this for a specific group of SGs. I had tested below and it worked. Have not tried a blanket policy for all SGs, but this definitely worked for me.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Deny", "Action": [ "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:ModifySecurityGroupRules", "ec2:CreateSecurityGroup", "ec2:RevokeSecurityGroupIngress" ], "Resource": [ "arn:aws:ec2:eu-west-1:123456789111:security-group/sg-.............." ], "Condition": { "StringEquals": { "aws:SecurityGroupRule": [ "fromPort: 22, 3389", "cidrIpv4: 0.0.0.0/0" ] } } } ] }