Whether you're taking your first steps with Kubernetes or you're an experienced practitioner looking to sharpen your skills, our Amazon EKS workshop series delivers practical, real-world experience that moves you forward. Learn directly from AWS solutions architects and EKS specialists through hands-on sessions designed to build your confidence with Kubernetes. Register now and start building with Amazon EKS!
Is it possible to prevent certain security group rules account/org wide?
i.e. say I want to prevent 0.0.0.0/0 or some arbitrary IP from ever being applied as a security group rule, is it possible to do this from a an organization/account wide control approach?
- Language
- English
- Newest
- Most votes
- Most comments
There is no condition on a IAM statement where you can reference the destination of an ingress rule. You can do a DETECTIVE control via AWS Config as Chris_G said in the comment. See:How to auto-remediate internet accessible ports with AWS Config and AWS Systems Manager
Maybe another way to approach this, depending on what you are trying to achieve, is to create a SCP that denies the CreateInternetGateway and AttachInternetGateway EC2 operations.
Relevant content
- asked 2 years ago
- asked 3 years ago
- AWS OFFICIALUpdated 8 months ago
The first thing that comes to mind is using AWS Config with a Custom Rule built on a Lambda function, but I don't think this is the only way so I'm not writing this as an answer.