How do I block users from accessing external AWS accounts?

Article ID: 378544

Products

CASB Gateway Advanced, CASB Advanced Threat Protection, CASB Audit, CASB Gateway, CASB Security Advanced, CASB Security Advanced IAAS, CASB Security Premium, CASB Security Premium IAAS, CASB Security Standard, CASB Securlet IAAS, CASB Securlet SAAS, CASB Securlet SAAS With DLP-CDS

Issue/Introduction

Allowing access to external AWS accounts from our network poses a risk. We want to mitigate that risk by blocking access to all AWS accounts other than our own internal accounts.

AWS does not currently provide an HTTP header that could be used to allow only specific accounts from our network, so the restriction cannot be enforced by injecting headers.

Resolution

Create an Access Enforcement policy that blocks (blacklists) logins to all AWS accounts, with an exception that allows (whitelists) the internal accounts.

There is a beta feature (For Account) that allows you to select the internal accounts for the exception.

The selectable accounts are currently populated only through the Gateway delineation feature, which means the gatelet must have seen the internal account before all accounts can be blocked. A pre-existing block policy may have to be disabled, and a user may need to log in to the internal account, so that delineation can see the account and make it available for selection.

Feature request ISFR-3426 was created to request the ability to add accounts manually.