Thiago Scodeler

Reputation: 337

How to restrict AWS access based on region?

I'm following this AWS documentation on how to deny access to AWS resources based on the region: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-requested-region.html

This is my IAM policy, and when I try to access the account I'm not even able to see resources of the regions described in "Condition" below. Error when accessing the EC2 console for "eu-central-1": "You are not authorized to perform this operation".

My goal is to restrict access to any resource of the regions that are not present in the condition. For example, I want to have full access for "eu-central-1" but not for "ap-northeast-1".

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAccessNotListedRegions",
            "Effect": "Deny",
            "NotAction": [
                "cloudfront:*",
                "iam:*",
                "route53:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "eu-central-1",
                        "eu-west-3",
                        "eu-west-2",
                        "eu-west-1"
                    ]
                }
            }
        }
    ]
}

Upvotes: 0

Views: 374

Answers (1)

Thiago Scodeler

Reputation: 337

This is the solution I found to my case:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"AllowAccessAllRegionListed",
         "Effect":"Allow",
         "Action":"*",
         "Resource":"*",
         "Condition":{
            "StringEquals":{
               "aws:RequestedRegion":[
                  "eu-central-1",
                  "eu-west-3",
                  "eu-west-2",
                  "eu-west-1"
               ]
            }
         }
      },
      {
         "Sid":"AllowAccessGlobalServices",
         "Effect":"Allow",
         "Action":[
            "cloudfront:*",
            "iam:*",
            "route53:*"
         ],
         "Resource":"*"
      },
      {
         "Sid":"DenyAccessNotListedRegionsExceptGlobalServices",
         "Effect":"Deny",
         "NotAction":[
            "cloudfront:*",
            "iam:*",
            "route53:*"
         ],
         "Resource":"*",
         "Condition":{
            "StringNotEquals":{
               "aws:RequestedRegion":[
                  "eu-central-1",
                  "eu-west-3",
                  "eu-west-2",
                  "eu-west-1"
               ]
            }
         }
      }
   ]
}

Upvotes: 0
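The difference between the two policies above comes down to IAM's documented evaluation order: any matching explicit Deny wins, otherwise a matching explicit Allow grants the request, otherwise the request is implicitly denied. The question's policy contains only a Deny statement, so a request in eu-central-1 is not denied by it but is not allowed by anything either, which is exactly the "not authorized" error seen. The following is an added example, not code from the question or the answer: a small Python model of that evaluation order, restricted to the policy elements these two policies use (Action/NotAction, Resource, StringEquals/StringNotEquals on aws:RequestedRegion) and to a single identity policy, ignoring SCPs, permission boundaries and resource policies. The request contexts are constructed; the us-east-1 value for the IAM call reflects that AWS records us-east-1 as the requested region for global services such as IAM.

```python
import fnmatch

# Policy from the question: a Deny statement only, no Allow anywhere.
DENY_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyAccessNotListedRegions", "Effect": "Deny",
         "NotAction": ["cloudfront:*", "iam:*", "route53:*"], "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": [
             "eu-central-1", "eu-west-3", "eu-west-2", "eu-west-1"]}}},
    ],
}

# Policy from the answer: Allow in listed regions, Allow global services, Deny the rest.
ALLOW_AND_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAccessAllRegionListed", "Effect": "Allow",
         "Action": "*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": [
             "eu-central-1", "eu-west-3", "eu-west-2", "eu-west-1"]}}},
        {"Sid": "AllowAccessGlobalServices", "Effect": "Allow",
         "Action": ["cloudfront:*", "iam:*", "route53:*"], "Resource": "*"},
        {"Sid": "DenyAccessNotListedRegionsExceptGlobalServices", "Effect": "Deny",
         "NotAction": ["cloudfront:*", "iam:*", "route53:*"], "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": [
             "eu-central-1", "eu-west-3", "eu-west-2", "eu-west-1"]}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource):
    """True if the statement's Action/NotAction and Resource cover the request."""
    if "Action" in stmt:
        hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    else:  # NotAction: statement applies to every action NOT in the list
        hit = not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))
    return hit and any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))


def _condition_holds(condition, context):
    """Evaluate the subset of condition operators used by the policies above.

    A missing context key makes StringEquals false and StringNotEquals true,
    matching IAM's documented handling of absent keys for negated operators."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy, action, context, resource="arn:aws:ec2:*:*:*"):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.

    Mirrors IAM's order: a matching Deny always wins, a matching Allow grants,
    and a request matched by nothing is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"
        allowed = True
    return "allow" if allowed else "implicit_deny"


if __name__ == "__main__":
    for name, policy in (("question", DENY_ONLY_POLICY), ("answer", ALLOW_AND_DENY_POLICY)):
        for action, region in (("ec2:DescribeInstances", "eu-central-1"),
                               ("ec2:DescribeInstances", "ap-northeast-1"),
                               ("iam:ListUsers", "us-east-1")):
            decision = evaluate(policy, action, {"aws:RequestedRegion": region})
            print(f"{name:8s} {action:22s} {region:15s} -> {decision}")
```

Running it shows the question's policy returning implicit_deny for EC2 in eu-central-1 (the console error), while the answer's policy returns allow there, explicit_deny in ap-northeast-1, and allow for the IAM call because the Deny statement excludes iam:* via NotAction and the second statement grants it.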
