We are building some security boundaries for our internal teams and would like to limit their ability to deploy services in Public Subnets. I can build a boundary policy for EC2 not to be deployed in public subnets but this only covers EC2 service. Is there a way to block all services, existing or future, from being deployed in a specific subnet?
Viewed 189 times
1 Answer
Pretty much every resource needs an ENI - Elastic Network Interface. Therefore you can try to restrict ENI creation in your public subnets. That will cover EC2, RDS, Fargate, VPC-Lambda, ELB/ALB, etc. Not sure if it's possible to create an IAM policy like that; I haven't tried.
In any case AWS Config will notice when a new ENI has been created and you can act upon that. Check out Use AWS Config Rules to Automatically Remediate Non-compliant Resources.
Hope that helps :)

MLu
Thank you, I will check it out! – Sergei Nov 03 '19 at 23:11
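The ENI restriction the answer is unsure about can be written as a single deny statement; the policy below is an added example, not code from the answer or from AWS. Attached as a service control policy or permissions boundary, it refuses `ec2:CreateNetworkInterface` and `ec2:RunInstances` against any subnet carrying the tag `NetworkTier=public`, so subnets created later are covered as soon as they are tagged. The tag key and value are assumptions; the subnet resource type supports the `ec2:ResourceTag` condition key for both actions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNetworkInterfacesInPublicSubnets",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:subnet/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/NetworkTier": "public"
        }
      }
    }
  ]
}
```

Service control policies do not apply to service-linked roles, so interfaces that a service creates through its own service-linked role (Elastic Load Balancing is one example) are not stopped by this statement; the AWS Config rule the answer mentions is the backstop that catches those.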