
I need to prevent AWS users from creating CodeBuild projects without the VPC set.

My organization wants to prohibit creation and running of CodeBuild outside of a VPC. It is not necessary to name the VPC. If the VPC is set in the project, we're good.

So we need to:

  1. deny creation of CodeBuild projects outside of vpc.
  2. deny execution of CodeBuild projects outside of vpc.

I have tried to do this using a Service Control Policy/IAM and it does not seem possible. Does anyone have experience with this?


I tried creating an SCP with a Condition "in VPC". An example was even provided to me by a colleague. I won't share it because it's incorrect.

Unfortunately AWS does not allow us to filter based on arbitrary properties. It has to be a "condition key". The valid Condition Keys for CodeBuild are listed at the bottom of this page. Unfortunately we don't have much to go on. https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodebuild.html


I've already received some suggestions that "should work" but don't. Tested solutions please! Thanks!

Michael
  • I'm not aware that what you seek is possible: there is no condition key that allows one to check if the optional parameters to assign a VPC are present. As a partial solution to your problem, have you considered assigning a role to your Project whose permissions are constrained to a particular `aws:SourceVpc`? – user3553031 Apr 15 '23 at 01:52
  • Thanks, @user3553031, you are correct. It appears that it's not possible to do this in IAM because IAM is not "aware" of the vpcConfig setting in the CodeBuild Project. And no IAM==no SCP. I will resort to an AWS Config-based approach. Not as ideal since it's reactive vs. proactive, but those are the tools that we have. – Michael Apr 18 '23 at 16:43
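The comment thread ends with the asker settling on an AWS Config-based (detective, not preventive) approach. The following is an added example, not code from the question or from AWS, of what that looks like as a Lambda-backed custom Config rule: it evaluates each `AWS::CodeBuild::Project` configuration item and marks it NON_COMPLIANT when `vpcConfig` is absent or incomplete. It assumes (both are assumptions, not stated on the page) that AWS Config records the `AWS::CodeBuild::Project` resource type and that the configuration item's `configuration` carries the same `vpcConfig` shape as the CodeBuild `BatchGetProjects` API (`vpcId`, `subnets`, `securityGroupIds`). The sample items at the bottom are constructed for offline checking; `boto3` is only imported when the handler actually has to call Config.

```python
"""Custom AWS Config rule: flag CodeBuild projects with no VPC configuration.

Added illustration for the question above; not from the original post.
Assumption: the Config configurationItem.configuration for an
AWS::CodeBuild::Project mirrors the BatchGetProjects API shape, i.e.
{"vpcConfig": {"vpcId": ..., "subnets": [...], "securityGroupIds": [...]}}.
"""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_vpc_config(project):
    """Return (compliance_type, annotation) for one CodeBuild project dict.

    The rule does not care *which* VPC is used (the question only needs a VPC
    to be set), but a present-but-empty vpcConfig counts as "not set": a
    build only runs inside a VPC when vpcId, subnets and securityGroupIds are
    all populated.
    """
    vpc = project.get("vpcConfig") or {}
    fields = (
        ("vpcId", vpc.get("vpcId")),
        ("subnets", vpc.get("subnets") or []),
        ("securityGroupIds", vpc.get("securityGroupIds") or []),
    )
    missing = [name for name, value in fields if not value]
    if missing:
        return NON_COMPLIANT, "vpcConfig incomplete; missing: " + ", ".join(missing)
    return COMPLIANT, "project runs in " + vpc["vpcId"]


def build_evaluation(configuration_item):
    """Turn one Config configurationItem into a PutEvaluations entry."""
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = NOT_APPLICABLE, "resource deleted"
    else:
        compliance, note = evaluate_vpc_config(configuration_item.get("configuration") or {})
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point for a configuration-change-triggered custom Config rule."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::CodeBuild::Project":
        return None  # rule scoped to CodeBuild projects only
    evaluation = build_evaluation(item)
    import boto3  # imported late so the pure evaluation logic runs without the SDK
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample configuration items (placeholder IDs), for offline checks.
def _sample(name, configuration):
    return {
        "resourceType": "AWS::CodeBuild::Project",
        "resourceId": "arn:aws:codebuild:us-east-1:111122223333:project/" + name,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2023-04-18T16:43:00.000Z",
        "configuration": configuration,
    }


SAMPLE_IN_VPC = _sample("in-vpc", {
    "name": "in-vpc",
    "vpcConfig": {"vpcId": "vpc-0example", "subnets": ["subnet-0example"],
                  "securityGroupIds": ["sg-0example"]},
})
SAMPLE_NO_VPC = _sample("no-vpc", {"name": "no-vpc"})
SAMPLE_EMPTY_VPC = _sample("empty-vpc", {"name": "empty-vpc", "vpcConfig": {}})

if __name__ == "__main__":
    for item in (SAMPLE_IN_VPC, SAMPLE_NO_VPC, SAMPLE_EMPTY_VPC):
        ev = build_evaluation(item)
        print(ev["ComplianceResourceId"], ev["ComplianceType"], "-", ev["Annotation"])
```

As the comment says, this is reactive: it reports a project after it has been created or updated without a VPC rather than blocking the call. Pairing the rule with Config remediation (or an alert on the NON_COMPLIANT evaluation) is what closes the loop, and the rule should also be triggered by periodic evaluation so projects created before the rule existed are covered.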

0 Answers