Adding Glue-specific network perimeter SCP

tatyatsk · tatyatsk · commit 20f7bd2bbbe4 · 2025-07-07T16:26:22.000-04:00
diff --git a/service_control_policies/service_specific_controls/README.md b/service_control_policies/service_specific_controls/README.md
@@ -11,6 +11,7 @@ Use the following example SCPs individually or in combination:
 * [network_perimeter_ec2_scp](network_perimeter_ec2_scp.json) – Enforces network perimeter controls on service roles used by Amazon EC2 instances.
 * [network_perimeter_iam_users_scp](network_perimeter_iam_users_scp.json) - Enforces network perimeter controls on IAM users with long-term access keys.
 * [network_perimeter_lambda_scp](network_perimeter_lambda_scp.json) - Enforces network perimeter controls on service roles used by AWS Lambda.
+* [network_perimeter_glue_scp](network_perimeter_glue_scp.json) - Enforces network perimeter controls on service roles used by AWS Glue jobs.
 * [restrict_nonvpc_deployment_scp](restrict_nonvpc_deployment_scp.json) - Enforces deployment of resources in a customer managed Amazon VPC.
 * [restrict_idp_configurations_scp](restrict_idp_configurations_scp.json) - Restricts the ability to make configuration changes to the IAM SAML identity providers.
 * [restrict_untrusted_endpoints_scp](restrict_untrusted_endpoints_scp.json) - Prevent untrusted non-AWS resources from being configured as targets for service operations.
@@ -66,6 +67,16 @@ This policy statement is included in the [network_perimeter_lambda_scp](/service
 
 The [` lambda:SourceFunctionArn `](https://docs.aws.amazon.com/lambda/latest/dg/permissions-source-function-arn.html) condition key is used to target role sessions that are created for your function's execution environment.
 
+### "Sid":"EnforceNetworkPerimeterOnGlueRoles"
+
+This policy statement is included in the [network_perimeter_glue_scp](/service_control_policies/service_specific_controls/network_perimeter_glue_scp.json) and limits access to expected networks for service roles used by AWS Glue jobs. Expected networks are defined as follows:
+*   Your on-premises data centers and static egress points in AWS such as a NAT gateway that are specified by IP ranges (`<my-corporate-cidr>`) in the policy statement.
+*   Your organization’s VPCs that are specified by VPC IDs (`<my-vpc>`) in the policy statement.
+*   Networks of AWS services that use [forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) to access resources on your behalf as denoted by `aws:ViaAWSService` in the policy statement. This access pattern applies when you access data via an AWS service, and that service takes subsequent actions on your behalf by using your IAM credentials.
+*   AWS Glue networks when the service interacts with [CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html), as denoted by the `NotAction` element with the actions `logs:CreateLogGroup`,`logs:CreateLogStream`,`logs:PutLogEvents`.
+
+The [`glue:CredentialIssuingService`](https://docs.aws.amazon.com/glue/latest/dg/security_iam_id-based-policy-examples.html#glue-identity-based-policy-context-key-glue) condition key is used to target role sessions that are created for your job's execution environment.
+
 ### "Sid":"PreventIdPTrustModifications"
 
 This statement is included in the [restrict_idp_configurations_scp](restrict_idp_configurations_scp.json) and prevents users from making configuration changes to the IAM SAML [identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html), IAM OIDC [identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html), and [AWS IAM Roles Anywhere](https://aws.amazon.com/iam/roles-anywhere/) [trust anchors](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/getting-started.html). It also prevents creation of an [account instance of IAM Identity Center]( https://docs.aws.amazon.com/singlesignon/latest/userguide/account-instances-identity-center.html).  
diff --git a/service_control_policies/service_specific_controls/network_perimeter_glue_scp.json b/service_control_policies/service_specific_controls/network_perimeter_glue_scp.json
@@ -0,0 +1,44 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "EnforceNetworkPerimeterOnGlueRoles",
+            "Effect": "Deny",
+            "NotAction": [
+                "es:ES*", 
+                "dax:GetItem", 
+                "dax:BatchGetItem",
+                "dax:Query",
+                "dax:Scan",
+                "dax:PutItem",
+                "dax:UpdateItem",
+                "dax:DeleteItem",
+                "dax:BatchWriteItem",
+                "dax:ConditionCheckItem",
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "BoolIfExists": {
+                    "aws:ViaAWSService": "false"
+                },
+                "NotIpAddressIfExists": {
+                    "aws:SourceIp": [
+                        "<my-corporate-cidr>"
+                    ]
+                },
+                "StringNotEqualsIfExists": {
+                    "aws:PrincipalTag/dp:exclude:network": "true",
+                    "aws:SourceVpc": [
+                        "<my-vpc>"
+                    ]
+                },
+                "Null": {
+                    "glue:CredentialIssuingService": "false"
+                }
+            }
+        }
+    ]
+}
