I need to prevent AWS users from creating CodeBuild projects without the VPC set.
My organization wants to prohibit creation and running of CodeBuild outside of a VPC. It is not necessary to name the VPC. If the VPC is set in the project, we're good.
So we need to:
- deny creation of CodeBuild projects outside of a VPC.
- deny execution of CodeBuild projects outside of a VPC.
I have tried to do this using a Service Control Policy/IAM and it does not seem possible. Does anyone have experience with this?
I tried creating an SCP with a Condition "in VPC". An example was even provided to me by a colleague. I won't share it because it's incorrect.
Unfortunately AWS does not allow us to filter based on arbitrary properties. It has to be a "condition key". The valid Condition Keys for CodeBuild are listed at the bottom of this page. Unfortunately we don't have much to go on. https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodebuild.html
I've already received some suggestions that "should work" but don't. Tested solutions please! Thanks!
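Added example, not part of the original question and not an answer to the preventive SCP/IAM problem it asks about: a detective check that finds CodeBuild projects whose configuration carries no VPC. It parses the project shape returned by CodeBuild's BatchGetProjects API (`vpcConfig` with `vpcId`, `subnets`, `securityGroupIds`); the `SAMPLE_PROJECTS` data, the `audit_account` wrapper and its region default are constructed assumptions for illustration, and the live path assumes boto3 and AWS credentials are available.

```python
"""Detective check: list CodeBuild projects whose configuration has no VPC.

Added example, not from the original post. It does not solve the preventive
SCP question; it only audits existing projects. The dict shape follows the
BatchGetProjects response; the sample data below is constructed.
"""
from typing import Any, Dict, Iterable, List


def project_in_vpc(project: Dict[str, Any]) -> bool:
    """Return True only if the project carries a usable vpcConfig.

    A project that builds outside a VPC has no vpcConfig key, an empty one,
    or one without a vpcId. CodeBuild requires subnets and security groups
    whenever a vpcId is set, so all three must be non-empty to count.
    """
    cfg = project.get("vpcConfig") or {}
    return bool(cfg.get("vpcId")) and bool(cfg.get("subnets")) and bool(cfg.get("securityGroupIds"))


def projects_without_vpc(projects: Iterable[Dict[str, Any]]) -> List[str]:
    """Names of projects that are not confined to a VPC, in input order."""
    return [p["name"] for p in projects if not project_in_vpc(p)]


# Constructed sample in the shape of a BatchGetProjects response (not real data).
SAMPLE_PROJECTS: List[Dict[str, Any]] = [
    {"name": "build-in-vpc",
     "vpcConfig": {"vpcId": "vpc-0123456789abcdef0",
                   "subnets": ["subnet-0123456789abcdef0"],
                   "securityGroupIds": ["sg-0123456789abcdef0"]}},
    {"name": "build-no-vpc-key"},
    {"name": "build-empty-vpc", "vpcConfig": {}},
    {"name": "build-vpc-missing-subnets",
     "vpcConfig": {"vpcId": "vpc-0123456789abcdef0", "subnets": [], "securityGroupIds": []}},
]


def audit_account(region: str = "us-east-1") -> List[str]:
    """Pull every project in one account/region and return the offenders.

    Assumes boto3 is installed and credentials are configured; the import is
    deferred so the pure functions above run offline.
    """
    import boto3  # assumption: boto3 available where this runs

    cb = boto3.client("codebuild", region_name=region)
    names: List[str] = []
    for page in cb.get_paginator("list_projects").paginate():
        names.extend(page.get("projects", []))
    offenders: List[str] = []
    for i in range(0, len(names), 100):  # BatchGetProjects accepts at most 100 names per call
        resp = cb.batch_get_projects(names=names[i:i + 100])
        offenders.extend(projects_without_vpc(resp.get("projects", [])))
    return offenders


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; call audit_account() for a live run.
    print(projects_without_vpc(SAMPLE_PROJECTS))
```

Run it as a script to see the check applied to the constructed sample, or call `audit_account("<region>")` with credentials to scan a real account. It is a detective control only: it reports projects already created without a VPC and does nothing to block their creation or execution.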