We have several AWS sub-accounts under a single billing account (an organization). Because these accounts are connected to our private cloud over VPN, I want to stop developers from opening internet-facing ports by default. Is there a good default policy that prevents most of the basic things that could cause security problems, without restricting developers too much? Basically, starting and stopping things inside should be allowed, but we should make sure they cannot open anything that could create security issues for our private cloud. I just skimmed some settings and came up with this policy, but I would like to know whether there is more to consider, or whether good examples already exist.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "aws-portal:ModifyAccount",
        "aws-portal:ModifyBilling",
        "aws-portal:ModifyPaymentMethods"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "budgets:ModifyBudget"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "directconnect:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "cur:DeleteReportDefinition"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "organizations:CreateAccount",
        "organizations:CreateOrganization",
        "organizations:CreateOrganizationalUnit",
        "organizations:DeleteOrganization",
        "organizations:DeleteOrganizationalUnit",
        "organizations:DeletePolicy",
        "organizations:DisablePolicyType",
        "organizations:InviteAccountToOrganization",
        "organizations:LeaveOrganization",
        "organizations:MoveAccount",
        "organizations:RemoveAccountFromOrganization",
        "organizations:UpdateOrganizationalUnit",
        "organizations:UpdatePolicy"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:AttachInternetGateway",
        "ec2:CreateInternetGateway",
        "ec2:DeleteInternetGateway",
        "ec2:DetachInternetGateway"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:AttachVpnGateway",
        "ec2:CreateVpnConnection",
        "ec2:CreateVpnConnectionRoute",
        "ec2:CreateVpnGateway",
        "ec2:DeleteVpnConnection",
        "ec2:DeleteVpnConnectionRoute",
        "ec2:DeleteVpnGateway",
        "ec2:DetachVpnGateway"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
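An added example, not part of the question above: a small evaluator for the Allow-all-then-Deny pattern this SCP uses, run against a constructed excerpt of the posted policy and a hypothetical review checklist of actions that can expose a VPN-connected VPC. The checklist is an assumption (its action names are real EC2 and Direct Connect actions, but the question does not list them); the evaluator reports which of them the policy denies and which it still permits, so the gaps can be covered elsewhere.

```python
import fnmatch
import json

# Constructed excerpt of the SCP from the question: the Allow-all statement
# plus two of its Deny statements. Not the full policy as posted.
SCP_EXCERPT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["directconnect:*"], "Resource": ["*"]},
    {"Effect": "Deny", "Resource": ["*"], "Action": [
      "ec2:AttachInternetGateway", "ec2:CreateInternetGateway",
      "ec2:DeleteInternetGateway", "ec2:DetachInternetGateway"]}
  ]
}""")

# Hypothetical review checklist (not from the question) of actions that can
# expose a VPN-connected VPC to the internet.
EXPOSURE_CHECKLIST = [
    "ec2:AttachInternetGateway",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:CreateRoute",
    "ec2:CreateNatGateway",
    "directconnect:CreateConnection",
]

def _matches(pattern, action):
    # IAM action patterns are case-insensitive and use '*' as a wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def is_allowed(policy, action):
    """SCP logic: a matching Deny always wins; otherwise an Allow must match.
    Every statement on the page uses Resource "*", so resources are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(_matches(p, action) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def gaps(policy, checklist):
    """Checklist actions the SCP still permits, i.e. what must be covered
    elsewhere (further Deny statements, VPC configuration rules, alerting)."""
    return [a for a in checklist if is_allowed(policy, a)]

print(gaps(SCP_EXCERPT, EXPOSURE_CHECKLIST))
```

The output shows that, as posted, the policy blocks internet gateways and Direct Connect but leaves security group ingress, route changes and NAT gateways to be handled by other controls.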