SCP for Route53


Dear Team - I want to create an Amazon SCP (service control policy) to block creation of a private hosted zone with a certain domain name. I tried the below but it is not working and I am getting a syntax error. Can anyone help?

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyPHZ",
          "Effect": "Deny",
          "Action": "route53:CreateHostedZone",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "route53:VPCs": [ "VPCId=*" ]
            },
            "StringLike": {
              "route53:Name": [ "*.example.internal" ]
            }
          }
        }
      ]
    }

1 Answer
Accepted Answer

That isn't possible, unfortunately. The IAM authorisation model doesn't permit inspecting all the parameters that are passed to API calls. Instead, only the specific aspects and attributes of an operation that are supported for inspection in the context of that operation are evaluated against the configured IAM policies. Also, the "Action" values in policies don't always map 1:1 to APIs, so it would be complex to make all the API parameters available even in theory.

The supported actions and condition keys are documented in the AWS Service Authorization Reference. For CreateHostedZone, the actions table https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html#amazonroute53-actions-as-permissions shows that there are no operation-specific condition keys, such as the name of the zone, available for evaluation.

EXPERT
answered 2 months ago
AWS EXPERT
reviewed 2 months ago
  • A better way to do this might be to use Config Rules to check for the existence of specific hosted zones and then perform a remediation task.

  • I'd argue it's best to enforce access restrictions when it's possible. It actively signals to anyone attempting to violate rules that they are doing so and prevents a noncompliant situation from being created. If the violation is first permitted and later remedied, it may take time to become known to the originator of the problem, it will put CFN stacks in a drifted state, Terraform would recreate the same problem when deployed again, etc. Simply blocking undesired actions avoids all those issues, but in this case, blocking the action is unfortunately impossible.
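An added example, not code from the original answer or from AWS: a Python evaluator for the detect-and-remediate approach suggested in the comments. It flags private hosted zones whose name matches the question's `*.example.internal` pattern and emits AWS Config-style evaluation records; the zone list is a constructed sample shaped like ListHostedZones output, and the zone ids are placeholders.

```python
"""Flag private hosted zones whose name matches a denied pattern.

Since CreateHostedZone exposes no zone-name condition key to SCPs, the
zone cannot be denied at creation time; this check finds it afterwards
(e.g. from a custom AWS Config rule or a scheduled job) so it can be
remediated.
"""
from fnmatch import fnmatch

# Constructed sample shaped like route53 ListHostedZones output; ids are placeholders.
SAMPLE_ZONES = [
    {"Id": "/hostedzone/Z0EXAMPLE1", "Name": "corp.example.internal.",
     "Config": {"PrivateZone": True}},
    {"Id": "/hostedzone/Z0EXAMPLE2", "Name": "example.internal.",
     "Config": {"PrivateZone": True}},
    {"Id": "/hostedzone/Z0EXAMPLE3", "Name": "dev.example.internal.",
     "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/Z0EXAMPLE4", "Name": "example.com.",
     "Config": {"PrivateZone": True}},
]

DENIED_PATTERNS = ["*.example.internal"]  # same pattern as the question's StringLike


def normalize(name):
    # Route 53 returns zone names with a trailing dot; compare case-insensitively.
    return name.rstrip(".").lower()


def is_denied_private_zone(zone, patterns=DENIED_PATTERNS):
    # Public zones are out of scope; only private zones are checked.
    if not zone.get("Config", {}).get("PrivateZone", False):
        return False
    name = normalize(zone["Name"])
    # fnmatch '*' matches any run of characters, like IAM StringLike; note that
    # "*.example.internal" does not match the bare apex "example.internal".
    return any(fnmatch(name, p.lower()) for p in patterns)


def evaluate(zones, patterns=DENIED_PATTERNS):
    """Return one Config-style evaluation dict per hosted zone."""
    results = []
    for z in zones:
        denied = is_denied_private_zone(z, patterns)
        results.append({
            "ComplianceResourceType": "AWS::Route53::HostedZone",
            "ComplianceResourceId": z["Id"].split("/")[-1],
            "ComplianceType": "NON_COMPLIANT" if denied else "COMPLIANT",
            "Annotation": (f"private zone {normalize(z['Name'])} matches a denied pattern"
                           if denied else "ok"),
        })
    return results


def noncompliant_ids(zones, patterns=DENIED_PATTERNS):
    return [r["ComplianceResourceId"] for r in evaluate(zones, patterns)
            if r["ComplianceType"] == "NON_COMPLIANT"]
```

In a real rule, fetch the zones with the `list_hosted_zones` paginator of `boto3.client("route53")` and submit the results with `put_evaluations` on the Config client.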
