By using AWS re:Post, you agree to the Terms of Use
AWS re:Postre:Post
/Blocking SG Rule/

Blocking SG Rule

0

Is it possible to have a rule like a SCP rule to block people adding route 0.0.0.0/0 in SGs in an AWS Organization?

  • Ayse Vlok a month ago

    Hi, please test this yourself as well, as i cannot guarantee. But I wanted to do this for a specific group of SGs. I had tested below and it worked. Have not tried a blanket policy for all SGs, but this definitely worked for me.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Deny", "Action": [ "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:ModifySecurityGroupRules", "ec2:CreateSecurityGroup", "ec2:RevokeSecurityGroupIngress" ], "Resource": [ "arn:aws:ec2:eu-west-1:123456789111:security-group/sg-.............." ], "Condition": { "StringEquals": { "aws:SecurityGroupRule": [ "fromPort: 22, 3389", "cidrIpv4: 0.0.0.0/0" ] } } } ] }

Topics
Management & GovernanceSecurity Identity & Compliance
Tags
AWS OrganizationsIAM Policies
SSHOAIB
asked a month ago60 views
2 Answers
2

Here is a blog that explains how you can achieve what you are trying to using a Config Rule - https://aws.amazon.com/blogs/security/how-to-auto-remediate-internet-accessible-ports-with-aws-config-and-aws-system-manager/

If you find my answer useful, please accept my answer. Thanks

profile picture
EXPERT
Indranil Banerjee AWS
answered a month ago
0

Unfortunately, it is not possible at the moment. Although many different actions, resources, and condition keys are available to be used in IAM, the content of the Security Group is not one of them.

References:

vasylenko
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant questions