Can I use Dome9 to block the access to the cloud accounts?
Hi,
Can I use Dome9 to block access to the cloud accounts?
The idea is to just allow access from specific IPs.
Thank you.
4 Replies
Hello,
You can use Dome9 Full Protection mode to achieve it. AWS Security Groups can be managed directly from Dome9, and attempts to modify a security group from the AWS/Azure environment will be detected by Dome9, will trigger Tamper Protection, and can also send an alert/notification. Dome9 will override the change that was made and revert it back to the definition of the Security Group defined in Dome9.
https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Network-Security/FullProtectionM...
Marina
Hi Marina,
Let me be more specific.
Can I block access to the AWS console with Dome9 and allow just specific IPs?
Thank you very much.
Hi Martins,
If you use the AWS-native, IAM policy-based access control mechanism described here:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html
...then you can use the Dome9 Compliance Engine to continuously assure that that cloud-native access control is properly configured, using a GSL Rule with the following form:
IamUser should have combinedPolicies contain [ policyDocument.Statement contain [ Effect='Deny' and Action='*' and Resource='*' and Condition.ForAllValues:NotIpAddress.aws:SourceIp contain-all [ $ in('aaa.bbb.ccc.ddd/32','eee.fff.ggg.hhh/32','iii.jjj.kkk.lll/32','mmm.nnn.ooo.ppp/32') ] ] ]
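As an added example (not Dome9, AWS or the reply author's code), here is a Python check that applies the same test as the GSL rule in the reply above to an IAM user's combined policy documents: it looks for a Deny-all statement whose NotIpAddress condition on aws:SourceIp lists every allow-listed CIDR, accepting the scalar-or-list forms IAM permits for Statement, Action, Resource and condition values. It goes one step beyond the GSL rule by also reporting allow-listed ranges that are not in the baseline, since an extra range widens where the console can be reached from. The policy documents and the RFC 5737 address ranges are constructed for the example, and the function names are the example's own; the aws:ViaAWSService condition in the sample follows the shape of the AWS documentation example linked above, which keeps the deny from blocking AWS services acting on the principal's behalf.

```python
"""
Verify that an IAM user's combined policy documents enforce a
"deny everything unless the request comes from an allow-listed source IP"
statement, mirroring the GSL rule quoted in the reply above.

Added example, not Check Point/Dome9 or AWS code. Policy documents and
address ranges below are constructed; function names are this example's own.
"""
import ipaddress
import json

# Baseline allow-list (RFC 5737 documentation ranges, constructed for the example).
REQUIRED_SOURCE_IPS = ["192.0.2.0/24", "203.0.113.0/24"]


def _as_list(value):
    """IAM lets Statement, Action, Resource and condition values be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allowed_source_ranges(stmt):
    """Return the aws:SourceIp ranges allow-listed by a 'Deny * on *' statement,
    or None when the statement is not of that shape."""
    if (stmt.get("Effect") != "Deny"
            or "*" not in _as_list(stmt.get("Action"))
            or "*" not in _as_list(stmt.get("Resource"))):
        return None
    cond = stmt.get("Condition") or {}
    # Accept the plain operator and the set-operator spelling used in the GSL rule.
    not_ip = cond.get("NotIpAddress") or cond.get("ForAllValues:NotIpAddress") or {}
    ranges = _as_list(not_ip.get("aws:SourceIp"))
    if not ranges:
        return None
    # Normalise so that "203.0.113.5" and "203.0.113.5/32" compare equal.
    return {ipaddress.ip_network(r, strict=False) for r in ranges}


def _iter_statements(combined_policies):
    """Yield every statement from the user's directly attached and group policies."""
    for doc in combined_policies:
        if isinstance(doc, str):
            doc = json.loads(doc)
        yield from _as_list(doc.get("Statement"))


def user_has_source_ip_deny(combined_policies, required_cidrs=REQUIRED_SOURCE_IPS):
    """True if some Deny-all statement allow-lists every required CIDR
    (the 'contain-all' test of the GSL rule)."""
    required = {ipaddress.ip_network(c, strict=False) for c in required_cidrs}
    for stmt in _iter_statements(combined_policies):
        allowed = _allowed_source_ranges(stmt)
        if allowed is not None and required <= allowed:
            return True
    return False


def unexpected_source_ranges(combined_policies, required_cidrs=REQUIRED_SOURCE_IPS):
    """Ranges allow-listed by a source-IP deny statement but absent from the
    baseline, i.e. extra places the account can be reached from."""
    required = {ipaddress.ip_network(c, strict=False) for c in required_cidrs}
    extra = set()
    for stmt in _iter_statements(combined_policies):
        allowed = _allowed_source_ranges(stmt)
        if allowed:
            extra |= allowed - required
    return sorted(str(n) for n in extra)


# --- Constructed sample documents -------------------------------------------
GOOD_POLICY = {  # deny everything unless the request comes from the baseline ranges
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {
            "NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]},
            "Bool": {"aws:ViaAWSService": "false"},
        },
    },
}
DRIFTED_POLICY = {  # one baseline range was dropped: users there are locked out
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Effect": "Deny", "Action": ["*"], "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "192.0.2.0/24"}}},
    ],
}
OPEN_POLICY = {  # no source-IP restriction at all
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
WIDENED_POLICY = json.dumps({  # baseline present, plus an unapproved extra range
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                   "Condition": {"NotIpAddress": {"aws:SourceIp": [
                       "192.0.2.0/24", "203.0.113.0/24", "198.51.100.0/24"]}}}],
})

if __name__ == "__main__":
    for name, docs in [("good", [GOOD_POLICY]), ("drifted", [OPEN_POLICY, DRIFTED_POLICY]),
                       ("open", [OPEN_POLICY]), ("widened", [WIDENED_POLICY])]:
        status = "compliant" if user_has_source_ip_deny(docs) else "NON-COMPLIANT"
        print(f"{name:8s} {status:14s} extra ranges: {unexpected_source_ranges(docs)}")
```

The input list stands in for the user's combinedPolicies (directly attached plus group-inherited documents), which is why the check scans all documents rather than one. Two caveats for the practitioner: aws:SourceIp is the public address the request arrives from, so requests that enter through a VPC endpoint do not carry it, and a Deny-all of this kind locks out every principal it applies to if the allow-list is wrong, so test it on a single user before attaching it broadly.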
You can actually use this policy with the IAM-Safety module in Dome9.
https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/IAM-Safety/IAMSafety.html
So, if you use the deny policy within the restricted policy and apply it to users, enable the permission, but it will verify that all users are in a group enforcing use from the IPs you choose to enable.
"Ideas are worthless without execution."