Merge pull request aws-samples#38 from jplock/jp-network-vpce

jplock · web-flow · commit a9eb69addd01 · 2025-08-29T15:09:42.000-04:00
[feat] add EnforceNetworkPerimeter policy for S3
diff --git a/template.yml b/template.yml
@@ -209,6 +209,22 @@ Resources:
                 "aws:ResourceTag/dp:exclude:identity": "true"
               BoolIfExists:
                 "aws:PrincipalIsAWSService": "false"
+          - Sid: EnforceNetworkPerimeter
+            Effect: Deny
+            Principal: "*"
+            Action: "s3:*"
+            Resource: "*"
+            Condition:
+              StringNotEqualsIfExists:
+                "aws:VpceOrgID": !If
+                  - cHasOrganizationId
+                  - !Ref pOrganizationId
+                  - !GetAtt rOrganization.Id
+                "aws:PrincipalTag/dp:exclude:network": "true"
+                "aws:ResourceTag/dp:exclude:network": "true"
+              BoolIfExists:
+                "aws:PrincipalIsAWSService": "false"
+                "aws:ViaAWSService": "false"
           - Sid: EnforceConfusedDeputyProtection
             Effect: Deny
             Principal: "*"
