Hello.
I don't think you can use the SCP feature of AWS Organizations for the purpose of managing normal communication traffic.
SCP is used to restrict the use of AWS APIs (such as creating EC2 instances or S3 buckets) within an AWS account.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for the IAM users and IAM roles in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines. SCPs are available only in an organization that has all features enabled. SCPs aren't available if your organization has enabled only the consolidated billing features. For instructions on enabling SCPs, see Enabling a policy type.
If you want to manage communication traffic from EC2, I think it is better to use something like AWS Network Firewall.
By using the Transit Gateway configuration introduced in the AWS blog below, it is also possible to centrally manage internet connections from VPCs in multiple accounts and route them through AWS Network Firewall.
https://docs.aws.amazon.com/vpc/latest/userguide/network-firewall.html
https://aws.amazon.com/jp/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/
+1 on the response above! Entirely agree. I've spent a lot of time working with ANFW (AWS Network Firewall), and it can be complex to set up and adds some cost, but it is very good for egress traffic restriction.
A simpler way (use case dependent) is to use NACLs on the subnets where the compute lives. Keep in mind NACLs are stateless, so any allowed egress traffic must be explicitly defined for return traffic, typically via ephemeral ports. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
Security Groups (SGs) can't deny traffic, but they can restrict what is allowed, as an additional layer (compensating control) to NACLs - but they live on the ENI level, not the subnet level.
Lastly, as of earlier this year (https://aws.amazon.com/about-aws/whats-new/2024/04/aws-firewall-manager-central-deployment-management-vpc-nacls/) AWS Firewall Manager supports policies for NACLs. So you can create a policy - then ship it out to the rest of the VPCs/subnets.
I think for 10 accounts, and an allow-list approach, NACLs can do what you need - then evolve into ANFW.
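The stateless pairing the answer above describes, as an added example that is not part of either answer: a small egress allow-list is expanded into the outbound rule plus the inbound ephemeral-port return rule a NACL needs, and a checker flags outbound allows that lack their return rule. The entries use the parameter names of boto3's ec2.create_network_acl_entry so they could be passed through, but nothing here calls AWS; the 1024-65535 ephemeral range is an assumption, since the exact range depends on the client OS.

```python
# Constructed example: expand an egress allow-list into the paired entries a
# stateless NACL needs, and flag egress rules whose return traffic would drop.

# Ephemeral range used for return traffic; the client OS decides the exact
# range, so the widest common choice is assumed here.
EPHEMERAL = (1024, 65535)
TCP, UDP = "6", "17"  # protocol numbers, as strings, as the EC2 API expects


def nacl_entry(rule_number, protocol, cidr, port_from, port_to, egress, action="allow"):
    """One entry in the shape accepted by ec2.create_network_acl_entry."""
    return {
        "RuleNumber": rule_number,
        "Protocol": protocol,
        "RuleAction": action,
        "Egress": egress,
        "CidrBlock": cidr,
        "PortRange": {"From": port_from, "To": port_to},
    }


def build_allow_list(egress_allows, start=100, step=10):
    """Expand (protocol, cidr, port) egress allows into egress + return entries.

    Each outbound rule gets an inbound rule from the same CIDR to the ephemeral
    range, because the NACL itself tracks no connection state.
    """
    entries, n = [], start
    for proto, cidr, port in egress_allows:
        entries.append(nacl_entry(n, proto, cidr, port, port, egress=True))
        entries.append(nacl_entry(n, proto, cidr, *EPHEMERAL, egress=False))
        n += step
    return entries


def missing_return_rules(entries):
    """Egress allows with no inbound allow covering the ephemeral range for their CIDR/protocol."""
    inbound = {
        (e["Protocol"], e["CidrBlock"]) for e in entries
        if not e["Egress"] and e["RuleAction"] == "allow"
        and e["PortRange"]["From"] <= EPHEMERAL[0] <= EPHEMERAL[1] <= e["PortRange"]["To"]
    }
    return [e for e in entries if e["Egress"] and e["RuleAction"] == "allow"
            and (e["Protocol"], e["CidrBlock"]) not in inbound]


if __name__ == "__main__":
    # Constructed allow-list: HTTPS to a vendor range, DNS to the VPC resolver.
    rules = build_allow_list([(TCP, "203.0.113.0/24", 443), (UDP, "10.0.0.2/32", 53)])
    for r in rules:
        print(r)
    # A hand-written NACL that forgot the return rule is caught here.
    print(missing_return_rules([nacl_entry(100, TCP, "203.0.113.0/24", 443, 443, True)]))
```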