Restrict outbound network for accounts in my AWS organizations using SCP


I want to implement SCPs to restrict AWS accounts linked to my AWS Organization from making outbound calls. The outbound calls should only be restricted to a specific set of websites. I need guidance on how to set this up on my AWS account.

My use case is detailed below -

I have 10 individual AWS accounts linked to my AWS Organization for billing purposes. All of the 10 AWS accounts can create EC2 resources to deploy their LLM web applications. Given the task is for the 10 users to implement an LLM web service, I want to avoid a scenario where one of the users invokes an OpenAI API for prediction or inference. Therefore, I want to restrict outbound traffic to OpenAI and similar websites.

I would like to set up this restriction at an organization level so that it applies to all the accounts added to my org.

2 Answers

Hello.

I don't think you can use the SCP feature of AWS Organizations for the purpose of managing normal communication traffic.
SCP is used to restrict the use of AWS APIs (such as creating EC2 instances or S3 buckets) within an AWS account.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for the IAM users and IAM roles in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines. SCPs are available only in an organization that has all features enabled. SCPs aren't available if your organization has enabled only the consolidated billing features. For instructions on enabling SCPs, see Enabling a policy type.

If you want to manage communication traffic from EC2, I think it is better to use something like AWS Network Firewall.
By using the Transit Gateway configuration introduced in the AWS blog below, it is also possible to centrally manage internet connections from VPCs in multiple accounts and route them through AWS Network Firewall.
https://docs.aws.amazon.com/vpc/latest/userguide/network-firewall.html
https://aws.amazon.com/jp/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/

EXPERT
answered 2 months ago
EXPERT
reviewed 2 months ago
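To make the distinction in this answer concrete: an SCP document only names IAM actions (for example `ec2:RunInstances`) and has no notion of a destination hostname, whereas a Network Firewall stateful domain-list rule group does. The following is an added example, not code from the answer above or from AWS: it builds the rule-group document shape that Network Firewall's CreateRuleGroup API accepts for a hostname allow-list and emulates that allow-list's matching on sample TLS SNI values. The rule-group name, capacity and the allowed domains are constructed assumptions; nothing is sent to AWS.

```python
"""Added example (not from the answer or from AWS): build an AWS Network
Firewall stateful domain-list rule group that only permits egress to an
allow-list of hostnames, and emulate its matching on sample SNI values.
The allow-list, capacity and rule-group name are constructed assumptions."""

from typing import Iterable, List

# Constructed allow-list. In Network Firewall domain lists a leading "."
# matches the domain and all of its subdomains; a bare name matches that
# exact name only.
ALLOWED_DOMAINS: List[str] = [".example.com", "api.internal-inference.example.org"]


def build_domain_allowlist_rule_group(name: str, domains: Iterable[str],
                                      capacity: int = 100) -> dict:
    """Return the document shape used by Network Firewall's CreateRuleGroup
    API for a domain allow-list (TLS SNI and HTTP Host are both inspected).
    The API is not called here."""
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,
        "RuleGroup": {
            "RulesSource": {
                "RulesSourceList": {
                    "Targets": list(domains),
                    "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
                    "GeneratedRulesType": "ALLOWLIST",
                }
            }
        },
    }


def domain_matches(target: str, host: str) -> bool:
    """Emulate domain-list matching for one target against one hostname."""
    host = host.lower().rstrip(".")
    target = target.lower()
    if target.startswith("."):
        base = target[1:]
        return host == base or host.endswith("." + base)
    return host == target


def egress_allowed(host: str, domains: Iterable[str] = ALLOWED_DOMAINS) -> bool:
    """ALLOWLIST semantics: a host that matches no target is dropped."""
    return any(domain_matches(t, host) for t in domains)


if __name__ == "__main__":
    doc = build_domain_allowlist_rule_group("egress-allowlist", ALLOWED_DOMAINS)
    print(doc["RuleGroup"]["RulesSource"]["RulesSourceList"])
    # Constructed sample SNI values seen on egress.
    for host in ["api.example.com", "api.internal-inference.example.org",
                 "sub.api.internal-inference.example.org", "api.openai.com"]:
        print(f"{host:45} {'ALLOW' if egress_allowed(host) else 'DROP'}")
```

The document returned by `build_domain_allowlist_rule_group` is the `RuleGroup` argument a practitioner would pass to CreateRuleGroup; the matcher exists only to show that the allow-list is evaluated on the hostname the client presents, which is exactly the concept an SCP lacks.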

+1 on the response above! Entirely agree. I've spent a lot of time working with ANFW (AWS Network Firewall), and it can be complex to set up, adds some cost - but very good for egress traffic restriction.

A simpler way (use-case dependent) is to use NACLs on the subnets where the compute lives. Keep in mind NACLs are stateless, so any allowed egress traffic must be explicitly defined for return traffic, typically via ephemeral ports. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

Security Groups (SGs) can't deny traffic, but they can restrict what is allowed, as an additional layer (compensating control) to NACLs - but they live on the ENI level, not the subnet level.

Lastly, as of earlier this year (https://aws.amazon.com/about-aws/whats-new/2024/04/aws-firewall-manager-central-deployment-management-vpc-nacls/) AWS Firewall Manager supports policies for NACLs. So you can create a policy - then ship it out to the rest of the VPCs/subnets.

I think for 10 accounts, and an allow-list approach, NACLs can do what you need - then evolve into ANFW.

AWS
answered 2 months ago
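The stateless point in this answer is the one that bites in practice: with an allow-list NACL, the outbound rule on TCP/443 is not enough on its own, because the response packet is evaluated independently against the inbound rules. The block below is an added example, not code from the answer above or from AWS. It builds an allow-list NACL from a set of permitted destination CIDRs (NACLs match on CIDR, not on hostname, so the allow-list has to be expressed as addresses), evaluates constructed packets the way a NACL does (rules in ascending number order, first match wins, implicit deny), and shows the return packet being dropped when the inbound ephemeral-port rule is left out. The CIDRs, rule numbers and the ACL id are constructed assumptions; the `to_api_entry` helper only produces the kwargs shape of EC2's CreateNetworkAclEntry and does not call it.

```python
"""Added example (not from the answer or from AWS): an allow-list NACL built
from permitted destination CIDRs, plus a stateless rule evaluator that shows
why an inbound ephemeral-port rule is needed for return traffic.
CIDRs, rule numbers and the ACL id are constructed assumptions."""

import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Clients pick source ports from this range, so responses arrive with a
# destination port in it.
EPHEMERAL: Tuple[int, int] = (1024, 65535)


@dataclass
class Rule:
    number: int            # evaluated in ascending order, first match wins
    egress: bool           # True = outbound rule, False = inbound rule
    protocol: str          # "tcp", "udp" or "-1" (all protocols)
    cidr: str              # destination CIDR for egress, source CIDR for inbound
    ports: Tuple[int, int] # destination port range (from, to)
    action: str            # "allow" | "deny"

    def matches(self, egress: bool, proto: str, remote_ip: str, dport: int) -> bool:
        return (self.egress == egress
                and self.protocol in ("-1", proto)
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)
                and self.ports[0] <= dport <= self.ports[1])


def build_allowlist_nacl(allowed_cidrs: List[str], with_return_rules: bool = True) -> List[Rule]:
    """Egress: TCP/443 to each allowed CIDR. Inbound: TCP on ephemeral ports
    from each allowed CIDR so the responses can come back. Everything else
    falls through to the implicit deny."""
    rules: List[Rule] = []
    for i, cidr in enumerate(allowed_cidrs):
        n = 100 + 10 * i
        rules.append(Rule(n, True, "tcp", cidr, (443, 443), "allow"))
        if with_return_rules:
            rules.append(Rule(n, False, "tcp", cidr, EPHEMERAL, "allow"))
    return rules


def evaluate(rules: List[Rule], egress: bool, proto: str, remote_ip: str, dport: int) -> str:
    """Stateless evaluation: each packet is checked on its own and the
    implicit '*' rule denies whatever no numbered rule matched."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(egress, proto, remote_ip, dport):
            return r.action
    return "deny"


def to_api_entry(rule: Rule, network_acl_id: str) -> dict:
    """kwargs shape for EC2 CreateNetworkAclEntry (Protocol is the IANA
    number as a string). Not called here."""
    return {"NetworkAclId": network_acl_id, "RuleNumber": rule.number,
            "Protocol": {"tcp": "6", "udp": "17", "-1": "-1"}[rule.protocol],
            "RuleAction": rule.action, "Egress": rule.egress,
            "CidrBlock": rule.cidr,
            "PortRange": {"From": rule.ports[0], "To": rule.ports[1]}}


if __name__ == "__main__":
    # Constructed allowed destination (documentation range).
    rules = build_allowlist_nacl(["203.0.113.0/24"])
    print("outbound 443 to allowed  :", evaluate(rules, True, "tcp", "203.0.113.10", 443))
    print("outbound 443 to other    :", evaluate(rules, True, "tcp", "198.51.100.5", 443))
    print("return packet, with rule :", evaluate(rules, False, "tcp", "203.0.113.10", 40000))
    no_return = build_allowlist_nacl(["203.0.113.0/24"], with_return_rules=False)
    print("return packet, no rule   :", evaluate(no_return, False, "tcp", "203.0.113.10", 40000))
    for r in rules:
        print(to_api_entry(r, "acl-EXAMPLE"))  # placeholder ACL id
```

Because the inbound ephemeral rule admits any TCP packet from the allowed CIDR on ports 1024-65535, not only responses to the connections the instance opened, the Security Group on the ENI is the layer that keeps unsolicited inbound traffic out; that is the compensating-control role the answer gives it.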
