sumanth shetty

Reputation: 2181

Restricting access to AWS resources to one specific region

I am trying to have my lambda full access restricted to a particular region.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:*",
                "dynamodb:*",
                "events:*",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:PassRole",
                "lambda:*",
                "logs:*",
                "s3:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "us-east-1"
                }
            }
        }
    ]
}

This is my policy.

But currently it is not working: the user is still able to access Lambda, with full access, in another region.

What am I missing here?

Upvotes: 1

Views: 525

Answers (1)

Marcin

Reputation: 238747

Your IAM user(s) are probably allowed to perform your actions in different regions, because your policy is Allow only and they have other policies that allow unrestricted access.

To overcome the issue you can use a Deny statement in the policy, as explained in AWS: Denies access to AWS based on the requested Region. Deny always wins, which means that the policy will have precedence over any allows.

So your policy, based on the AWS docs linked, could be:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "cloudwatch:*",
                "dynamodb:*",
                "events:*",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:PassRole",
                "lambda:*",
                "logs:*",
                "s3:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": "us-east-1"
                }
            }
        }
    ]
}

Note that in the AWS docs they also use NotAction instead of Action. So you have to take into account what you wish your users to be able to do, or not do. But in your case, I think Action is fine.

Upvotes: 1
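As an added illustration (not code from the question or the answer), the following Python script simulates the IAM evaluation rules the answer relies on: an explicit Deny wins over every Allow, an Allow with a region condition is silently inert outside that region, and without any matching Allow the result is an implicit deny. The three policy documents, the "admin" policy standing in for the user's other permissions, and the evaluate() function are constructed assumptions for this example; it only models the StringEquals/StringNotEquals operators and the aws:RequestedRegion key that the thread discusses.

```python
import fnmatch

# Constructed policies for the simulation (not the poster's real account).
# ADMIN stands in for "other policies that allow unrestricted access".
ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Shape of the question's policy: Allow only, scoped to us-east-1.
ALLOW_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:*", "s3:*"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}}]}

# Shape of the answer's policy: explicit Deny outside us-east-1.
DENY_OUTSIDE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["lambda:*", "s3:*"], "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}}]}

# The AWS-docs variant the answer mentions: NotAction, so everything except
# the listed (global) IAM actions is denied outside the region.
DENY_NOTACTION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "NotAction": ["iam:*"], "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _action_matches(stmt, action):
    # IAM action names are case-insensitive and support "*" wildcards.
    def hit(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    if "NotAction" in stmt:
        return not hit(_as_list(stmt["NotAction"]))
    return hit(_as_list(stmt.get("Action", [])))

def _condition_holds(stmt, ctx):
    for op, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals" and actual not in _as_list(expected):
                return False
            if op == "StringNotEquals" and actual in _as_list(expected):
                return False
            if op not in ("StringEquals", "StringNotEquals"):
                raise ValueError("operator not modelled: " + op)
    return True

def evaluate(policies, action, region):
    """Return 'Allow' or 'Deny' for one request under the given policies."""
    ctx = {"aws:RequestedRegion": region}
    effects = {s["Effect"] for p in policies for s in p["Statement"]
               if _action_matches(s, action) and _condition_holds(s, ctx)}
    if "Deny" in effects:   # explicit deny always wins
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "Deny"           # implicit deny: nothing allowed it
```

Running evaluate([ADMIN, ALLOW_ONLY], "lambda:CreateFunction", "eu-west-1") reproduces the question's symptom (Allow), while swapping in DENY_OUTSIDE returns Deny; note that actions missing from the Deny list, such as ec2:*, stay allowed, which is the scoping decision the answer's last paragraph is about.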
