policy_sentry
Contributors welcome for feature idea - support Conditions that force credentials to be used within a VPC
I've avoided conditions this far to avoid complication and I think that was the right decision. But it would make sense to make an exception for a few specific cases if it was user friendly enough. Specifically, a user-friendly way to set a few select conditions that force credentials to be used within a VPC: aws:SourceIp, aws:ViaAWSService, and aws:SourceVpc. Note how they are written in an SCP in this blog post: https://awsteele.com/blog/2022/01/02/shared-vpcs-are-underrated.html. I'd be open to that for identity based policies.
So, a user would supply the values that get plugged into those conditions in the policy below in their YAML file, and it would just add 1-2 "Deny" statements after the other statements.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyFromOutsideVpcUsingEndpoints",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:ViaAWSService": "false"
        },
        "Null": {
          "aws:SourceIp": "true"
        },
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-08abc123"
        }
      }
    },
    {
      "Sid": "DenyFromOutsideVpcNotUsingEndpoints",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:ViaAWSService": "false"
        },
        "Null": {
          "aws:SourceVpc": "true"
        },
        "NotIpAddress": {
          "aws:SourceIp": ["1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32"]
        }
      }
    }
  ]
}
If anyone thinks this is a good idea (or a bad idea!), feel free to vote on it and/or chime in!
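The proposal above, sketched as Python so the two Deny statements can be seen doing their job. This is an added example, not code from policy_sentry or from the issue author: the function and parameter names (`add_vpc_restriction`, `vpc_id`, `source_ips`), the base policy and the request contexts are all constructed for illustration. The small condition evaluator covers only the four operators these statements use and, as a simplification, treats a key that is absent from the request context as a non-match for every operator except `Null`; the real IAM rules for absent keys are subtler, so the evaluator is for understanding the statement structure, not for authorisation decisions.

```python
"""Append "deny unless inside the VPC" statements to an identity-based policy
and check sample request contexts against them.

Hypothetical helper written for this issue; not part of policy_sentry."""
import copy
import ipaddress


def vpc_restriction_statements(vpc_id, source_ips):
    """Build the two Deny statements from the issue, parameterised on the
    user-supplied VPC ID and the public IP ranges (assumed YAML inputs)."""
    return [
        {
            # Request arrived through a VPC endpoint (aws:SourceIp absent),
            # but from a VPC other than the one we allow.
            "Sid": "DenyFromOutsideVpcUsingEndpoints",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "Bool": {"aws:ViaAWSService": "false"},
                "Null": {"aws:SourceIp": "true"},
                "StringNotEquals": {"aws:SourceVpc": vpc_id},
            },
        },
        {
            # Request arrived over the public internet (aws:SourceVpc absent),
            # from an IP outside the allow-listed ranges.
            "Sid": "DenyFromOutsideVpcNotUsingEndpoints",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "Bool": {"aws:ViaAWSService": "false"},
                "Null": {"aws:SourceVpc": "true"},
                "NotIpAddress": {"aws:SourceIp": list(source_ips)},
            },
        },
    ]


def add_vpc_restriction(policy, vpc_id, source_ips):
    """Return a copy of policy with the two Deny statements appended after
    the existing statements, as the issue proposes."""
    new_policy = copy.deepcopy(policy)
    new_policy["Statement"].extend(vpc_restriction_statements(vpc_id, source_ips))
    return new_policy


def _condition_matches(condition, ctx):
    """Minimal evaluator for Bool, Null, StringNotEquals and NotIpAddress.
    All operator/key pairs must match (they are ANDed together).
    Simplification (assumption): a key missing from ctx is a non-match for
    every operator except Null."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if op == "Null":
                # "true" matches when the key is absent, "false" when present
                if (expected == "true") != (not present):
                    return False
            elif not present:
                return False
            elif op == "Bool":
                if str(ctx[key]).lower() != expected:
                    return False
            elif op == "StringNotEquals":
                if ctx[key] == expected:
                    return False
            elif op == "NotIpAddress":
                addr = ipaddress.ip_address(ctx[key])
                if any(addr in ipaddress.ip_network(cidr) for cidr in expected):
                    return False
            else:
                raise ValueError("unsupported operator: " + op)
    return True


def denied_by(policy, ctx):
    """Sids of Deny statements whose conditions match the request context."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny" and _condition_matches(s["Condition"], ctx)]


# Constructed base policy and request contexts, for illustration only.
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowS3Read", "Effect": "Allow",
         "Action": "s3:GetObject", "Resource": "*"},
    ],
}
POLICY = add_vpc_restriction(BASE_POLICY, "vpc-08abc123",
                             ["1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32"])

CTX_RIGHT_VPC = {"aws:ViaAWSService": "false", "aws:SourceVpc": "vpc-08abc123"}
CTX_WRONG_VPC = {"aws:ViaAWSService": "false", "aws:SourceVpc": "vpc-0other"}
CTX_ALLOWED_IP = {"aws:ViaAWSService": "false", "aws:SourceIp": "1.2.3.2"}
CTX_OTHER_IP = {"aws:ViaAWSService": "false", "aws:SourceIp": "203.0.113.9"}
CTX_VIA_SERVICE = {"aws:ViaAWSService": "true", "aws:SourceIp": "203.0.113.9"}

if __name__ == "__main__":
    for name, ctx in [("right vpc", CTX_RIGHT_VPC), ("wrong vpc", CTX_WRONG_VPC),
                      ("allowed ip", CTX_ALLOWED_IP), ("other ip", CTX_OTHER_IP),
                      ("via service", CTX_VIA_SERVICE)]:
        print(name, "->", denied_by(POLICY, ctx) or "not denied")
```

The two statements are split because aws:SourceVpc is only populated for requests that arrive through a VPC endpoint and aws:SourceIp only for requests from a public address; the `Null` checks select which of the two cases a request falls into, and the `aws:ViaAWSService` check keeps both statements from denying calls that AWS services make on the principal's behalf.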