Which solution will meet this requirement with the LEAST operational overhead?
Modify the EventBridge rule to invoke an AWS Lambda function to remove the security group inbound rule and to publish to the SNS topic. Deploy the updated rule to the NonProd OU.
Add the vpc-sg-open-only-to-authorized-ports AWS Config managed rule to the NonProd OU.
Configure an SCP to allow the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is not 0.0.0.0/0. Apply the SCP to the NonProd OU.
Configure an SCP to deny the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0. Apply the SCP to the NonProd OU.
Explanations:
This option requires deploying and managing a Lambda function in every account, which introduces additional operational overhead. The EventBridge rule and Lambda function setup do not prevent security group creation; they only remediate after the fact.
Thevpc-sg-open-only-to-authorized-portsAWS Config rule only checks for compliance and generates alerts; it does not enforce restrictions on security group creation. It will not prevent the creation of security groups with 0.0.0.0/0.
An SCP with an allow action cannot restrict access, as it only grants permissions. This would not prevent security group rules with 0.0.0.0/0 as the source, making this option ineffective for meeting the requirement.
Configuring an SCP to deny theec2:AuthorizeSecurityGroupIngressaction when the source IP is 0.0.0.0/0 directly blocks the creation of such security group rules. Applying it to the NonProd OU enforces the requirement with minimal overhead.
My best guess is:
Configure an SCP to deny the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0. Apply the SCP to the NonProd OU.
I draft that the answer is:
Configure an SCP to deny the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0. Apply the SCP to the NonProd OU.