
I have a series of AWS accounts that are under one organizational entity. I want to prevent other users in my accounts from copying or sending data to an account that is not in my organization via HTTP, or FTP. All accounts will have VPCs operating within them, and VPC Peering to connect to other VPCs across accounts. How could I achieve this goal to limit data exfiltration given this setup?

Thank you in advance for your help.

Jackson

2 Answers


Set up security groups / NACLs that block the relevant ports, and using IAM make sure users don't have rights to modify the firewalls. You might be best off whitelisting only the ports / hosts you need the servers to access. Sometimes that's difficult, for example if you need to contact Windows update there can be a large number of hosts to contact. You should whitelist only the AWS services you want people to access as well, using Service Control Policies, and make sure you give people least privileges to do their job.

However, I think you'll find people who want to steal data will find a way. Putting data to S3, Route53 DNS, via one of the many, many AWS services, to a server running on a non-standard port, downloading via the console: there are many ways to exfiltrate data. All you can do is make it more difficult, and set up alerts as best you can so you know when it's happening.

Tim

You can do something like this:

  1. Remove direct external access from the VPCs. That means no Internet Gateway (IGW) and no route to 0.0.0.0/0.

  2. Set up communication between VPCs in your accounts either through VPC peering (but that doesn't quite scale beyond a handful of VPCs) or through Transit Gateway. That will allow your VPCs to communicate with each other.

  3. Set up a proxy with a URL whitelist (e.g. using squid) and make it the only way out from the VPCs. That way you'll have some control over where the instances can connect.

This brings some complications though - you will have to set a proxy for each and every process running on the instances, for example for yum or apt, for Docker, for all the Amazon tools like Systems Manager Agent, and in fact for access to all AWS services.

Furthermore, some AWS services don't work through a proxy - e.g. Fargate - and you will have to provide VPC Endpoints for them. Some others don't even have endpoints and you still have to give them direct external access - e.g. ALB with Cognito authentication.

Removing direct external access brings a lot of complications but somewhat achieves what you want. Some of our customers do it. The trouble is that creative people can still find their way around so the question is if it's worth it.

Hope that helps :)

MLu
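An added check for step 1 of the answer above (this is example code, not part of the answer or of any AWS tooling): it takes records shaped like the EC2 DescribeRouteTables and DescribeInternetGateways responses and reports every VPC that still has an Internet Gateway attached or a default route (0.0.0.0/0 or ::/0). The sample records are constructed; in practice you would feed in the real API output from each account.

```python
# Added example: audit route tables and IGW attachments for "no IGW and no
# route to 0.0.0.0/0". Input dicts follow the EC2 DescribeRouteTables /
# DescribeInternetGateways response field names.
from collections import defaultdict

DEFAULT_CIDRS = {"0.0.0.0/0", "::/0"}
# Route attributes that can name a route's target, in reporting order.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "TransitGatewayId",
               "VpcPeeringConnectionId", "EgressOnlyInternetGatewayId",
               "NetworkInterfaceId", "InstanceId")

def default_routes(route_tables):
    """Map vpc_id -> [(route_table_id, destination, target)] for every default
    route, whatever its target: the rule is 'no route to 0.0.0.0/0', so a
    default route via a NAT gateway or Transit Gateway is reported as well."""
    found = defaultdict(list)
    for rt in route_tables:
        for route in rt.get("Routes", []):
            dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            if dest in DEFAULT_CIDRS:
                target = next((route[k] for k in TARGET_KEYS if k in route), "unknown")
                found[rt["VpcId"]].append((rt["RouteTableId"], dest, target))
    return dict(found)

def vpcs_with_igw(internet_gateways):
    """Set of VPC ids that currently have an Internet Gateway attached."""
    return {a["VpcId"] for igw in internet_gateways
            for a in igw.get("Attachments", [])
            if a.get("State") not in ("detached", "detaching")}

def audit(route_tables, internet_gateways):
    """Sorted list of finding strings, one per violation; empty means step 1 holds."""
    findings = [f"{vpc}: internet gateway attached" for vpc in vpcs_with_igw(internet_gateways)]
    for vpc, routes in default_routes(route_tables).items():
        for rtb, dest, target in routes:
            findings.append(f"{vpc}: {rtb} routes {dest} via {target}")
    return sorted(findings)

# Constructed sample data: vpc-0a still has public egress, vpc-0b only peers.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0a", "VpcId": "vpc-0a", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a"}]},
    {"RouteTableId": "rtb-0b", "VpcId": "vpc-0b", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.0.0.0/16", "VpcPeeringConnectionId": "pcx-0ab"}]},
]
SAMPLE_IGWS = [{"InternetGatewayId": "igw-0a",
                "Attachments": [{"VpcId": "vpc-0a", "State": "available"}]}]

if __name__ == "__main__":
    for line in audit(SAMPLE_ROUTE_TABLES, SAMPLE_IGWS) or ["no findings"]:
        print(line)
```

A VPC that shows no findings here can still reach out through peered VPCs or a Transit Gateway, so run the check across every account in the organization, not just the one you are looking at.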