Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Deny cross account sharing for all AWS services

1

Is it possible to enforce and prevent the cross account sharing of all AWS services of my account with external accounts? for example, I want to prevent situations where a devops shares access to an S3 bucket to another account, but not just S3 but any AWS services. At first, I thought I could create a resource policy and add resource policies statement with a condition to deny all unless the account id is the one were the service is, but I'd need to add one statement for each AWS services which unreasonable. I also thought that maybe I could get this solved through Control Tower but I'm not familiar with this service. Thank you in advance

Argomenti
Sicurezza, identità e conformitàGestione e amministrazione
Tag
Sicurezza, identità e conformitàGestione identità e accesso AWSAWS Control TowerOrganizzazioni AWSCatalogo dei servizi AWS
Lingua
English
rePost-User-8044460
posta 2 anni fa416 visualizzazioni
2 Risposte
1

I have no idea to prevent it, but have another idea.

IAM Access Analyzer can detect the resources shared to external accounts. It supports the following resources. I think it supports major services have resource-based policy.

IAM Access Analyzer integrates to Security Hub, so you can see the results of IAM Access Analyzer on Security Hub. If use EventBridge Rule, you could receive the result notifications by Email or invoke custom actions by Lambda. This is "Detective Controls".

  • Amazon Simple Storage Service buckets
  • AWS Identity and Access Management roles
  • AWS Key Management Service keys
  • AWS Lambda functions and layers
  • Amazon Simple Queue Service queues
  • AWS Secrets Manager secrets

https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html

AWS
suzuki
con risposta 2 anni fa
0

I have not tried this but you should be able to achieve this via a Service Control Policy assigned to the account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "*",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": "123456789012"
        }
      }
    }
  ]
}
profile pictureAWS
ESPERTO
kentrad
con risposta 2 anni fa
  • rePost-User-8044460
    2 anni fa

    Thanks to both of you, I'll try to test both recommendations but the last one looks quite promising, and fits better with what I was looking for.

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente