- 최신
- 최다 투표
- 가장 많은 댓글
I have no idea to prevent it, but have another idea.
IAM Access Analyzer can detect the resources shared to external accounts. It supports the following resources. I think it supports major services have resource-based policy.
IAM Access Analyzer integrates to Security Hub, so you can see the results of IAM Access Analyzer on Security Hub. If use EventBridge Rule, you could receive the result notifications by Email or invoke custom actions by Lambda. This is "Detective Controls".
- Amazon Simple Storage Service buckets
- AWS Identity and Access Management roles
- AWS Key Management Service keys
- AWS Lambda functions and layers
- Amazon Simple Queue Service queues
- AWS Secrets Manager secrets
https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
I have not tried this but you should be able to achieve this via a Service Control Policy assigned to the account.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "*",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "*",
"Effect": "Deny",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:PrincipalAccount": "123456789012"
}
}
}
]
}
Thanks to both of you, I'll try to test both recommendations but the last one looks quite promising, and fits better with what I was looking for.