Kyle

Reputation: 63

AWS IAM policy issues

So I'm having issues with AWS's IAM policies. I essentially have a "management" compartment for multiple things. I want to be able to restrict user access to everything, filtered on VPC. So a user can only do things in the VPC that is assigned to their policy.

My IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1549549655017",
            "Action": "*",
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpc": "vpc-########"
                }
            }
        }
    ]
}

I apply this policy to a user, yet they can still start/stop ec2 instances, or add security groups for something in that VPC. I thought it might have been because the user was admin, so I removed this and gave them access to specific, but this still allowed them access.

Suggestions?

Upvotes: 0

Views: 270

Answers (2)

Ian Jenkins

Reputation: 304

The aws:SourceVpc condition is only available for services that support traffic over a VPC endpoint. A call to the EC2 service does not support VPC endpoints so this condition will not apply. Refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html for conditions that may be applied to the various ec2 actions and resources.

I am not sure what the use case for this is -- but I would humbly suggest that a VPC is not the correct solution for isolating management concerns. You should have that in a separate account so that your blast radius from user error is limited to one concern, i.e. management or user-application, not both.

Upvotes: 1

Lijo Abraham

Reputation: 354

Try replacing this code in the condition section. It should work.

"StringEquals": {
    "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"
}

Here, in the other section, you can specify all the APIs that you require access to. This will make sure that you can access those APIs within the VPC.

Upvotes: 0
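To make the two answers concrete, here is an added toy evaluator (not AWS code, not from either answerer) that applies IAM's documented rule for condition keys absent from the request context: `StringEquals` on a missing key never matches, so the question's Deny silently does nothing for a plain EC2 API call, while an Allow keyed on `ec2:Vpc` scopes the actions to one VPC. The VPC ARNs, account id and request contexts are constructed assumptions.

```python
from fnmatch import fnmatch

# Constructed toy evaluator (not AWS code) that follows the documented IAM
# rules for condition keys missing from the request context.
ALLOWED_VPC = "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-1a2b3c4d"  # assumed ARN

def condition_matches(condition, ctx):
    """Missing key: StringEquals fails, StringNotEquals and *IfExists pass."""
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, expected in keys.items():
            values = expected if isinstance(expected, list) else [expected]
            if key not in ctx:
                if if_exists or base == "StringNotEquals":
                    continue
                return False
            hit = ctx[key] in values
            if (base == "StringEquals" and not hit) or (base == "StringNotEquals" and hit):
                return False
    return True

def evaluate(policy, action, ctx):
    """Explicit Deny wins; otherwise Allow; no matching statement is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch(action, a) for a in actions) or not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# The question's Deny next to the baseline EC2 access the user already had.
ORIGINAL = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-1a2b3c4d"}}}]}
# Allow start/stop only for instances in the permitted VPC (ec2:Vpc key).
SCOPED = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "*", "Condition": {"StringEquals": {"ec2:Vpc": ALLOWED_VPC}}}]}

# Assumed request contexts for a StartInstances call made from outside AWS:
# aws:SourceVpc is absent (no VPC endpoint), ec2:Vpc names the instance's VPC.
IN_VPC = {"ec2:Vpc": ALLOWED_VPC}
OTHER_VPC = {"ec2:Vpc": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0f0f0f0f"}
```

`evaluate(ORIGINAL, "ec2:StartInstances", OTHER_VPC)` comes back `Allow`, which is the behaviour the question describes, while `SCOPED` allows the call only when the target instance is in `ALLOWED_VPC`. Because `ec2:Vpc` is only populated for VPC-bound resources, scoping with an Allow plus `StringEquals` avoids the missing-key surprises a Deny plus `StringNotEquals` would bring.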
