The brokerpak currently supports restricting the use of binding credentials to user-specified IP addresses. The original brokerpak defaulted that value to the cloud.gov egress IP ranges, so by default the credentials could only be used from within cloud.gov. However, since the SES identities are now within our AWS account, those egress IPs are no longer accurate.
To allow customers to restrict use of the credentials to cloud.gov, we could create a VPC Endpoint for SES and add an aws:SourceVPC Condition by default to the user's IAM policy. (Note: We tried this on a test user and it didn't work, so while we think it's the right idea, there is more work after these steps.) We should probably create the endpoint anyway so SMTP traffic never has to leave cloud.gov.
Decide if this is a launch feature
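The two default restrictions discussed above, as an added example (not the brokerpak's code) using a simplified model of IAM condition evaluation. The CIDR, VPC id, the `ses:SendRawEmail` action and the request contexts are constructed assumptions; in particular it assumes a request through the VPC endpoint carries `aws:SourceVpc`, which is the behaviour the proposal relies on and which the test described above did not confirm.

```python
import ipaddress

# Constructed placeholders: not real cloud.gov egress ranges or VPC ids.
OLD_EGRESS_CIDRS = ["192.0.2.0/24"]
VPC_ID = "vpc-EXAMPLE"

def send_policy(condition):
    """IAM policy document allowing SES sends only when `condition` holds."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "ses:SendRawEmail",  # assumed action for the binding user
            "Resource": "*",
            "Condition": condition,
        }],
    }

ip_policy = send_policy({"IpAddress": {"aws:SourceIp": OLD_EGRESS_CIDRS}})
vpc_policy = send_policy({"StringEquals": {"aws:SourceVpc": VPC_ID}})

def condition_holds(condition, context):
    """Simplified model covering only the two operators used here.
    A key that is absent from the request context makes the condition false."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            values = expected if isinstance(expected, list) else [expected]
            if operator == "IpAddress":
                addr = ipaddress.ip_address(actual)
                ok = any(addr in ipaddress.ip_network(v) for v in values)
            elif operator == "StringEquals":
                ok = actual in values
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True

def allowed(policy, context):
    """True if any Allow statement's condition matches the request context."""
    return any(s["Effect"] == "Allow" and condition_holds(s["Condition"], context)
               for s in policy["Statement"])

# Constructed request contexts (assumptions, see lead-in).
via_public = {"aws:SourceIp": "198.51.100.7"}  # public endpoint, egress IP outside the old range
via_endpoint = {"aws:SourceVpc": VPC_ID}       # through the VPC endpoint; no aws:SourceIp key
```

Under this model the IP-based default rejects traffic from an address outside the stale range, and the VPC-based default rejects anything that does not arrive through the endpoint, including requests that would have matched an IP allowlist.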