Atlas Resource Policies
On this page
- Prerequisites
- Limitations
- Using the Cedar Policy Language
- Key Cedar Syntax Elements for Atlas
- Create an Atlas Resource Policy Configuration
  - Construct the policy in the Cedar policy language.
  - Send a POST request.
- Atlas Resource Policy Examples
  - Restrict Cloud Provider
  - Restrict Region
  - Restrict Cloud Provider and Region
  - Restrict IP Addresses
  - Restrict Cluster Tier
  - Require Project Maintenance Windows
  - Prevent Modifications to Peering
  - Prevent Modifications to Private Endpoints
Atlas Resource Policies are controls that enable Organization Owners to constrain the specific configuration options available to developers when they create or configure Atlas clusters.
With resource policies, you can:
- Limit cluster deployment to specific cloud platforms (AWS, Google Cloud, Azure).
- Restrict cluster deployment to designated regions within a cloud provider, for example aws:us-east-1.
- Prohibit the use of the wildcard IP (0.0.0.0/0) in a project's IP access list to enforce stricter network controls.
- Prevent users from provisioning, updating, or auto-scaling clusters to a tier above or below a specified threshold.
- Require that a project has a maintenance window configured.
- Prevent modifications to VPC peering and private endpoint connections across cloud providers.
You create Atlas Resource Policies at the organization level and they apply to all projects and clusters within that organization.
In addition to the Atlas UI and the Atlas Administration API, you can use the HashiCorp Terraform MongoDB Atlas Provider, MongoDB Atlas AWS CloudFormation Resources, or AWS CloudFormation to configure and manage Atlas Resource Policies.
Prerequisites
Ensure your Atlas user has the appropriate organization role:
- To view Atlas Resource Policies, you must have at least Organization Read Only or Organization Member access to Atlas.
- To create, update, or delete an Atlas Resource Policy, you must have Organization Owner access to Atlas.
To use the Atlas Administration API to create or manage Atlas Resource Policies, locate your public and private API keys so you can authenticate to the Atlas Administration API. To learn more, see Get Started with the Atlas Administration API.
Limitations
- Atlas Resource Policies are allow-by-default. If no Atlas Resource Policies exist, users can perform all actions on Atlas clusters that their Atlas user role allows.
- Atlas Resource Policies enforce the defined end state but not intermediate or transitional states. For example, if a downstream component fails, a resource may temporarily sit in a non-compliant intermediate state. Proactively monitor your list of non-compliant resources using the /orgs/{ORG-ID}/nonCompliantResources endpoint.
- Our implementation of the Cedar policy language supports only one Cedar policy per .cedar file, but you can list multiple Cedar policies (.cedar files) in one Atlas Resource Policy. The Atlas Administration API identifies each .cedar file in its response by a unique 24-hexadecimal-character string in policies.id.
- Each Atlas Resource Policy must have a unique name. If you attempt to create an Atlas Resource Policy with an existing name, the server responds with a 400 (Bad Request) status code.
- If the auto-scaling limits on an existing cluster don't match a new Atlas Resource Policy, the cluster might exceed the policy's defined boundaries. Use the /orgs/{ORG-ID}/nonCompliantResources endpoint to identify and monitor non-compliant resources so you can update them to meet policy requirements.
- Before enabling network-layer controls, review your existing IP access list to ensure it contains all necessary access points.
- Private endpoint definitions in Cedar policy language require that you enter individual IP addresses; wildcard operations are not supported.
Using the Cedar Policy Language
MongoDB uses the open-source Cedar policy language to define Atlas Resource Policies. Cedar's design balances expressiveness with simplicity, employing a concise syntax that streamlines both writing and understanding resource policies.
To quickly create an Atlas Resource Policy, adapt the examples and add to Atlas using the Atlas UI or Atlas Administration API by following Create an Atlas Resource Policy Configuration.
To learn more about Cedar policy language, see the Cedar documentation.
Key Cedar Syntax Elements for Atlas
Cedar Element | Description | Atlas Resource Policy Options |
---|---|---|
forbid | Denies the specified action if the conditions in the when clause are met (or the conditions in the unless clause are not met). | Example: forbid (principal, action == ResourcePolicy::Action::"cluster.modify", resource) when { ... }; |
principal | Defines the user affected by the policy. | Applied universally by default. Do not change or omit. |
action | Represents the action being controlled in the policy. | Available actions: ResourcePolicy::Action::"cluster.modify", "project.ipAccessList.modify", "project.maintenanceWindow.modify", "project.vpcPeering.modify", "project.privateEndpoint.modify" |
resource == ResourcePolicy::Cluster::"<CLUSTER-ID>" | Refers to a specific cluster. | To find your cluster ID, use the Atlas Administration API to return all clusters in a project. |
ResourcePolicy::Project::"<PROJECT-ID>" | Refers to a specific project. For example, ResourcePolicy::Project::"6217f7fff7957854e2d09179". | To find your project ID, see Manage Project Settings. |
resource in ResourcePolicy::Project::"<PROJECT-ID>" | Specifies the project to which the cluster belongs. | To find your project ID, see Manage Project Settings. |
context.cluster.cloudProviders | Specifies the allowed cloud providers. | Available options: ResourcePolicy::CloudProvider::"aws", "gcp", "azure" |
context.cluster.regions | Limits access based on deployment regions. | For example, ResourcePolicy::Region::"aws:us-east-1" |
has | Checks if a specific property exists within the cluster context. | Available properties: minGeneralClassInstanceSizeValue, maxGeneralClassInstanceSizeValue |
context.cluster.minGeneralClassInstanceSizeValue | Sets the minimum cluster tier for scaling the cluster down to. | For example, context.cluster.minGeneralClassInstanceSizeValue < 30 |
context.cluster.maxGeneralClassInstanceSizeValue | Sets the maximum cluster tier for scaling the cluster up to. | For example, context.cluster.maxGeneralClassInstanceSizeValue > 60 |
context.project.hasDefinedMaintenanceWindow | Requires that a project has a maintenance window configured. | For example, context.project.hasDefinedMaintenanceWindow == false |
context.project.ipAccessList | Specifies the IP addresses in the project's IP access list. | You can block a wildcard IP with context.project.ipAccessList.contains(ip("0.0.0.0/0")) |
context.project.peeringConnections | Refers to a specific VPC peering connection. | To format for your specific cloud provider, see Prevent Modifications to Peering. |
context.project.privateEndpoints | Refers to a specific private endpoint. | To format for your specific cloud provider, see Prevent Modifications to Private Endpoints. |
contains, containsAny, containsAll | Checks for inclusion of one or more elements (one element, any element of a set, or every element of a set). | Example: context.cluster.regions.containsAny([ResourcePolicy::Region::"aws:us-east-1", ResourcePolicy::Region::"aws:us-west-1"]) |
unless | Specifies exceptions to a policy. Actions are forbidden unless certain conditions are met. | Example: forbid (principal, action == ResourcePolicy::Action::"cluster.modify", resource) unless { context.cluster.cloudProviders == [ResourcePolicy::CloudProvider::"gcp"] }; |
Logical Operators (&&, \|\|) | Combine multiple conditions in a policy. | Available options: && (and), \|\| (or) |
IP Addressing (ip()) | Refers to specific IP addresses or ranges in policies. | Available options: ip("1.2.3.4/32"), ip("0.0.0.0/0") |
Create an Atlas Resource Policy Configuration
To create an Atlas Resource Policy, use the following procedure to construct a policy using Cedar policy language and add to Atlas using the Atlas UI or the Atlas Administration API.
Warning
We recommend that you test this feature in a non-production environment by creating a new organization with a fresh cluster. This ensures you can assess the feature safely without impacting your existing systems as you skill up.
To create an Atlas Resource Policy using the Atlas Administration API, construct a policy using Cedar policy language and pass it in to the Atlas Administration API via a POST request using the policies parameter.
Construct the policy in the Cedar policy language.
Specify the rules for restricting resources using Cedar policy language. You can copy and modify the following example policies for your organization:
Note
We recommend creating multiple, simple Atlas Resource Policies to make tracking easier. For example, if you want to restrict cloud provider and multiple regions, consider creating one Atlas Resource Policy that restricts the cloud provider and another Atlas Resource Policy that restricts the regions.
Send a POST request.
Use the POST verb to create an Atlas Resource Policy for your organization.
The request must include:
- name: The name of the Atlas Resource Policy.
- policies: The cluster restrictions you defined in Cedar policy language in the previous step. If you use quotes (") in policies.body, escape them with a backslash (\").
Example POST request:
curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
  --header "Content-Type: application/json" \
  --header "Accept: application/vnd.atlas.2024-08-05+json" \
  --include \
  --request POST "https://cloud.mongodb.com/api/atlas/v2/orgs/{ORG-ID}/resourcePolicies?pretty=true" \
  --data '{
    "name": "MyResourcePolicy",
    "policies": [
      {
        "body": "forbid (principal, action == ResourcePolicy::Action::\"cluster.modify\", resource) when {context.cluster.regions.contains(ResourcePolicy::Region::\"aws:us-west-1\")};"
      }
    ]
  }'
Example response:
{
  "createdByUser" : {
    "id" : "66ce81217d08f463824f3b80",
    "name" : "ecwwjhop"
  },
  "createdDate" : "2024-08-28T02:22:49Z",
  "id" : "66ce89f9b535d00a2cb02f83",
  "lastUpdatedByUser" : {
    "id" : "66ce81217d08f463824f3b80",
    "name" : "ecwwjhop"
  },
  "lastUpdatedDate" : "2024-08-28T02:22:49Z",
  "name" : "MyResourcePolicy",
  "orgId" : "{ORG-ID}",
  "policies" : [ {
    "body" : "forbid (principal, action == ResourcePolicy::Action::\"cluster.modify\", resource) when {context.cluster.regions.contains(ResourcePolicy::Region::\"aws:us-west-1\")};",
    "id" : "66ce89f9b535d00a2cb02f82"
  } ],
  "version" : "v1"
}
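The procedure above ends with a hand-escaped JSON body, which is where most mistakes in these policies happen: a missing brace or a misspelled context attribute only shows up as a 400 from the API. The following Python script is an added example, not MongoDB's code. It normalizes a multi-line Cedar policy into the single-line body the API expects, lets json.dumps do the quote escaping, runs a vocabulary check built from the actions and context attributes listed on this page, and posts the result with HTTP digest authentication. The environment variable names are mine, and the vocabulary is assumed complete only as far as this page goes; Atlas may accept attributes not listed here, so treat an "unknown attribute" hit as a spelling check rather than proof of an error.

```python
"""Pre-flight check and request builder for Atlas Resource Policies.

Added example (not MongoDB's own code). The vocabulary below is taken from the
actions, entity types and context attributes shown on this page; anything not
listed here is reported so you can double-check the spelling before the POST.
"""
import json
import os
import re
import urllib.request

API_VERSION = "application/vnd.atlas.2024-08-05+json"
BASE_URL = "https://cloud.mongodb.com/api/atlas/v2"

KNOWN_ACTIONS = {
    "cluster.modify",
    "project.ipAccessList.modify",
    "project.maintenanceWindow.modify",
    "project.vpcPeering.modify",
    "project.privateEndpoint.modify",
}
KNOWN_CONTEXT = {
    "cluster": {"cloudProviders", "regions",
                "minGeneralClassInstanceSizeValue",
                "maxGeneralClassInstanceSizeValue"},
    "project": {"ipAccessList", "hasDefinedMaintenanceWindow",
                "peeringConnections", "privateEndpoints"},
}
KNOWN_PROVIDERS = {"aws", "gcp", "azure"}
PAIRS = {")": "(", "]": "[", "}": "{"}


def normalize(body: str) -> str:
    """Collapse a multi-line Cedar policy into the single-line form used in policies.body."""
    return " ".join(body.split())


def lint(body: str) -> list[str]:
    """Return the problems found in one Cedar policy body (an empty list means clean)."""
    problems = []
    body = normalize(body)
    if not re.match(r"^(forbid|permit)\s*\(", body):
        problems.append("policy must start with forbid( or permit(")
    if not body.endswith(";"):
        problems.append("policy must end with ';'")
    # Bracket balance, ignoring anything inside string literals. This is the
    # check that catches a body truncated or mis-nested during hand editing.
    stack, balanced = [], True
    for ch in re.sub(r'"[^"]*"', '""', body):
        if ch in "([{":
            stack.append(ch)
        elif ch in PAIRS and (not stack or stack.pop() != PAIRS[ch]):
            balanced = False
            break
    if not balanced or stack:
        problems.append("unbalanced brackets")
    for act in re.findall(r'ResourcePolicy::Action::"([^"]+)"', body):
        if act not in KNOWN_ACTIONS:
            problems.append(f"unknown action {act!r}")
    for prov in re.findall(r'ResourcePolicy::CloudProvider::"([^"]+)"', body):
        if prov not in KNOWN_PROVIDERS:
            problems.append(f"unknown cloud provider {prov!r}")
    for scope, attr in re.findall(r"context\.(cluster|project)\.(\w+)", body):
        if attr not in KNOWN_CONTEXT[scope]:
            problems.append(f"unknown attribute context.{scope}.{attr}")
    return problems


def build_payload(name: str, bodies: list[str]) -> str:
    """Build the JSON request body; json.dumps backslash-escapes the quotes for you."""
    for b in bodies:
        issues = lint(b)
        if issues:
            raise ValueError(f"policy rejected: {issues}")
    return json.dumps({"name": name,
                       "policies": [{"body": normalize(b)} for b in bodies]})


def send_policy(org_id: str, payload: str, public_key: str, private_key: str) -> dict:
    """POST the payload using the digest authentication the Atlas Administration API keys use."""
    url = f"{BASE_URL}/orgs/{org_id}/resourcePolicies"
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, public_key, private_key)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))
    req = urllib.request.Request(url, data=payload.encode(), method="POST",
                                 headers={"Content-Type": "application/json",
                                          "Accept": API_VERSION})
    with opener.open(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    cedar = """
    forbid (
      principal,
      action == ResourcePolicy::Action::"cluster.modify",
      resource
    ) when { context.cluster.regions.contains(ResourcePolicy::Region::"aws:us-west-1") };
    """
    payload = build_payload("MyResourcePolicy", [cedar])
    print(payload)
    # Environment variable names are an assumption of this example, not an Atlas convention.
    if all(k in os.environ for k in ("ATLAS_ORG_ID", "ATLAS_PUBLIC_KEY", "ATLAS_PRIVATE_KEY")):
        print(send_policy(os.environ["ATLAS_ORG_ID"], payload,
                          os.environ["ATLAS_PUBLIC_KEY"], os.environ["ATLAS_PRIVATE_KEY"]))
```

Run it without credentials to see the exact JSON that will be sent; with the three variables set it performs the POST and prints the response, whose policies.id values are the 24-hexadecimal identifiers described under Limitations.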
To create an Atlas Resource Policy using the new Atlas UI editor, use the following procedure to copy and paste an example policy into the editor, then modify it for your organization.
In Atlas, go to the Organization Settings page.
If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.
Click the Organization Settings icon next to the Organizations menu.
The Organization Settings page displays.
Go to the Resource Policies page.
Click Resource Policy in the sidebar.
The Resource Policies page displays.
Name, describe, and define your Atlas Resource Policy.
Give your Atlas Resource Policy a unique name.
(Optional) Add a description.
Copy and modify the following example policies for your organization, then paste the code in the Cedar Policy field.
Note
We recommend creating multiple, simple Atlas Resource Policies to make tracking easier. For example, if you want to restrict cloud provider and multiple regions, consider creating one Atlas Resource Policy that restricts the cloud provider and another Atlas Resource Policy that restricts the regions.
This Atlas Resource Policy applies to all new clusters. For existing clusters that do not comply with the Atlas Resource Policy, Atlas only allows users to make changes to the cluster that bring the cluster into compliance. For example, if cluster0 runs on AWS and you apply an Atlas Resource Policy that blocks clusters on AWS, the only change users could make to cluster0 while it is non-compliant is switching the cloud provider to Azure or Google Cloud.
To return a list of existing clusters that do not conform to your Atlas Resource Policy, use the GET /orgs/{ORG-ID}/nonCompliantResources resource.
Atlas generates an activity feed event when you create, update, or delete an Atlas Resource Policy. Keeping each Atlas Resource Policy small and single-purpose (for example, one policy that restricts the cloud provider and another that restricts the regions) makes these events easier to identify and track.
Atlas Resource Policy Examples
Copy and modify the following example policies to use for your organization. All examples use Cedar policy language, but for the Atlas Administration API, the examples are wrapped in JSON so you can paste them directly into your API calls. To learn more, see Create an Atlas Resource Policy Configuration.
Restrict Cloud Provider
The following example prevents users from creating a cluster on Google Cloud:
{ "name": "Policy Preventing GCP Clusters", "policies": [ { "body": "forbid (principal, action == ResourcePolicy::Action::\"cluster.modify\", resource) when { context.cluster.cloudProviders.contains(ResourcePolicy::CloudProvider::\"gcp\") };" } ] }
The following example uses the unless clause to allow users to create clusters only on Google Cloud:
{ "name": "Policy Allowing Only GCP Clusters", "policies": [ { "body": "forbid(principal, action == ResourcePolicy::Action::\"cluster.modify\", resource) unless { context.cluster.cloudProviders == [ResourcePolicy::CloudProvider::\"gcp\"] };" } ] }
The following example uses when and unless clauses together to prevent users from creating or editing a cluster in the project with ID 6217f7fff7957854e2d09179 unless Google Cloud is the only cloud provider:
{ "name": "Policy Allowing Only GCP Clusters for One Project", "policies": [ { "body": "forbid (principal, action == ResourcePolicy::Action::\"cluster.modify\", resource) when { resource in ResourcePolicy::Project::\"6217f7fff7957854e2d09179\" } unless { context.cluster.cloudProviders == [ResourcePolicy::CloudProvider::\"gcp\"] };" } ] }
The following example prevents modifications to the cluster with ID 670968dfc0a2297ef46bc02a in the project with ID 65dcbf5ccd12a54df59a54e6 when Google Cloud is its only cloud provider:
{ "name": "Forbid Modifications to Specific GCP Cluster", "policies": [ { "body": "forbid (principal, action == ResourcePolicy::Action::\"cluster.modify\", resource) when { resource in ResourcePolicy::Project::\"65dcbf5ccd12a54df59a54e6\" && resource == ResourcePolicy::Cluster::\"670968dfc0a2297ef46bc02a\" && context.cluster.cloudProviders == [ResourcePolicy::CloudProvider::\"gcp\"]};" } ] }
Restrict Region
The following example prevents users from creating or editing a cluster in the region aws:us-east-1:
{ "name": "Prohibit Cluster Deployment in the US-EAST-1 Region", "policies": [ { "body": "forbid (principal, action == ResourcePolicy::Action::\"cluster.modify\", resource) when {context.cluster.regions.contains(ResourcePolicy::Region::\"aws:us-east-1\")};" } ] }
The following example prevents users from creating a cluster in the region aws:us-west-1:
{ "name": "Policy Preventing Clusters in AWS:us-west-1", "policies": [ { "body": "forbid(principal, action == ResourcePolicy::Action::\"cluster.modify\", resource) when { context.cluster.regions.contains(ResourcePolicy::Region::\"aws:us-west-1\") };" } ] }
The following example prevents users from creating a cluster in the regions aws:us-east-1, aws:us-west-1, or azure:westeurope:
{ "name": "Policy Preventing Clusters in 3 Regions", "policies": [ { "body": "forbid(principal, action == ResourcePolicy::Action::\"cluster.modify\", resource) when { context.cluster.regions.containsAny([ResourcePolicy::Region::\"aws:us-east-1\", ResourcePolicy::Region::\"aws:us-west-1\", ResourcePolicy::Region::\"azure:westeurope\"]) };" } ] }
The following example uses the unless clause to allow users to create clusters only in the regions aws:us-east-1 and azure:westeurope. Because containsAll is applied to the cluster's full set of regions, a multi-region cluster is allowed only if every one of its regions is in the list:
{ "name": "Policy Allowing Clusters Only in 2 Regions", "policies": [ { "body": "forbid(principal, action == ResourcePolicy::Action::\"cluster.modify\", resource) unless { [ResourcePolicy::Region::\"aws:us-east-1\", ResourcePolicy::Region::\"azure:westeurope\"].containsAll(context.cluster.regions) };" } ] }
The following example uses the when clause to restrict users from editing the cluster with ID 3217e2gdf79a4c54e2d0827 in the regions aws:us-east-1 and aws:us-west-1:
{ "name": "Policy Restricting Edits to One Cluster from 2 AWS Regions", "policies": [ { "body": "forbid(principal, action == ResourcePolicy::Action::\"cluster.modify\", resource == ResourcePolicy::Cluster::\"3217e2gdf79a4c54e2d0827\") when { context.cluster.regions.containsAny([ResourcePolicy::Region::\"aws:us-east-1\",ResourcePolicy::Region::\"aws:us-west-1\"]) };" } ] }
Restrict Cloud Provider and Region
The following example restricts Atlas users from creating Atlas clusters on Google Cloud, or in the AWS regions aws:us-east-1 or aws:us-west-1:
{ "name": "Policy Restricting All GCP Clusters and Some AWS Regions", "policies": [ { "body": "forbid (principal, action == ResourcePolicy::Action::\"cluster.modify\", resource) when {context.cluster.cloudProviders.containsAny([ResourcePolicy::CloudProvider::\"gcp\"]) || context.cluster.regions.containsAny([ResourcePolicy::Region::\"aws:us-east-1\", ResourcePolicy::Region::\"aws:us-west-1\"])};" } ] }
Restrict IP Addresses
The following example prevents users from adding the wildcard IP (0.0.0.0/0) to a project's IP access list:
{ "name": "Policy Restricting Wildcard IP", "policies": [ { "body": "forbid(principal, action == ResourcePolicy::Action::\"project.ipAccessList.modify\", resource) when { context.project.ipAccessList.contains(ip(\"0.0.0.0/0\")) };" } ] }
The following example uses the unless clause to allow a project's IP access list to contain only the IP addresses 1.2.3.4/32, 8.8.8.8/32, and 4.4.4.4/32; any modification that leaves an entry outside that set in the list is forbidden:
{ "name": "Policy Restricting Project Edits to Specified IPs", "policies": [ { "body": "forbid(principal, action == ResourcePolicy::Action::\"project.ipAccessList.modify\", resource) unless { [ip(\"1.2.3.4/32\"), ip(\"8.8.8.8/32\"), ip(\"4.4.4.4/32\")].containsAll(context.project.ipAccessList) };" } ] }
Restrict Cluster Tier
The following example uses the when clause to restrict Atlas from provisioning or scaling clusters to less than M30 or greater than M60. The has checks guard each comparison so that the policy only evaluates a bound that is present in the cluster context:
Note
This policy doesn't restrict clusters with a cluster class of Low CPU or NVMe SSD.
{ "name": "Policy Restricting Min/Max Cluster Size", "policies": [ { "body": "forbid(principal, action == ResourcePolicy::Action::\"cluster.modify\", resource) when { (context.cluster has minGeneralClassInstanceSizeValue && context.cluster.minGeneralClassInstanceSizeValue < 30) || (context.cluster has maxGeneralClassInstanceSizeValue && context.cluster.maxGeneralClassInstanceSizeValue > 60) };" } ] }
Require Project Maintenance Windows
The following example requires that a project has a maintenance window configured:
{ "name": "Policy Enforcing Existence of a Project Maintenance Window", "policies": [ { "body": "forbid (principal, action == ResourcePolicy::Action::\"project.maintenanceWindow.modify\", resource) when {context.project.hasDefinedMaintenanceWindow == false};" } ] }
Prevent Modifications to Peering
The following example prevents modifications to VPC peering connections across different cloud providers (AWS, Google Cloud, Azure).
Each cloud provider requires different details for VPC peering. Gather the following details for your cloud provider and replace them in the example:
- AWS: aws:<AWS_ACCOUNT_ID>:<AWS_REGION>:<VPC_ID>:<VPC_CIDR>
  - AWS_ACCOUNT_ID: Your AWS account number.
  - AWS_REGION: The AWS region of the VPC, for example us-east-1.
  - VPC_ID: The ID of the VPC.
  - VPC_CIDR: The CIDR block of the VPC.
- Azure: azure:<SUBSCRIPTION_ID>:<RESOURCE_GROUP_NAME>:<VNET_NAME>
  - SUBSCRIPTION_ID: Your Azure subscription ID.
  - RESOURCE_GROUP_NAME: The resource group in which your Virtual Network (VNet) exists.
  - VNET_NAME: The name of your VNet.
- Google Cloud: gcp:<GCP_PROJECT_ID>:<VPC_NAME>
  - GCP_PROJECT_ID: The ID of your Google Cloud project.
  - VPC_NAME: The name of the VPC in Google Cloud.
{ "name": "Policy Preventing Modifications to Peering Across Providers", "policies": [ { "body": "forbid (principal, action == ResourcePolicy::Action::\"project.vpcPeering.modify\", resource) when {context.project.peeringConnections == [\"aws:000123456789:us-east-1:vpc-0316c47cc923ce313:10.0.0.0/16\", \"azure:fd01aafc-b3re-2193-8497-83lp3m83a1a5:rg-name:vnet\", \"gcp:inductive-cocoa-108200:default\"]};" } ] }
Prevent Modifications to Private Endpoints
The following example prevents modifications to private endpoint connections across cloud providers (AWS, Google Cloud, Azure).
Each cloud provider requires different details for private endpoints. Gather the following details for your cloud provider and replace them in the example:
- AWS: aws:<VPC_ENDPOINT_ID>
  - VPC_ENDPOINT_ID: The ID of the AWS VPC endpoint.
- Azure: azure:<PRIVATE_ENDPOINT_RESOURCE_ID>:<PRIVATE_ENDPOINT_IP_ADDRESS>
  - PRIVATE_ENDPOINT_RESOURCE_ID: The full resource ID path of the Azure private endpoint.
  - PRIVATE_ENDPOINT_IP_ADDRESS: The IP address assigned to the private endpoint.
- Google Cloud: gcp:<GCP_PROJECT_ID>:<VPC_NAME>
  - GCP_PROJECT_ID: The ID of your Google Cloud project.
  - VPC_NAME: The name of the VPC in Google Cloud associated with the connection.
{ "name": "Policy Preventing Modifications to Private Endpoints Across Providers", "policies": [ { "body": "forbid (principal, action == ResourcePolicy::Action::\"project.privateEndpoint.modify\", resource) when {context.project.privateEndpoints == [\"aws:vpce-042d72ded1748f314\", \"azure:/subscriptions/fd01aafc-b3re-2193-8497-83lp3m83a1a5/resourceGroups/rg-name/providers/Microsoft.Network/privateEndpoints/pe-name:10.0.0.4\", \"gcp:inductive-cocoa-108200:default\"]};" } ] }
Restrict Cloud Provider
The following example prevents users from creating a cluster on Google Cloud:
forbid ( principal, action == ResourcePolicy::Action::"cluster.modify", resource ) when { context.cluster.cloudProviders.contains(ResourcePolicy::CloudProvider::"gcp") };
The following example uses the unless clause to allow users to create clusters only on Google Cloud:
forbid( principal, action == ResourcePolicy::Action::"cluster.modify", resource ) unless { context.cluster.cloudProviders == [ResourcePolicy::CloudProvider::"gcp"] };
The following example uses when and unless clauses together to prevent users from creating or editing a cluster in the project with ID 6217f7fff7957854e2d09179 unless Google Cloud is the only cloud provider:
forbid ( principal, action == ResourcePolicy::Action::"cluster.modify", resource ) when { resource in ResourcePolicy::Project::"6217f7fff7957854e2d09179" } unless { context.cluster.cloudProviders == [ResourcePolicy::CloudProvider::"gcp"] };
The following example prevents modifications to the cluster with ID 670968dfc0a2297ef46bc02a in the project with ID 65dcbf5ccd12a54df59a54e6 when Google Cloud is its only cloud provider:
forbid ( principal, action == ResourcePolicy::Action::"cluster.modify", resource ) when {resource in ResourcePolicy::Project::"65dcbf5ccd12a54df59a54e6" && resource == ResourcePolicy::Cluster::"670968dfc0a2297ef46bc02a" && context.cluster.cloudProviders == [ResourcePolicy::CloudProvider::"gcp"]};
Restrict Region
The following example prevents users from creating or editing a cluster in the region aws:us-east-1:
forbid ( principal, action == ResourcePolicy::Action::"cluster.modify", resource ) when {context.cluster.regions.contains(ResourcePolicy::Region::"aws:us-east-1")};
The following example prevents users from creating a cluster in the region aws:us-west-1:
forbid( principal, action == ResourcePolicy::Action::"cluster.modify", resource ) when { context.cluster.regions.contains(ResourcePolicy::Region::"aws:us-west-1") };
The following example prevents users from creating a cluster in the regions aws:us-east-1, aws:us-west-1, or azure:westeurope:
forbid( principal, action == ResourcePolicy::Action::"cluster.modify", resource ) when { context.cluster.regions.containsAny([ResourcePolicy::Region::"aws:us-east-1",ResourcePolicy::Region::"aws:us-west-1",ResourcePolicy::Region::"azure:westeurope"]) };
The following example uses the unless clause to allow users to create clusters only in the regions aws:us-east-1 and azure:westeurope. Because containsAll is applied to the cluster's full set of regions, a multi-region cluster is allowed only if every one of its regions is in the list:
forbid( principal, action == ResourcePolicy::Action::"cluster.modify", resource ) unless { [ResourcePolicy::Region::"aws:us-east-1", ResourcePolicy::Region::"azure:westeurope"].containsAll(context.cluster.regions) };
The following example uses the when clause to restrict users from editing the cluster with ID 3217e2gdf79a4c54e2d0827 in the regions aws:us-east-1 and aws:us-west-1:
forbid( principal, action == ResourcePolicy::Action::"cluster.modify", resource == ResourcePolicy::Cluster::"3217e2gdf79a4c54e2d0827" ) when { context.cluster.regions.containsAny([ResourcePolicy::Region::"aws:us-east-1",ResourcePolicy::Region::"aws:us-west-1"]) };
Restrict IP Addresses
The following example prevents users from adding the wildcard IP (0.0.0.0/0) to a project's IP access list:
forbid( principal, action == ResourcePolicy::Action::"project.ipAccessList.modify", resource ) when { context.project.ipAccessList.contains(ip("0.0.0.0/0")) };
The following example uses the unless clause to allow a project's IP access list to contain only the IP addresses 1.2.3.4/32, 8.8.8.8/32, and 4.4.4.4/32; any modification that leaves an entry outside that set in the list is forbidden:
forbid( principal, action == ResourcePolicy::Action::"project.ipAccessList.modify", resource ) unless { [ip("1.2.3.4/32"), ip("8.8.8.8/32"), ip("4.4.4.4/32")].containsAll(context.project.ipAccessList) };
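Both IP access list examples (the API version earlier on this page and the Cedar version above) test the list as a set of literal entries: contains(ip("0.0.0.0/0")) matches only an entry that is exactly 0.0.0.0/0, and containsAll requires every entry to be one of the listed addresses. The following Python script is an added example, not MongoDB's code. It audits a project's access list the same way and adds the check the Cedar example does not make: how much of IPv4 the list actually opens once overlapping entries are merged, so that 0.0.0.0/1 plus 128.0.0.0/1 is flagged even though it passes the literal wildcard test. The access list in the usage section and the 0.1% threshold are constructed for illustration.

```python
"""Audit a project IP access list the way the two Cedar policies above do, plus
the coverage check they do not make. Added example, not MongoDB's code."""
import ipaddress

WILDCARD = ipaddress.ip_network("0.0.0.0/0")


def _net(entry):
    # Atlas access list entries may be a bare address or a CIDR block; both become a network.
    return ipaddress.ip_network(entry, strict=False)


def violates_wildcard_policy(access_list):
    """Mirror of contains(ip("0.0.0.0/0")): true only if the literal wildcard entry is present."""
    return any(_net(e) == WILDCARD for e in access_list)


def violates_allowlist_policy(access_list, allowed):
    """Mirror of [allowed...].containsAll(context.project.ipAccessList): every entry in the
    access list must be one of the allowed networks. Returns the offending entries."""
    allowed_nets = {_net(a) for a in allowed}
    return [e for e in access_list if _net(e) not in allowed_nets]


def effective_ipv4_coverage(access_list):
    """Fraction of the IPv4 address space reachable through the list after merging
    overlapping entries. Two /1 entries, or a handful of /8s, pass the literal wildcard
    check while being just as open; this is the gap the Cedar example leaves."""
    v4 = [n for n in map(_net, access_list) if n.version == 4]
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(v4))
    return covered / 2 ** 32


def audit(access_list, allowed, max_fraction=0.001):
    """Return a list of findings; an empty list means the access list passes all three checks.
    max_fraction is a constructed threshold for this example."""
    findings = []
    if violates_wildcard_policy(access_list):
        findings.append("literal 0.0.0.0/0 present")
    extra = violates_allowlist_policy(access_list, allowed)
    if extra:
        findings.append(f"entries outside allowlist: {extra}")
    coverage = effective_ipv4_coverage(access_list)
    if coverage > max_fraction:
        findings.append(f"list opens {coverage:.1%} of IPv4 without a literal wildcard")
    return findings


if __name__ == "__main__":
    # Constructed sample data: the allowlist from the policy above and a list that
    # avoids the literal wildcard but still opens the whole of IPv4.
    allowed = ["1.2.3.4/32", "8.8.8.8/32", "4.4.4.4/32"]
    suspicious = ["1.2.3.4/32", "0.0.0.0/1", "128.0.0.0/1"]
    for finding in audit(suspicious, allowed):
        print("FINDING:", finding)
```

Run this against the entries returned for a project before you enable the policy, as the Limitations section advises, so that the policy does not lock in an access list that is already wider than intended.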
Restrict Cluster Tier
The following example uses the when clause to restrict Atlas from provisioning or scaling clusters to less than M30 or greater than M60. The has checks guard each comparison so that the policy only evaluates a bound that is present in the cluster context:
Note
This policy doesn't restrict clusters with a cluster class of Low CPU or NVMe SSD.
forbid( principal, action == ResourcePolicy::Action::"cluster.modify", resource ) when { (context.cluster has minGeneralClassInstanceSizeValue && context.cluster.minGeneralClassInstanceSizeValue < 30) || (context.cluster has maxGeneralClassInstanceSizeValue && context.cluster.maxGeneralClassInstanceSizeValue > 60) };
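The two cluster-tier examples (the API version earlier on this page and the Cedar version above) depend on the has guards and on the note that only general-class tiers are restricted. The following Python script is an added example, not MongoDB's code, that evaluates the same condition over a cluster inventory. How Atlas derives minGeneralClassInstanceSizeValue and maxGeneralClassInstanceSizeValue is an assumption made here for illustration: the numeric part of a general-class M-tier, absent for Low-CPU (R-prefixed) or NVMe (_NVME-suffixed) tiers so that the has check is false and the policy does not fire, and equal to the fixed tier when auto-scaling is off. The inventory is constructed; feeding real auto-scaling limits into noncompliant() is one way to find the pre-existing clusters the Limitations section warns about.

```python
"""Evaluate the M30..M60 tier policy above against cluster configurations.
Added example, not MongoDB's code. The mapping from tier names to the policy's
context attributes is an assumption of this example, see the lead-in."""
import re

GENERAL_TIER = re.compile(r"^M(\d+)$")
MIN_TIER, MAX_TIER = 30, 60


def general_class_size(tier):
    """'M30' -> 30; None for tiers outside the general class, e.g. 'R40' (Low-CPU) or 'M40_NVME'."""
    m = GENERAL_TIER.match(tier)
    return int(m.group(1)) if m else None


def cluster_context(instance_size, autoscale_min=None, autoscale_max=None):
    """Build the context the policy sees: the smallest and largest tier the cluster can reach.
    Without auto-scaling both bounds are the fixed tier (assumption). Attributes are left
    out entirely, not set to None, so that a `has` check evaluates to false."""
    lo = general_class_size(autoscale_min or instance_size)
    hi = general_class_size(autoscale_max or instance_size)
    ctx = {}
    if lo is not None:
        ctx["minGeneralClassInstanceSizeValue"] = lo
    if hi is not None:
        ctx["maxGeneralClassInstanceSizeValue"] = hi
    return ctx


def forbidden(ctx, lower=MIN_TIER, upper=MAX_TIER):
    """The policy body: (has min && min < lower) || (has max && max > upper)."""
    return (("minGeneralClassInstanceSizeValue" in ctx
             and ctx["minGeneralClassInstanceSizeValue"] < lower)
            or ("maxGeneralClassInstanceSizeValue" in ctx
                and ctx["maxGeneralClassInstanceSizeValue"] > upper))


def noncompliant(clusters):
    """Names of clusters whose tier or auto-scaling limits the policy would forbid.
    clusters maps name -> (instance_size, autoscale_min, autoscale_max)."""
    return [name for name, (size, amin, amax) in clusters.items()
            if forbidden(cluster_context(size, amin, amax))]


if __name__ == "__main__":
    # Constructed inventory: one compliant, one too small, one Low-CPU tier the policy ignores.
    inventory = {
        "prod": ("M40", "M30", "M60"),
        "dev": ("M10", None, None),
        "analytics": ("R40", None, None),
    }
    print("non-compliant:", noncompliant(inventory))
```

Note that an existing cluster whose auto-scaling maximum is M80 stays as it is until someone edits it; this script flags it up front, which is the cheaper time to fix it.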
Require Project Maintenance Windows
The following example requires that a project has a maintenance window configured:
forbid ( principal, action == ResourcePolicy::Action::"project.maintenanceWindow.modify", resource ) when {context.project.hasDefinedMaintenanceWindow == false};
Prevent Modifications to Peering
The following example prevents modifications to VPC peering connections across different cloud providers (AWS, Google Cloud, Azure).
Each cloud provider requires different details for VPC peering. Gather the following details for your cloud provider and replace them in the example:
- AWS: aws:<AWS_ACCOUNT_ID>:<AWS_REGION>:<VPC_ID>:<VPC_CIDR>
  - AWS_ACCOUNT_ID: Your AWS account number.
  - AWS_REGION: The AWS region of the VPC, for example us-east-1.
  - VPC_ID: The ID of the VPC.
  - VPC_CIDR: The CIDR block of the VPC.
- Azure: azure:<SUBSCRIPTION_ID>:<RESOURCE_GROUP_NAME>:<VNET_NAME>
  - SUBSCRIPTION_ID: Your Azure subscription ID.
  - RESOURCE_GROUP_NAME: The resource group in which your Virtual Network (VNet) exists.
  - VNET_NAME: The name of your VNet.
- Google Cloud: gcp:<GCP_PROJECT_ID>:<VPC_NAME>
  - GCP_PROJECT_ID: The ID of your Google Cloud project.
  - VPC_NAME: The name of the VPC in Google Cloud.
forbid ( principal, action == ResourcePolicy::Action::"project.vpcPeering.modify", resource ) when {context.project.peeringConnections == ["aws:000123456789:us-east-1:vpc-0316c47cc923ce313:10.0.0.0/16", "azure:fd01aafc-b3re-2193-8497-83lp3m83a1a5:rg-name:vnet", "gcp:inductive-cocoa-108200:default"]};
Prevent Modifications to Private Endpoints
The following example prevents modifications to private endpoint connections across cloud providers (AWS, Google Cloud, Azure).
Each cloud provider requires different details for private endpoints. Gather the following details for your cloud provider and replace them in the example:
- AWS: aws:<VPC_ENDPOINT_ID>
  - VPC_ENDPOINT_ID: The ID of the AWS VPC endpoint.
- Azure: azure:<PRIVATE_ENDPOINT_RESOURCE_ID>:<PRIVATE_ENDPOINT_IP_ADDRESS>
  - PRIVATE_ENDPOINT_RESOURCE_ID: The full resource ID path of the Azure private endpoint.
  - PRIVATE_ENDPOINT_IP_ADDRESS: The IP address assigned to the private endpoint.
- Google Cloud: gcp:<GCP_PROJECT_ID>:<VPC_NAME>
  - GCP_PROJECT_ID: The ID of your Google Cloud project.
  - VPC_NAME: The name of the VPC in Google Cloud associated with the connection.
forbid ( principal, action == ResourcePolicy::Action::"project.privateEndpoint.modify", resource ) when {context.project.privateEndpoints == ["aws:vpce-042d72ded1748f314", "azure:/subscriptions/fd01aafc-b3re-2193-8497-83lp3m83a1a5/resourceGroups/rg-name/providers/Microsoft.Network/privateEndpoints/pe-name:10.0.0.4", "gcp:inductive-cocoa-108200:default"]};