By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Deny cross account sharing for all AWS services

1

Is it possible to enforce and prevent the cross account sharing of all AWS services of my account with external accounts? for example, I want to prevent situations where a devops shares access to an S3 bucket to another account, but not just S3 but any AWS services. At first, I thought I could create a resource policy and add resource policies statement with a condition to deny all unless the account id is the one were the service is, but I'd need to add one statement for each AWS services which unreasonable. I also thought that maybe I could get this solved through Control Tower but I'm not familiar with this service. Thank you in advance

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
Security, Identity, & ComplianceAWS Identity and Access ManagementAWS Control TowerAWS OrganizationsAWS Service Catalog
Language
English
rePost-User-8044460
asked 2 years ago403 views
2 Answers
1

I have no idea to prevent it, but have another idea.

IAM Access Analyzer can detect the resources shared to external accounts. It supports the following resources. I think it supports major services have resource-based policy.

IAM Access Analyzer integrates to Security Hub, so you can see the results of IAM Access Analyzer on Security Hub. If use EventBridge Rule, you could receive the result notifications by Email or invoke custom actions by Lambda. This is "Detective Controls".

  • Amazon Simple Storage Service buckets
  • AWS Identity and Access Management roles
  • AWS Key Management Service keys
  • AWS Lambda functions and layers
  • Amazon Simple Queue Service queues
  • AWS Secrets Manager secrets

https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html

AWS
suzuki
answered 2 years ago
0

I have not tried this but you should be able to achieve this via a Service Control Policy assigned to the account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "*",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": "123456789012"
        }
      }
    }
  ]
}
profile pictureAWS
EXPERT
kentrad
answered 2 years ago
  • rePost-User-8044460
    2 years ago

    Thanks to both of you, I'll try to test both recommendations but the last one looks quite promising, and fits better with what I was looking for.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content