1 Answer
One way to approach this is to
- Allow all services
- Deny services not on your allow list
So even if there is a new service introduced, say 'waf3', that service will be denied.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAllActions",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Sid": "DenyNotAllowList",
      "Effect": "Deny",
      "NotAction": [ "dynamodb:*", "s3:*" ],
      "Resource": "*"
    }
  ]
}
```
The array of services under NotAction is the allowed services.
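As an added example (not code from the answer or from AWS), a small Python evaluator for the allow-then-deny-with-NotAction pattern above: it decides whether a given action passes the SCP and reports which service prefixes from a constructed inventory would be blocked, which is the gap the asker wants to catch when a new prefix such as waf3 appears. The function names `evaluate` and `uncovered_services` and the sample prefix list are assumptions.

```python
import fnmatch
import json

# The SCP from the answer above, embedded so the example runs offline.
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowsAllActions", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyNotAllowList", "Effect": "Deny",
     "NotAction": ["dynamodb:*", "s3:*"], "Resource": "*"}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action matching is case-insensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy, action):
    """Return 'Allow' or 'Deny' for an action under the SCP: an explicit Deny
    wins, then an explicit Allow, otherwise implicit deny. Resource and
    Condition are ignored, which is fine for the Resource "*" statements here."""
    result = "Deny"
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        else:  # NotAction: statement applies to every action NOT in the list
            hit = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


def uncovered_services(policy, service_prefixes):
    """Service prefixes the SCP would block, tested with a representative
    (constructed) action name; a new prefix like 'waf3' shows up here."""
    return sorted(p for p in service_prefixes if evaluate(policy, f"{p}:AnyAction") == "Deny")


if __name__ == "__main__":
    # Constructed inventory: 'waf3' is the hypothetical prefix from the question.
    print(uncovered_services(SCP, ["dynamodb", "s3", "wafv2", "waf3"]))
```

This checks the SCP layer only; in a real evaluation the identity policy must also grant the action, since SCPs never grant permissions by themselves.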
Hi, thanks for the response. This is a possibility, which I already use, but my main question is not solved. I want to easily have a list of all API calls for services which are available, so that I can detect waf3 and add it to my allow list, because I want all waf services to be usable as soon as they are available and do not want to wait till somebody tells me: I want to use the new waf, but can't because of the SCP. For all other services I want them not to be automatically usable, so there the implicit deny works, but as I stated, not for my main question.