增强网络防护边界

EnforceNetworkPerimeter

github:https://github.com/aws-samples/data-perimeter-policy-examples/tree/4bc433ff6c4721049fc2eb542c89246343b5fb8a/resource_control_policies

此策略声明使带有 dp:exclude:network 标签且标签值为 true 的身份不受网络边界护栏的约束。请注意，不建议在策略中单独使用此例外，除非同时使用 "Sid": "EnforceOrgIdentities" 语句。这有助于确保组织之外的账户无法通过为其身份添加 dp:exclude:network 标签来规避网络边界控制。

预期网络定义如下:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceNetworkPerimeter",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:*",
                "sqs:*",
                "kms:*",
                "secretsmanager:*",
                "sts:AssumeRole",
                "sts:DecodeAuthorizationMessage",
                "sts:GetAccessKeyInfo",
                "sts:GetFederationToken",
                "sts:GetServiceBearerToken",
                "sts:GetSessionToken",
                "sts:SetContext"
            ],
            "Resource": "*",
            "Condition": {
                "NotIpAddressIfExists": {
                    "aws:SourceIp": "<my-corporate-cidr>"
                },
                "StringNotEqualsIfExists": {
                    "aws:SourceVpc": "<my-vpc>",
                    "aws:PrincipalTag/dp:exclude:network": "true",
                    "aws:PrincipalAccount": [
                        "<load-balancing-account-id>",
                        "<fin-space-account-id>",
                        "<third-party-account-a>",
                        "<third-party-account-b>"
                    ],
                    "aws:ResourceTag/dp:exclude:network": "true"
                },
                "BoolIfExists": {
                    "aws:PrincipalIsAWSService": "false",
                    "aws:ViaAWSService": "false"
                },
                "ArnNotLikeIfExists": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::*:role/aws:ec2-infrastructure"
                    ]
                },
                "StringEquals": {
                    "aws:PrincipalTag/dp:include:network": "true"
                }
            }
        }
    ]
}
