- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- CNAPP
- :
- Can I use Dome9 to block the access to the cloud a...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can I use Dome9 to block the access to the cloud accounts?
Hi,
Can I use Dome9 to block the access to the cloud accounts?
The ideia is just alow the access from the specifics ips.
Thank you.
4 Replies
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
You can use Dome9 Full Protection mode to achieve it. AWS Security Group can be managed directly from Dome9 and attempts to modify a security group from the AWS/Azure environment will be detected by Dome9 and will trigger Tamper Protection and can also send an alert/notification. Dome9 will override the change that was made, and revert it back to the definition of the Security Group defined in Dome9.
https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Network-Security/FullProtectionM...
You can use Dome9 Full Protection mode to achieve it. AWS Security Group can be managed directly from Dome9 and attempts to modify a security group from the AWS/Azure environment will be detected by Dome9 and will trigger Tamper Protection and can also send an alert/notification. Dome9 will override the change that was made, and revert it back to the definition of the Security Group defined in Dome9.
https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Network-Security/FullProtectionM...
Marina
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Marina,
Let me be more specific.
Can I block the access to AWS console with Dome9 and alow just to specifics IPs?
Thank you very much.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Martins,
If you use the AWS-native, IAM policy-based access control mechanism described here:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html
...then you can use the Dome9 Compliance Engine to continuously assure that that cloud-native access control is properly configured, using a GSL Rule with the following form:
IamUser should have combinedPolicies contain [ policyDocument.Statement contain [ Effect='Deny' and Action='*' and Resource='*' and Condition.ForAllValues:NotIpAddress.aws:SourceIp contain-all [ $ in('aaa.bbb.ccc.ddd/32','eee.fff.ggg.hhh/32','iii.jjj.kkk.lll/32','mmm.nnn.ooo.ppp/32') ] ] ]
If you use the AWS-native, IAM policy-based access control mechanism described here:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html
...then you can use the Dome9 Compliance Engine to continuously assure that that cloud-native access control is properly configured, using a GSL Rule with the following form:
IamUser should have combinedPolicies contain [ policyDocument.Statement contain [ Effect='Deny' and Action='*' and Resource='*' and Condition.ForAllValues:NotIpAddress.aws:SourceIp contain-all [ $ in('aaa.bbb.ccc.ddd/32','eee.fff.ggg.hhh/32','iii.jjj.kkk.lll/32','mmm.nnn.ooo.ppp/32') ] ] ]
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can actually use this policy with IAM-Safety module in dome9.
https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/IAM-Safety/IAMSafety.html
So, if you use the deny policy within the restricted policy and apply to users, enable the permission but it will verify that all users are in a group enforcing to use form the IPs you choose to enable.
"Ideas are worthless without execution."