Is it possible to prevent certain security group rules account/org wide?
0
i.e. say I want to prevent 0.0.0.0/0 or some arbitrary IP from ever being applied as a security group rule, is it possible to do this from an organization/account wide control approach?
asked 4 months ago · 62 views
1 Answer
1
There is no condition on an IAM statement where you can reference the destination of an ingress rule. You can do a DETECTIVE control via AWS Config as Chris_G said in the comment. See: How to auto-remediate internet accessible ports with AWS Config and AWS Systems Manager
Maybe another way to approach this, depending on what you are trying to achieve, is to create a SCP that denies the CreateInternetGateway and AttachInternetGateway EC2 operations.
The first thing that comes to mind is using AWS Config with a Custom Rule built on a Lambda function, but I don't think this is the only way so I'm not writing this as an answer.
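The detective control suggested in the answer and in the comment above (an AWS Config custom rule backed by a Lambda function) could look like the following. This is an added example, not code from the original thread or from AWS; it assumes the AWS Config configuration-item layout for `AWS::EC2::SecurityGroup` (camelCase keys such as `ipPermissions`, `ipv4Ranges`, `ipv6Ranges`), and the blocklist `BLOCKED_CIDRS` and the sample security group are constructed for the demonstration. It goes slightly beyond the exact-match case in the question: a rule is also flagged when its CIDR is a supernet of a blocked address (e.g. a /24 that contains a blocked /32), since that still admits the address the organization wanted to keep out.

```python
import ipaddress
import json
from typing import Iterable, List, Tuple

# Constructed blocklist (assumption): CIDRs that must never be granted ingress.
# 0.0.0.0/0 and ::/0 cover "open to the internet"; the /32 is an arbitrary host.
BLOCKED_CIDRS = ["0.0.0.0/0", "::/0", "203.0.113.7/32"]


def _rule_cidrs(permission: dict) -> Iterable[str]:
    """Yield every IPv4/IPv6 CIDR from one entry of a security group's ipPermissions.

    AWS Config records IPv4 ranges as dicts under "ipv4Ranges" and, in older items,
    as plain strings under "ipRanges"; both shapes are handled (assumed layout).
    """
    for entry in permission.get("ipv4Ranges") or permission.get("ipRanges") or []:
        yield entry if isinstance(entry, str) else entry["cidrIp"]
    for entry in permission.get("ipv6Ranges") or []:
        yield entry if isinstance(entry, str) else entry["cidrIpv6"]


def find_violations(ip_permissions: List[dict], blocked=BLOCKED_CIDRS) -> List[Tuple]:
    """Return (cidr, protocol, fromPort, toPort) for each ingress CIDR that equals
    or contains a blocked network. A CIDR is compared only with blocked networks
    of the same IP version; ipaddress raises on mixed-version comparisons."""
    blocked_nets = [ipaddress.ip_network(c) for c in blocked]
    violations = []
    for perm in ip_permissions:
        for cidr in _rule_cidrs(perm):
            net = ipaddress.ip_network(cidr, strict=False)
            if any(b.version == net.version and b.subnet_of(net) for b in blocked_nets):
                violations.append(
                    (cidr, perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort"))
                )
    return violations


def evaluate_security_group(configuration: dict, blocked=BLOCKED_CIDRS) -> Tuple[str, str]:
    """Map a security group configuration item to a Config compliance verdict."""
    violations = find_violations(configuration.get("ipPermissions", []), blocked)
    if not violations:
        return "COMPLIANT", "No ingress rule matches the blocked CIDR list."
    detail = "; ".join(f"{c} {p} {f}-{t}" for c, p, f, t in violations)
    # Config annotations are limited to 256 characters.
    return "NON_COMPLIANT", f"Blocked ingress sources: {detail}"[:256]


def lambda_handler(event, context):
    """Entry point for an AWS Config custom rule (configuration-change trigger).

    Pure evaluation is kept separate so it can be tested offline; the boto3
    import lives here because only this function needs AWS credentials."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    if item.get("resourceType") != "AWS::EC2::SecurityGroup" or \
            item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, annotation = "NOT_APPLICABLE", "Resource is not an active security group."
    else:
        compliance, annotation = evaluate_security_group(item["configuration"])

    import boto3  # deferred: not needed for the offline evaluation functions above
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed sample configuration item (not a real group) for a local dry run.
SAMPLE_SG_CONFIG = {
    "groupId": "sg-0000example",
    "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
         "ipv4Ranges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}]},
        {"ipProtocol": "-1", "ipRanges": ["203.0.113.0/24"]},
    ],
}

if __name__ == "__main__":
    verdict, note = evaluate_security_group(SAMPLE_SG_CONFIG)
    print(verdict)
    print(note)
```

Pair this with a Config rule scoped to `AWS::EC2::SecurityGroup` so every rule change is evaluated within minutes of being applied; the `NON_COMPLIANT` evaluations can then drive the Systems Manager auto-remediation flow the answer links to. Because this is detective rather than preventive, the rule does exist for the window between the change and the remediation, which is the trade-off the answer describes.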