Bonus exam: Restrict 0.0.0.0/0 SG rules

[Guillermo Contreras]

Hello,

I completely disagree with the answer on question 24. The condition aws:SourceIP is only used to allow/deny an API call made from a particular public IP: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip. There is no way to use it to compare it with the parameter send on the API to create/update SG rules. It is pretty clear to me that the person in charge of this question doesn’t have actual hands-on experience with AWS SCP or advanced features of IAM; I haven’t done the test, but I might guess that putting that SCP would actually make the API call unavailable for anyone. Please remove this question from the exam.

• This discussion was modified 4 months, 1 week ago by  Guillermo Contreras.

[Carlo-TutorialsDojo]

Hello Guillermo,

We acknowledge this mistake on our part. You’re right. The aws:SourceIp condition key pertains to the requester’s IP address, not the IP address being specified in the security group rule. Unfortunately, there’s no direct condition key for matching the contents of a security group rule to the one the request contains. One workaround to proactively prevent users from messing with inbound rules is by tagging the critical security groups and creating a Deny statement using the aws:ResourceTag. We’ll work on revising the scenario and options as well to rectify this oversight.

Again, we apologize for any confusion that may have been caused.

Please let us know if there’s anything you’d like us to clarify.

Regards,

Carlo @ Tutorials Dojo