1 Answer
There is no condition on an IAM statement where you can reference the destination of an ingress rule. You can do a DETECTIVE control via AWS Config as Chris_G said in the comment. See: How to auto-remediate internet accessible ports with AWS Config and AWS Systems Manager
Maybe another way to approach this, depending on what you are trying to achieve, is to create a SCP that denies the CreateInternetGateway and AttachInternetGateway EC2 operations.
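The two controls named in the answer, worked through as an added example that is not part of the original post or of any AWS-published rule: a detective evaluator in the shape an AWS Config custom rule's Lambda would return (flagging ingress rules open to `0.0.0.0/0` or `::/0` on ports outside an allow-list), and the preventive SCP denying `ec2:CreateInternetGateway` and `ec2:AttachInternetGateway`. The security-group document, group id, and the allow-list of public ports are constructed for illustration, as is the `find_internet_exposed`/`evaluate` split; only the Config compliance fields and the two EC2 action names are real API values.

```python
"""Detective + preventive controls for internet-exposed ingress (example code,
not from the original post). The security-group JSON below is constructed in
the shape returned by ec2:DescribeSecurityGroups; it is not real account data."""
import ipaddress
import json

# Constructed sample security group: one sane HTTPS rule, one internal SSH rule,
# one RDP rule open to the whole IPv6 internet, one all-protocol rule from RFC1918.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder id, not a real resource
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "192.168.0.0/16"}], "Ipv6Ranges": []},
    ],
}

# Ports an organisation might accept being reachable from the internet (assumption).
ALLOWED_PUBLIC_PORTS = {80, 443}


def is_internet_cidr(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. a prefix that matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_range(perm):
    """Normalise an IpPermission to (low, high). Protocol -1 means all ports;
    ICMP carries type/code in the port fields, so treat it as one pseudo-port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return 0, 65535
    if proto in ("icmp", "icmpv6"):
        return -1, -1
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def find_internet_exposed(group, allowed_ports=ALLOWED_PUBLIC_PORTS):
    """Return one finding per ingress rule that admits the whole internet on at
    least one port outside allowed_ports."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        public = [c for c in cidrs if is_internet_cidr(c)]
        if not public:
            continue
        lo, hi = port_range(perm)
        exposed = set(range(lo, hi + 1)) - set(allowed_ports)
        if exposed:
            findings.append({
                "cidrs": public,
                "protocol": perm.get("IpProtocol"),
                "port_range": f"{lo}-{hi}",
                "exposed_count": len(exposed),
            })
    return findings


def evaluate(group, allowed_ports=ALLOWED_PUBLIC_PORTS):
    """Build the evaluation dict a Config custom-rule Lambda passes to
    config.put_evaluations(); Annotation is capped at 256 characters by Config."""
    findings = find_internet_exposed(group, allowed_ports)
    annotation = "; ".join(
        f"{f['protocol']} {f['port_range']} from {','.join(f['cidrs'])}" for f in findings
    ) or "no internet-exposed ingress"
    return {
        "ComplianceResourceType": "AWS::EC2::SecurityGroup",
        "ComplianceResourceId": group["GroupId"],
        "ComplianceType": "NON_COMPLIANT" if findings else "COMPLIANT",
        "Annotation": annotation[:256],
    }


def deny_igw_scp():
    """The preventive control from the answer: an SCP that denies creating or
    attaching internet gateways anywhere in the OU it is attached to."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInternetGatewayChanges",
            "Effect": "Deny",
            "Action": ["ec2:CreateInternetGateway", "ec2:AttachInternetGateway"],
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_GROUP), indent=2))
    print(json.dumps(deny_igw_scp(), indent=2))
```

Run as-is, the evaluator reports the group NON_COMPLIANT solely because of the RDP rule reachable from `::/0`; the HTTPS rule is on the allow-list and the other two rules are not internet-facing. A real Config rule would receive the group as a configuration item in the Lambda event and call `put_evaluations` with the dict that `evaluate` returns; the SCP is what you would attach in AWS Organizations, and note it blocks new internet gateways only, not security-group edits.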
The first thing that comes to mind is using AWS Config with a Custom Rule built on a Lambda function, but I don't think this is the only way so I'm not writing this as an answer.