Administrator, January 8, 2024 at 6:08 pm
We acknowledge this mistake on our part. You’re right. The aws:SourceIp condition key pertains to the requester’s IP address, not the IP address being specified in the security group rule. Unfortunately, there’s no direct condition key for matching the contents of a security group rule to the one the request contains. One workaround to proactively prevent users from messing with inbound rules is by tagging the critical security groups and creating a Deny statement using the aws:ResourceTag. We’ll work on revising the scenario and options as well to rectify this oversight.
Again, we apologize for any confusion that may have been caused.
Please let us know if there’s anything you’d like us to clarify.
Carlo @ Tutorials Dojo
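The tag-based Deny described in the reply above, written out as an added example (not Tutorials Dojo's own policy): it assumes critical security groups carry the constructed tag Critical=true, and it also denies tag changes on those groups so a user cannot simply remove the tag to escape the first statement.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInboundRuleChangesOnCriticalSGs",
      "Effect": "Deny",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:ModifySecurityGroupRules",
        "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
      ],
      "Resource": "arn:aws:ec2:*:*:security-group/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Critical": "true" }
      }
    },
    {
      "Sid": "DenyTagTamperingOnCriticalSGs",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "arn:aws:ec2:*:*:security-group/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Critical": "true" }
      }
    }
  ]
}
```

aws:ResourceTag matches here because the request targets the security group itself, unlike aws:SourceIp, which only ever describes the caller's address; attach the policy to the affected principals or as an SCP so an explicit Deny overrides any Allow they hold.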