VPC Network Admin Role Only

This AWS Service Control Policy (SCP) is designed to deny a broad range of EC2 network management actions unless the actions are performed by a specified IAM role, typically a network administrator role. The policy aims to restrict the ability to create, modify, or delete key network resources, thereby enhancing security and reducing the risk of accidental or unauthorized changes.

Policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:AcceptTransitGatewayMulticastDomainAssociations",
        "ec2:AcceptTransitGatewayPeeringAttachment",
        "ec2:AcceptTransitGatewayVpcAttachment",
        "ec2:AcceptVpcEndpointConnections",
        "ec2:AcceptVpcPeeringConnection",
        "ec2:AssociateRouteTable",
        "ec2:AssociateSubnetCidrBlock",
        "ec2:AssociateTransitGatewayMulticastDomain",
        "ec2:AssociateTransitGatewayRouteTable",
        "ec2:AssociateVpcCidrBlock",
        "ec2:AttachClassicLinkVpc",
        "ec2:AttachInternetGateway",
        "ec2:AttachVpnGateway",
        "ec2:CreateCarrierGateway",
        "ec2:CreateClientVpnEndpoint",
        "ec2:CreateClientVpnRoute",
        "ec2:CreateCustomerGateway",
        "ec2:CreateDefaultSubnet",
        "ec2:CreateDefaultVpc",
        "ec2:CreateDhcpOptions",
        "ec2:CreateEgressOnlyInternetGateway",
        "ec2:CreateInternetGateway",
        "ec2:CreateLocalGatewayRoute",
        "ec2:CreateLocalGatewayRouteTableVpcAssociation",
        "ec2:CreateManagedPrefixList",
        "ec2:CreateNatGateway",
        "ec2:CreateNetworkAcl",
        "ec2:CreateNetworkAclEntry",
        "ec2:CreateNetworkInsightsPath",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:CreateSubnet",
        "ec2:CreateTransitGateway",
        "ec2:CreateTransitGatewayConnect",
        "ec2:CreateTransitGatewayConnectPeer",
        "ec2:CreateTransitGatewayMulticastDomain",
        "ec2:CreateTransitGatewayPeeringAttachment",
        "ec2:CreateTransitGatewayPrefixListReference",
        "ec2:CreateTransitGatewayRoute",
        "ec2:CreateTransitGatewayRouteTable",
        "ec2:CreateTransitGatewayVpcAttachment",
        "ec2:CreateVpc",
        "ec2:CreateVpcPeeringConnection",
        "ec2:CreateVpnConnection",
        "ec2:CreateVpnConnectionRoute",
        "ec2:CreateVpnGateway",
        "ec2:DeleteCarrierGateway",
        "ec2:DeleteClientVpnEndpoint",
        "ec2:DeleteClientVpnRoute",
        "ec2:DeleteCustomerGateway",
        "ec2:DeleteDhcpOptions",
        "ec2:DeleteEgressOnlyInternetGateway",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteLocalGatewayRoute",
        "ec2:DeleteLocalGatewayRouteTableVpcAssociation",
        "ec2:DeleteManagedPrefixList",
        "ec2:DeleteNatGateway",
        "ec2:DeleteNetworkAcl",
        "ec2:DeleteNetworkAclEntry",
        "ec2:DeleteNetworkInsightsPath",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSubnet",
        "ec2:DeleteTransitGateway",
        "ec2:DeleteTransitGatewayConnect",
        "ec2:DeleteTransitGatewayConnectPeer",
        "ec2:DeleteTransitGatewayMulticastDomain",
        "ec2:DeleteTransitGatewayPeeringAttachment",
        "ec2:DeleteTransitGatewayPrefixListReference",
        "ec2:DeleteTransitGatewayRoute",
        "ec2:DeleteTransitGatewayRouteTable",
        "ec2:DeleteTransitGatewayVpcAttachment",
        "ec2:DeleteVpc",
        "ec2:DeleteVpcPeeringConnection",
        "ec2:DeleteVpnConnection",
        "ec2:DeleteVpnConnectionRoute",
        "ec2:DeleteVpnGateway",
        "ec2:ModifyClientVpnEndpoint",
        "ec2:ModifyManagedPrefixList",
        "ec2:ModifyTransitGateway",
        "ec2:ModifyTransitGatewayPrefixListReference",
        "ec2:ModifyTransitGatewayVpcAttachment",
        "ec2:ModifyVpcAttribute",
        "ec2:ModifyVpnConnection",
        "ec2:ModifyVpnConnectionOptions",
        "ec2:RejectTransitGatewayMulticastDomainAssociations",
        "ec2:RejectTransitGatewayPeeringAttachment",
        "ec2:RejectTransitGatewayVpcAttachment",
        "ec2:RejectVpcEndpointConnections",
        "ec2:RejectVpcPeeringConnection"
      ],
      "Resource": [
        "arn:*:ec2:*:*:vpc/*",
        "arn:*:ec2:*:*:client-vpn-endpoint/*",
        "arn:*:ec2:*:*:dhcp-options/*",
        "arn:*:ec2:*:*:internet-gateway/*",
        "arn:*:ec2:*:*:route-table/*",
        "arn:*:ec2:*:*:subnet/*",
        "arn:*:ec2:*:*:transit-gateway-attachment/*",
        "arn:*:ec2:*:*:transit-gateway-multicast-domain/*",
        "arn:*:ec2:*:*:transit-gateway-route-table/*",
        "arn:*:ec2:*:*:vpc-peering-connection/*",
        "arn:*:ec2:*:*:vpc-gateway/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": ["arn:*:iam::*:role/NAME_OF_YOUR_NETWORK_ADMIN_ROLE"]
        }
      }
    }
  ]
}

Policy Breakdown

Version

  • "Version": "2012-10-17": This defines the version of the policy language.

Statement

  • The Statement array contains a single statement.

Effect

  • "Effect": "Deny": This indicates that the specified actions are denied.

Action

  • "Action": Lists all the EC2 actions that are denied. These actions primarily involve creating, modifying, and deleting various network resources.

Resource

  • "Resource": Specifies the ARNs of the resources to which the policy applies. It includes VPCs, client VPN endpoints, DHCP options, internet gateways, route tables, subnets, transit gateway attachments, transit gateway multicast domains, transit gateway route tables, VPC peering connections, and VPC gateways.

Condition

  • "Condition": Specifies when the deny applies. The deny fires for every principal except the one exempted by the condition.
    • "StringNotLike": The condition is true, and the deny applies, whenever aws:PrincipalArn does not match the pattern, so only the named role is exempt. The key is the role ARN even for sessions created with sts:AssumeRole, so the exemption covers anyone who assumes the role.
    • ["arn:*:iam::*:role/NAME_OF_YOUR_NETWORK_ADMIN_ROLE"]: Replace NAME_OF_YOUR_NETWORK_ADMIN_ROLE with the actual name of your network administrator role. The pattern matches a role of that name in any partition and any account.
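The evaluation described above can be checked offline with a small evaluator. The block below is an added example written for this page, not tooling from the page or from AWS: it reproduces IAM's wildcard matching for a single Deny statement so you can see which requests it blocks and which it leaves alone. It assumes a constructed role name (NetworkAdmin) in place of the placeholder, uses a shortened subset of the page's Action array, and ignores everything else in a real evaluation (Allow statements, other SCPs in the OU chain, identity and resource policies).

```python
import re

# Constructed for this example: the name substituted for the page's
# NAME_OF_YOUR_NETWORK_ADMIN_ROLE placeholder.
NETWORK_ADMIN_ROLE = "NetworkAdmin"

# The page's Deny statement with the Action list shortened to a representative
# subset; the Resource and Condition blocks are copied as the page gives them.
SCP_STATEMENT = {
    "Effect": "Deny",
    "Action": [
        "ec2:AttachInternetGateway",
        "ec2:CreateRoute",
        "ec2:CreateSubnet",
        "ec2:CreateTransitGateway",
        "ec2:CreateVpc",
        "ec2:CreateVpcPeeringConnection",
        "ec2:DeleteRoute",
        "ec2:DeleteSubnet",
        "ec2:DeleteVpc",
    ],
    "Resource": [
        "arn:*:ec2:*:*:vpc/*",
        "arn:*:ec2:*:*:client-vpn-endpoint/*",
        "arn:*:ec2:*:*:dhcp-options/*",
        "arn:*:ec2:*:*:internet-gateway/*",
        "arn:*:ec2:*:*:route-table/*",
        "arn:*:ec2:*:*:subnet/*",
        "arn:*:ec2:*:*:transit-gateway-attachment/*",
        "arn:*:ec2:*:*:transit-gateway-multicast-domain/*",
        "arn:*:ec2:*:*:transit-gateway-route-table/*",
        "arn:*:ec2:*:*:vpc-peering-connection/*",
        "arn:*:ec2:*:*:vpc-gateway/*",
    ],
    "Condition": {
        "StringNotLike": {
            "aws:PrincipalArn": [f"arn:*:iam::*:role/{NETWORK_ADMIN_ROLE}"],
        }
    },
}


def iam_match(pattern: str, value: str, case_sensitive: bool = True) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def statement_denies(statement: dict, request_context: dict, action: str, resource_arn: str) -> bool:
    """True when this Deny statement matches the request.

    A Deny applies only if the action matches, the resource ARN matches one of the
    listed patterns, and every condition evaluates true. StringNotLike is true when
    the context value matches none of its patterns (or when the key is absent).
    """
    if statement.get("Effect") != "Deny":
        return False
    # IAM matches action names case-insensitively; ARNs are matched case-sensitively.
    if not any(iam_match(p, action, case_sensitive=False) for p in statement["Action"]):
        return False
    if not any(iam_match(p, resource_arn) for p in statement["Resource"]):
        return False
    for key, patterns in statement.get("Condition", {}).get("StringNotLike", {}).items():
        value = request_context.get(key)
        if value is not None and any(iam_match(p, value) for p in patterns):
            return False  # the exempted principal: condition is false, deny does not apply
    return True


if __name__ == "__main__":
    # Constructed sample requests; the account id and resource ids are placeholders.
    dev = {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/Developer"}
    admin = {"aws:PrincipalArn": f"arn:aws:iam::123456789012:role/{NETWORK_ADMIN_ROLE}"}
    rtb = "arn:aws:ec2:us-east-1:123456789012:route-table/rtb-0123456789abcdef0"
    tgw = "arn:aws:ec2:us-east-1:123456789012:transit-gateway/tgw-0123456789abcdef0"
    for who, ctx, act, res in [
        ("developer", dev, "ec2:CreateRoute", rtb),
        ("network admin", admin, "ec2:CreateRoute", rtb),
        ("developer", dev, "ec2:CreateTransitGateway", tgw),  # resource type not in the list
    ]:
        verdict = "DENIED" if statement_denies(SCP_STATEMENT, ctx, act, res) else "not denied by this statement"
        print(f"{who:14} {act:26} -> {verdict}")
```

The third sample request is the one worth noticing: ec2:CreateTransitGateway is in the Action array, but a transit-gateway ARN matches none of the Resource patterns, so this statement does not deny it. The same check applies to every action you add, so compare each action's resource types against the Resource array rather than assuming the action list alone decides.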

Usage

When to Use

  • Restricting Network Changes: Use this policy to ensure that only designated network administrators can make changes to critical network resources in your AWS environment.
  • Preventing Unauthorized Actions: This policy helps prevent unauthorized or accidental modifications that could disrupt network connectivity or security.

Benefits

  • Enhanced Security: Limits the ability to make network changes to a specific role, reducing the risk of misconfiguration.
  • Control and Governance: Helps enforce organizational policies by controlling who can perform critical network actions.

Potential Drawbacks

  • Operational Overhead: If the network administrator role is unavailable, necessary network changes could be delayed.
  • Complexity in Role Management: Ensuring the correct role has the necessary permissions might require additional management effort.

Customization

Modifying the Administrator Role

Replace NAME_OF_YOUR_NETWORK_ADMIN_ROLE in the aws:PrincipalArn condition with the name of your network administrator role; the surrounding pattern (arn:*:iam::*:role/...) already supplies the rest of the ARN.

Adjusting Actions

If there are additional actions you want to include or exclude, modify the Action array accordingly.

Resource Specification

Ensure the Resource ARNs match the resources you want to protect. You can adjust these as needed to include specific regions or resource types. Keep in mind that a Deny statement applies only when the resource ARN evaluated for a request matches one of the listed patterns, so an action whose resource type is absent from the Resource array is not blocked by this statement even though it appears in the Action array; check each action's resource types in the Service Authorization Reference when you change either list.
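The three customization steps above (role name, action list, resource scope) can be applied in one place with a small builder. The block below is an added example for this page, not a tool from the page or from AWS. It carries a shortened subset of the page's Action array (paste the full list into PAGE_ACTIONS for a real build), keeps the page's resource types, rejects wildcard or non-ec2 actions so a typo cannot widen the deny, and checks the serialized document against the AWS Organizations SCP size quota, which I take here to be 5,120 characters.

```python
import json
import re

# AWS Organizations quota for one SCP document (5,120 characters).
SCP_MAX_CHARS = 5120
# Character set and length IAM accepts for a role name.
ROLE_NAME_RE = re.compile(r"^[\w+=,.@-]{1,64}$")

# Actions from the page's statement, shortened to a subset for this example;
# paste the page's full Action array here for a real build.
PAGE_ACTIONS = [
    "ec2:AttachInternetGateway", "ec2:CreateRoute", "ec2:CreateRouteTable",
    "ec2:CreateSubnet", "ec2:CreateVpc", "ec2:DeleteRoute", "ec2:DeleteSubnet",
    "ec2:DeleteVpc", "ec2:ModifyVpcAttribute",
]
# Resource types from the page's Resource array (written there as arn:*:ec2:*:*:<type>/*).
PAGE_RESOURCE_TYPES = [
    "vpc", "client-vpn-endpoint", "dhcp-options", "internet-gateway", "route-table",
    "subnet", "transit-gateway-attachment", "transit-gateway-multicast-domain",
    "transit-gateway-route-table", "vpc-peering-connection", "vpc-gateway",
]


def build_network_admin_scp(role_name, extra_actions=(), exclude_actions=(),
                            partition="*", region="*", account="*"):
    """Return (policy_dict, compact_json) for the page's SCP with the placeholders filled in.

    - role_name replaces NAME_OF_YOUR_NETWORK_ADMIN_ROLE in the aws:PrincipalArn pattern.
    - extra_actions / exclude_actions adjust the Action array; wildcard actions are
      rejected so a slip such as "ec2:*" cannot turn this into a deny of every EC2 call.
    - partition / region / account narrow the Resource ARNs (the page uses '*' for all three).
    """
    if not ROLE_NAME_RE.match(role_name):
        raise ValueError(f"invalid IAM role name: {role_name!r}")
    actions = (set(PAGE_ACTIONS) | set(extra_actions)) - set(exclude_actions)
    for action in actions:
        if not action.startswith("ec2:") or "*" in action or "?" in action:
            raise ValueError(f"refusing non-ec2 or wildcard action: {action!r}")
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": sorted(actions),
            "Resource": [f"arn:{partition}:ec2:{region}:{account}:{t}/*" for t in PAGE_RESOURCE_TYPES],
            "Condition": {
                "StringNotLike": {"aws:PrincipalArn": [f"arn:{partition}:iam::*:role/{role_name}"]}
            },
        }],
    }
    # Serialize compactly: the page's full 90-action list is long, and the quota
    # is measured on the stored document.
    doc = json.dumps(policy, separators=(",", ":"))
    if len(doc) > SCP_MAX_CHARS:
        raise ValueError(f"SCP is {len(doc)} characters, over the {SCP_MAX_CHARS} quota")
    return policy, doc


if __name__ == "__main__":
    # Constructed inputs: a role name and a region chosen for the example.
    policy, doc = build_network_admin_scp(
        "NetworkAdmin", exclude_actions=["ec2:ModifyVpcAttribute"], region="eu-west-1")
    print(json.dumps(policy, indent=2))
    print(f"{len(doc)} characters when stored compactly")
```

The compact document returned by the builder is what you would hand to the Organizations API or console as the policy content; the pretty-printed form is only for review.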

By applying this policy, you can safeguard your AWS network infrastructure and ensure that only authorized personnel can make significant changes.