aws organization SCP policy to deny any ec2 instances in any VPCs with public IPs

With the company compliance policy, I am looking for a solution to block the clients (100+ AWS accounts) from creating EC2 instances with public IPs or from attaching Elastic IPs to them after creation.

I am thinking of using an AWS Organizations SCP to implement it, so I don't need to set it in each individual account. But I can't get the proper SCP policy to do it.

For your reference, I can block S3 public access with the SCP policy below; I need something similar for EC2 instances.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:PutAccountPublicAccessBlock"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Ideally, with the proper SCP policy, when clients are in their account under the Organization OU, they can't create an EC2 instance if they allow a public IP on it, and after the EC2 instance is created, when they try to attach an Elastic IP, the SCP should block it.

Updates

Thanks, @john

Let me try this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:AssociateAddress"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

update #2

The above SCP policy doesn't work; I can still create new instances with public IPs.

Solution 1:[1]

Finally I got help from AWS support.

The direction @john was targeting is partly right; the real SCP policy is as below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Condition": {
        "BoolIfExists": {
          "ec2:AssociatePublicIpAddress": "true"
        }
      },
      "Resource": "arn:aws:ec2:*:*:network-interface/*"
    },
    {
      "Action": [
        "ec2:AssociateAddress"
      ],
      "Resource": "*",
      "Effect": "Deny"
    }
  ]
}

Explanation

  • The first statement blocks the clients from creating a new EC2 instance with a public IP ( aws ec2 run-instances --associate-public-ip-address xxxx )
  • The second statement blocks the clients from attaching an EIP to EC2 instances.

UPDATES

This solution was not implemented in the end, because it causes too much trouble.

In particular, the automation IaC code needs to be adjusted for this change, such as CloudFormation, Terraform, CDK, etc.

Here is an AWS CLI sample to explain the change: you have to add --no-associate-public-ip-address

aws ec2 run-instances --image-id ami-0c9f90931dxxxx --count 1 --instance-type t3.micro \
  --key-name bill-import-key --no-associate-public-ip-address --subnet-id subnet-0613b48exxxx

Second, when you create an EC2 instance from the AWS console, you have to choose Disable for Auto-assign Public IP.

The solution is still the only solution to guarantee no public IP to ec2 instances in whole organisation's aws accounts, but no one likes it.

Solution 2:[2]

To block assignment of an Elastic IP address, you would deny them the ec2:AssociateAddress permission.

I could not find a Condition in Actions, resources, and condition keys for Amazon EC2 - Service Authorization Reference for RunInstances that would limit the associating of a Public IP address when launching an instance (that is, the random one, as opposed to an Elastic IP address).

Solution 3:[3]

The following policy statement will prevent instantiation of EC2 (RunInstances) if the user chooses to assign a public IP. However, for this policy to be effective, the subnets should be configured to NOT assign public IPs automatically.

{
  "Condition": {
    "StringEquals": {
      "ec2:AssociatePublicIpAddress": "true"
    }
  },
  "Action": "ec2:RunInstances",
  "Resource": "*",
  "Effect": "Deny",
  "Sid": ""
}
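The following is an added example, not code from the Stack Overflow thread or from AWS. It is a small, self-contained evaluator for the Deny statements of an SCP, used to check what Solution 1's policy does with the requests the question cares about (launch with public IP, launch without, launch with the condition key absent, attach an Elastic IP) and to contrast the BoolIfExists operator Solution 1 uses with the plain operator Solution 3 uses. It models only the IAM pieces these policies need (Action and Resource wildcards; Bool, BoolIfExists and StringEquals; the documented rule that an ...IfExists operator treats a missing key as matched while a plain operator treats it as not matched). The ARNs, account id and allocation id are constructed placeholders.

```python
"""Minimal evaluator for the Deny statements of a Service Control Policy (SCP).

Added example, not part of the Stack Overflow thread. It models only what the
policies on this page use: Action lists with wildcards, Resource ARN wildcards,
and the Bool / BoolIfExists / StringEquals condition operators. An SCP can only
remove permissions, so the single question asked here is: does any Deny
statement match this request?
"""
import fnmatch
import json

# The SCP from Solution 1, copied from the answer above.
SCP_SOLUTION_1 = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["ec2:RunInstances"],
      "Condition": {"BoolIfExists": {"ec2:AssociatePublicIpAddress": "true"}},
      "Resource": "arn:aws:ec2:*:*:network-interface/*"
    },
    {
      "Action": ["ec2:AssociateAddress"],
      "Resource": "*",
      "Effect": "Deny"
    }
  ]
}
""")

# Constructed sample ARNs (account id and allocation id are placeholders).
NIC_ARN = "arn:aws:ec2:us-east-1:123456789012:network-interface/*"
EIP_ARN = "arn:aws:ec2:us-east-1:123456789012:elastic-ip/eipalloc-0placeholder"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, case_insensitive=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_matches(condition, context):
    """True when every operator/key pair in the Condition block matches.

    IAM semantics modelled: all keys are ANDed; a key missing from the request
    context makes a plain operator evaluate false, while the ...IfExists
    variants treat a missing key as matched (so a Deny still fires).
    """
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, expected in keys.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            actual = str(context[key])
            candidates = [str(v) for v in _as_list(expected)]
            if base == "Bool":
                ok = actual.lower() in {c.lower() for c in candidates}
            elif base == "StringEquals":
                ok = actual in candidates
            else:
                raise ValueError(f"operator {operator!r} is not modelled here")
            if not ok:
                return False
    return True


def _statement_denies(stmt, action, resource, context):
    if stmt.get("Effect") != "Deny":
        return False
    if not any(_glob_match(p, action, True) for p in _as_list(stmt["Action"])):
        return False
    if not any(_glob_match(p, resource) for p in _as_list(stmt["Resource"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def denying_statements(policy, action, resource, context=None):
    """Indices of the Deny statements matching the request; empty means not denied."""
    context = context or {}
    return [i for i, s in enumerate(policy["Statement"])
            if _statement_denies(s, action, resource, context)]


def is_denied(policy, action, resource, context=None):
    return bool(denying_statements(policy, action, resource, context))


def with_operator(policy, old="BoolIfExists", new="Bool"):
    """Deep copy of the policy with one condition operator renamed, for comparison."""
    copy = json.loads(json.dumps(policy))
    for s in copy["Statement"]:
        cond = s.get("Condition", {})
        if old in cond:
            cond[new] = cond.pop(old)
    return copy


if __name__ == "__main__":
    # RunInstances is authorised against several resource ARNs; the
    # network-interface ARN is the one that carries ec2:AssociatePublicIpAddress.
    for action, arn, ctx in [
        ("ec2:RunInstances", NIC_ARN, {"ec2:AssociatePublicIpAddress": "true"}),
        ("ec2:RunInstances", NIC_ARN, {"ec2:AssociatePublicIpAddress": "false"}),
        ("ec2:RunInstances", NIC_ARN, {}),  # condition key absent from the request
        ("ec2:AssociateAddress", EIP_ARN, {}),
        ("ec2:DescribeInstances", "*", {}),
    ]:
        verdict = "DENY" if is_denied(SCP_SOLUTION_1, action, arn, ctx) else "not denied"
        print(f"{action:22} {ctx} -> {verdict}")
```

The point worth noticing for a compliance control is the key-absent row: with BoolIfExists (Solution 1) the Deny still fires when ec2:AssociatePublicIpAddress is not in the request context, so the policy fails closed; `with_operator(SCP_SOLUTION_1)` swaps in a plain Bool and the same request is no longer denied. A statement without IfExists, like Solution 3's, therefore relies on something else (the answer names the subnet's auto-assign setting) to cover the case where the key is not present.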

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 John Rotenstein
Solution 3 Pal Ramasamy