Policy: AWS > VPC > Security Group > Ingress Rules > Approved > Rules
An Object Control List (OCL) with a list of filter rules to approve or reject security group rules.
Note that the Approved control does not operate directly from this policy, but from the Approved > Compiled Rules
. The rules are processed in order, and any built-in Turbot rules will appear first in the list of compiled rules.
Examples: Allow HTTP and HTTPS rules for RFC1918 private space APPROVE $.turbot.fromPort:=80 $.turbot.toPort:=80 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 APPROVE $.turbot.fromPort:=443 $.turbot.toPort:=443 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16<br /><br /> Allow all rules from security groups in this account APPROVE $.UserIdGroupPairs.+.UserId:"969297701313"<br /><br /> Reject any rule from 0.0.0.0/0 REJECT $.turbot.cidr:0.0.0.0/0
Resource Types
This policy targets the following resource types:
Primary Policy
This policy is used with the following primary policy:
Controls
Policy Packs
This policy setting is used by the following policy packs:
- AWS CIS v3.0.0 - Section 5 - Networking
- Enforce Block Public Access for AWS VPC Security Groups
- Enforce AWS VPC Default Security Groups Deny All Traffic
- Enforce Unapproved Traffic is Blocked for AWS VPC Security Groups
Policy Specification
Schema Type |
|
---|---|
Default |
|
Category
In Your Workspace
Developers
- tmod:@turbot/turbot#/control/categories/resourceApproved
- tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedRules
- turbot graphql policy-type --id "tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedRules"
- turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedRules"
Get Policy TypeGet Policy Settings