aws-samples / data-perimeter-policy-examples

Example policies demonstrating how to implement a data perimeter on AWS.

Add ec2 vpc endpoint policy for AWS resources #8

Closed cjsrkd3321 closed 3 months ago

cjsrkd3321 commented 1 year ago

Issue #, if available: The default endpoint policy couldn't accept the ec2:GetManagedPrefixList API for getting AWS-owned resources.

Description of changes: So we need a new endpoint policy sample for EC2.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

liwadman commented 1 year ago

Hello, I've looked into this.

It seems like there is an inconsistent 'ownership' set for managed prefix lists: in some cases the list is 'owned' by customers' AWS accounts, and in others they're owned by AWS services, so for some managed prefix lists, having a guardrail with aws:ResourceOrgId enforcing communication with only resources of the same org does not authorize the get managed prefix list operations.

I'm escalating this internally for comment, for now we are not going to merge this request, but may do so later depending on what we determine the correct behavior should be.

This policy statement to allow the EC2 actions is not constrained with aws:PrincipalOrgId and allows any IAM principal to make that request. To help minimize the risk of cross org communication, I would recommend having that allow be conditional with aws:PrincipalOrgId.
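
As an added illustration of the recommendation above (an example written for this page, not code from the PR or from the data-perimeter-policy-examples repository): a VPC endpoint policy whose baseline statement allows only organization identities to reach organization resources, plus a narrow second statement for the managed prefix list reads that is itself scoped to organization identities. The condition keys are spelled `aws:PrincipalOrgID` and `aws:ResourceOrgID` in IAM; the organization ID `o-exampleorgid` is a placeholder, and the two action names (`ec2:DescribeManagedPrefixLists`, `ec2:GetManagedPrefixListEntries`) are my assumption about which read actions the PR's statement was meant to cover.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-exampleorgid",
          "aws:ResourceOrgID": "o-exampleorgid"
        }
      }
    },
    {
      "Sid": "AllowManagedPrefixListReadsByOrgsIdentitiesOnly",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ec2:DescribeManagedPrefixLists",
        "ec2:GetManagedPrefixListEntries"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-exampleorgid"
        }
      }
    }
  ]
}
```

The weak form the comment objects to is the second statement with its `Condition` block removed: because a VPC endpoint policy uses `"Principal": "*"`, an unconditioned allow lets any IAM principal that can route to the endpoint call those actions, which defeats the perimeter's identity guardrail. Keeping `aws:PrincipalOrgID` on the exception preserves that guardrail while dropping only the `aws:ResourceOrgID` check that AWS-owned prefix lists could not satisfy. A quick check after applying such a policy is to call the prefix list read action from a principal outside the organization and confirm it is denied, while the same call from an in-organization principal succeeds.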

cjsrkd3321 commented 1 year ago

Hello! You're right. I couldn't think about that. Thank you.

liwadman commented 1 year ago

I just wanted to let you know we are still working on this with the EC2 team - you are not forgotten :)

cjsrkd3321 commented 11 months ago

Hello! I just added a new statement for using external (like Marketplace) AMIs. Please check my new commit.

Thank you.

liwadman commented 3 months ago

Hello - sorry for the long time between comments, but I know the EC2 service team has reached out. We've made changes to the managed prefix list authorization such that it should now work nicely with these policies as is.

As well, we're going to keep Marketplace AMIs denied by default in this policy, as we've gotten feedback from customers that they do not want Marketplace AMIs accessible by default with data perimeters, and would prefer to deny by default and then grant exceptions.

Thank you for raising this issue, as it ultimately led to an improved data perimeter experience for all our customers. Please never hesitate to open more!