使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

Is it possible to prevent certain security group rules account/org wide?

0

i.e. say I want to prevent 0.0.0.0/0 or some arbitrary IP from ever being applied as a security group rule, is it possible to do this from a an organization/account wide control approach?

  • Chris_G 专家
    2 年前

    The first thing that comes to mind is using AWS Config with a Custom Rule built on a Lambda function, but I don't think this is the only way so I'm not writing this as an answer.

主题
网络和内容交付管理与治理
标签
亚马逊 VPCAWS Config网络和内容交付AWS Organizations安全组
语言
English
AWSKid2k
已提问 2 年前2801 查看次数
1 回答
2
已接受的回答

There is no condition on a IAM statement where you can reference the destination of an ingress rule. You can do a DETECTIVE control via AWS Config as Chris_G said in the comment. See:How to auto-remediate internet accessible ports with AWS Config and AWS Systems Manager

Maybe another way to approach this, depending on what you are trying to achieve, is to create a SCP that denies the CreateInternetGateway and AttachInternetGateway EC2 operations.

profile pictureAWS
专家
kentrad
已回答 2 年前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容