Amazon Web Services: AWS service control policy to prevent opening Internet connections in a VPN environment

Tags: amazon-web-services, aws-vpc, aws-organizations

We have several AWS sub-accounts that sit under one billing account (organization). Because these accounts are connected to our private cloud via VPN, I want to prevent developers from opening Internet ports by default. Is there a good default policy that blocks the most basic things that would cause security problems, without restricting developers too much? Basically, starting and stopping things inside should be allowed, but we should make sure they cannot open anything that could create security problems for our private cloud. I just quickly went through some settings and came up with this policy, but I would like to hear whether there are further considerations, or whether good examples already exist.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "aws-portal:ModifyAccount",
                "aws-portal:ModifyBilling",
                "aws-portal:ModifyPaymentMethods"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "budgets:ModifyBudget"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "directconnect:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "cur:DeleteReportDefinition"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "organizations:CreateAccount",
                "organizations:CreateOrganization",
                "organizations:CreateOrganizationalUnit",
                "organizations:DeleteOrganization",
                "organizations:DeleteOrganizationalUnit",
                "organizations:DeletePolicy",
                "organizations:DisablePolicyType",
                "organizations:InviteAccountToOrganization",
                "organizations:LeaveOrganization",
                "organizations:MoveAccount",
                "organizations:RemoveAccountFromOrganization",
                "organizations:UpdateOrganizationalUnit",
                "organizations:UpdatePolicy"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "ec2:AttachInternetGateway",
                "ec2:CreateInternetGateway",
                "ec2:DeleteInternetGateway",
                "ec2:DetachInternetGateway"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "ec2:AttachVpnGateway",
                "ec2:CreateVpnConnection",
                "ec2:CreateVpnConnectionRoute",
                "ec2:CreateVpnGateway",
                "ec2:DeleteVpnConnection",
                "ec2:DeleteVpnConnectionRoute",
                "ec2:DeleteVpnGateway",
                "ec2:DetachVpnGateway"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
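Before attaching an SCP like this one, it helps to check which actions it actually blocks. The following is an added example, not code from the question or from AWS: it implements the SCP evaluation rule (a matching explicit Deny always wins over the blanket Allow; action names match case-insensitively with `*` wildcards) over the question's statements rebuilt as Python. The helper names `_deny`, `_as_list`, `_matches` and `scp_allows` are chosen here.

```python
import fnmatch

def _deny(*actions):
    return {"Effect": "Deny", "Action": list(actions), "Resource": "*"}

# The question's SCP rebuilt as Python (constructed here; same statements as the JSON above).
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    _deny("aws-portal:ModifyAccount", "aws-portal:ModifyBilling",
          "aws-portal:ModifyPaymentMethods"),
    _deny("budgets:ModifyBudget"),
    _deny("directconnect:*"),
    _deny("cur:DeleteReportDefinition"),
    _deny("organizations:CreateAccount", "organizations:CreateOrganization",
          "organizations:CreateOrganizationalUnit", "organizations:DeleteOrganization",
          "organizations:DeleteOrganizationalUnit", "organizations:DeletePolicy",
          "organizations:DisablePolicyType", "organizations:InviteAccountToOrganization",
          "organizations:LeaveOrganization", "organizations:MoveAccount",
          "organizations:RemoveAccountFromOrganization",
          "organizations:UpdateOrganizationalUnit", "organizations:UpdatePolicy"),
    _deny("ec2:AttachInternetGateway", "ec2:CreateInternetGateway",
          "ec2:DeleteInternetGateway", "ec2:DetachInternetGateway"),
    _deny("ec2:AttachVpnGateway", "ec2:CreateVpnConnection",
          "ec2:CreateVpnConnectionRoute", "ec2:CreateVpnGateway",
          "ec2:DeleteVpnConnection", "ec2:DeleteVpnConnectionRoute",
          "ec2:DeleteVpnGateway", "ec2:DetachVpnGateway"),
]}

def _as_list(value):
    """IAM JSON allows "Action"/"Resource" to be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)

def _matches(patterns, name):
    """IAM matching: case-insensitive, with '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)

def scp_allows(policy, action, resource="*"):
    """SCP rule: a matching explicit Deny always wins; otherwise the action
    must be covered by at least one matching Allow statement."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(_as_list(stmt["Action"]), action)
                and _matches(_as_list(stmt["Resource"]), resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Running the actions developers need (for example `ec2:StartInstances`) and the ones you intend to block through `scp_allows` shows which of them fall through to the blanket Allow.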