Deny cross account sharing for all AWS services
Is it possible to enforce and prevent the cross-account sharing of all AWS services in my account with external accounts? For example, I want to prevent situations where someone in DevOps shares access to an S3 bucket with another account, but not just S3: any AWS service. At first, I thought I could create a resource policy and add resource policy statements with a condition to deny all unless the account ID is the one where the service is, but I'd need to add one statement for each AWS service, which is unreasonable. I also thought that maybe I could get this solved through Control Tower, but I'm not familiar with this service. Thank you in advance.
I have no idea how to prevent it, but I have another idea.
IAM Access Analyzer can detect resources shared with external accounts. It supports the following resources. I think it supports the major services that have resource-based policies.
IAM Access Analyzer integrates with Security Hub, so you can see the results of IAM Access Analyzer in Security Hub. If you use an EventBridge rule, you can receive the result notifications by email or invoke custom actions with Lambda. This is a "detective control".
- Amazon Simple Storage Service buckets
- AWS Identity and Access Management roles
- AWS Key Management Service keys
- AWS Lambda functions and layers
- Amazon Simple Queue Service queues
- AWS Secrets Manager secrets
https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
I have not tried this, but you should be able to achieve this via a Service Control Policy assigned to the account.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "*",
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalAccount": "123456789012"
                }
            }
        }
    ]
}
Thanks to both of you. I'll try to test both recommendations, but the last one looks quite promising and fits better with what I was looking for.