By using AWS re:Post, you agree to the Terms of Use
/Is it possible to prevent certain security group rules account/org wide?/

Is it possible to prevent certain security group rules account/org wide?


i.e. say I want to prevent or some arbitrary IP from ever being applied as a security group rule, is it possible to do this from a an organization/account wide control approach?

  • The first thing that comes to mind is using AWS Config with a Custom Rule built on a Lambda function, but I don't think this is the only way so I'm not writing this as an answer.

1 Answers

There is no condition on a IAM statement where you can reference the destination of an ingress rule. You can do a DETECTIVE control via AWS Config as Chris_G said in the comment. See:How to auto-remediate internet accessible ports with AWS Config and AWS Systems Manager

Maybe another way to approach this, depending on what you are trying to achieve, is to create a SCP that denies the CreateInternetGateway and AttachInternetGateway EC2 operations.

answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions