I have no idea how to prevent it, but I have another idea.
IAM Access Analyzer can detect resources shared with external accounts. It supports the following resources; I think it supports the major services that have resource-based policies.
- Amazon Simple Storage Service buckets
- AWS Identity and Access Management roles
- AWS Key Management Service keys
- AWS Lambda functions and layers
- Amazon Simple Queue Service queues
- AWS Secrets Manager secrets
IAM Access Analyzer integrates with Security Hub, so you can see the results of IAM Access Analyzer in Security Hub. If you use an EventBridge rule, you can receive the result notifications by email or invoke custom actions with Lambda. This is a "detective control".
https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
I have not tried this, but you should be able to achieve this via a Service Control Policy assigned to the account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "*",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": "123456789012"
        }
      }
    }
  ]
}
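A worked illustration of the detective control from the first answer, added here by the editor; it is not code from the original post and not AWS's own analyzer. The script approximates what IAM Access Analyzer does when it inspects a resource-based policy: it flags every Allow statement whose principals fall outside a trusted set of accounts, treating a statement as in-zone when a StringEquals condition on aws:PrincipalOrgID or aws:PrincipalAccount pins the caller to the trusted organization or accounts. The account IDs, the organization ID and the two sample policies (a bucket policy and a role trust policy) are constructed for the example. One caveat on the SCP in the second answer that a practitioner should keep in mind: SCPs apply only to principals in the organization's own accounts, so for any caller inside 123456789012 the aws:PrincipalAccount condition never matches and the Deny never fires, and a principal from another account reading a shared bucket is not evaluated against that SCP at all. What actually grants the share is the resource-based policy, which is what this code, and Access Analyzer, examine (the Organizations policy type that is enforced on the resource side is a resource control policy).

```python
"""Offline approximation of the check IAM Access Analyzer performs on a
resource-based policy: which Allow statements grant access to principals
outside a trusted set of accounts (the "zone of trust").

Added example; not code from the original post and not AWS's analyzer.
The account IDs, organization ID and policies below are constructed."""
import re

# Captures the 12-digit account ID from IAM/STS principal ARNs such as
# arn:aws:iam::111122223333:root or arn:aws:sts::111122223333:assumed-role/...
ARN_ACCOUNT = re.compile(r"^arn:aws[a-z-]*:(?:iam|sts)::(\d{12}):")


def principal_accounts(principal):
    """Return the account IDs an IAM Principal element refers to.

    '*' (anonymous/public) is returned literally. Service, Federated and
    CanonicalUser principals are not cross-account grants and are ignored.
    Anything unparseable (e.g. a CloudFront OAI ARN) is returned as-is so a
    human can review it."""
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else principal
    if isinstance(values, str):
        values = [values]
    accounts = set()
    for v in values:
        if v == "*":
            accounts.add("*")
        elif re.fullmatch(r"\d{12}", v):  # bare account-ID form
            accounts.add(v)
        else:
            m = ARN_ACCOUNT.match(v)
            accounts.add(m.group(1) if m else v)
    return accounts


def restricted_to_trusted(condition, trusted_accounts, trusted_org_id):
    """True when a StringEquals condition pins the caller to the zone of trust.

    Only StringEquals counts: StringEqualsIfExists also matches anonymous
    callers, for whom aws:PrincipalOrgID / aws:PrincipalAccount are absent.
    Condition keys are case-insensitive in IAM, so they are lower-cased."""
    eq = {k.lower(): v for k, v in condition.get("StringEquals", {}).items()}
    for key, allowed in (("aws:principalorgid", {trusted_org_id}),
                         ("aws:principalaccount", set(trusted_accounts))):
        if key in eq:
            wanted = eq[key] if isinstance(eq[key], list) else [eq[key]]
            if set(wanted) <= allowed:
                return True
    return False


def external_grants(policy, trusted_accounts, trusted_org_id=None):
    """List Allow statements that reach outside trusted_accounts / trusted_org_id."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or "Principal" not in st:
            continue  # Deny statements never widen access
        if restricted_to_trusted(st.get("Condition", {}), trusted_accounts, trusted_org_id):
            continue
        for acct in sorted(principal_accounts(st["Principal"])):
            if acct not in trusted_accounts:
                findings.append({"sid": st.get("Sid", f"statement[{i}]"),
                                 "principal_account": acct,
                                 "actions": st.get("Action")})
    return findings


# Constructed sample input: the resource lives in 123456789012, which belongs
# to organization o-exampleorgid. 111122223333 and 444455556666 are outsiders.
TRUSTED_ACCOUNTS = {"123456789012"}
TRUSTED_ORG = "o-exampleorgid"

SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "InternalRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/DataReader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:root"]},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "OrgWide", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "444455556666"},
         "Action": "sts:AssumeRole"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("bucket", SAMPLE_BUCKET_POLICY), ("role trust", SAMPLE_TRUST_POLICY)):
        for f in external_grants(pol, TRUSTED_ACCOUNTS, TRUSTED_ORG):
            print(f"{name}: {f['sid']} grants {f['actions']} to {f['principal_account']}")
```

Run as-is it reports PartnerRead (account 111122223333) and PublicList (anonymous) for the bucket, and the bare-account-ID trust statement for the role; InternalRead, the org-scoped OrgWide statement, the Deny statement and the Lambda service principal produce no finding, which is the same line Access Analyzer draws when the organization is its zone of trust.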
Thanks to both of you, I'll try to test both recommendations but the last one looks quite promising, and fits better with what I was looking for.