Prevent CodeBuild projects without VPC


I need to prevent AWS users from creating CodeBuild projects without the VPC set.

My organization wants to prohibit creation and running of CodeBuild outside of a VPC. It is not necessary to name the VPC. If the VPC is set in the project, we're good.

So we need to:

  1. deny creation of CodeBuild projects outside of a VPC.
  2. deny execution of CodeBuild projects outside of a VPC.

I have tried to do this using a Service Control Policy/IAM and it does not seem possible. Does anyone have experience with this?


I tried creating an SCP with a Condition "in VPC". An example was even provided to me by a colleague. I won't share it because it's incorrect.

Unfortunately AWS does not allow us to filter based on arbitrary properties. It has to be a "condition key". The valid Condition Keys for CodeBuild are listed at the bottom of this page. Unfortunately we don't have much to go on. https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodebuild.html


I've already received some suggestions that "should work" but don't. Tested solutions please! Thanks!
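The post asks for a preventive SCP/IAM control. As an added example (not from the post, and not an AWS-provided tool), the Python script below is the complementary detective control: it enumerates CodeBuild projects with the real `ListProjects` / `BatchGetProjects` APIs and reports every project whose `vpcConfig` has no `vpcId`, which is how the service represents a project that builds outside a VPC. The function names `has_vpc`, `find_projects_without_vpc` and `run_audit` are my own; `run_audit()` assumes `boto3` is installed and AWS credentials are available, while the pure helpers operate on plain dicts so the constructed `SAMPLE_PROJECTS` can be checked offline. The same logic can be dropped into a custom AWS Config rule or a scheduled Lambda to catch projects that slip past whatever preventive control is eventually found.

```python
"""Detective check: list AWS CodeBuild projects that have no VPC configured.

Added example, not from the original post. Assumes boto3 and AWS credentials
are available only when run_audit() is called; the helpers below work on plain
dicts shaped like BatchGetProjects output, so they can be tested offline.
"""
from typing import Any, Dict, Iterable, List


def has_vpc(project: Dict[str, Any]) -> bool:
    """True when a project dict (BatchGetProjects shape) carries a usable vpcConfig.

    A project is VPC-attached only when vpcConfig contains a non-empty vpcId;
    an absent key or an empty dict means the build runs outside any VPC.
    """
    vpc = project.get("vpcConfig") or {}
    return bool(vpc.get("vpcId"))


def find_projects_without_vpc(projects: Iterable[Dict[str, Any]]) -> List[str]:
    """Return the sorted names of projects that are not attached to a VPC."""
    return sorted(p["name"] for p in projects if not has_vpc(p))


def run_audit(region_name: str = "us-east-1") -> List[str]:
    """Fetch every CodeBuild project in the account/region and report non-VPC ones.

    ListProjects is paginated with nextToken; BatchGetProjects accepts at most
    100 names per call, hence the chunking.
    """
    import boto3  # imported lazily so the pure helpers stay importable without boto3

    client = boto3.client("codebuild", region_name=region_name)
    names: List[str] = []
    token = None
    while True:
        kwargs = {"nextToken": token} if token else {}
        page = client.list_projects(**kwargs)
        names.extend(page.get("projects", []))
        token = page.get("nextToken")
        if not token:
            break

    projects: List[Dict[str, Any]] = []
    for i in range(0, len(names), 100):
        batch = client.batch_get_projects(names=names[i:i + 100])
        projects.extend(batch.get("projects", []))
    return find_projects_without_vpc(projects)


# Constructed sample shaped like BatchGetProjects output (not real account data).
SAMPLE_PROJECTS = [
    {"name": "build-in-vpc",
     "vpcConfig": {"vpcId": "vpc-0example", "subnets": ["subnet-0example"],
                   "securityGroupIds": ["sg-0example"]}},
    {"name": "build-no-vpc-key"},                  # vpcConfig absent entirely
    {"name": "build-empty-vpc", "vpcConfig": {}},  # key present but empty
]

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in run_audit()
    # to check a live account.
    for name in find_projects_without_vpc(SAMPLE_PROJECTS):
        print(f"NON-COMPLIANT: {name} has no VPC configured")
```

Run it on a schedule (or wire `find_projects_without_vpc` into a custom AWS Config rule's evaluation) and alert on a non-empty result; `has_vpc` deliberately treats an empty `vpcConfig` and a missing key the same way, since both mean the project builds outside a VPC.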
