Daniel

Reputation: 17

restrict aws iam user to a specific region (eu-west-1)

I'm trying to create a policy in which the user exam can access only the region eu-west-1. I tried to find a solution but didn't find the right one. The policy looks something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "user_arn",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "eu-west-1"
                }
            }
        }
    ]
}

but it does not seem to work no matter what I do.

What is the best way to do this, so that the user can do whatever he wants, but only in this region?

Upvotes: 0

Views: 2180

Answers (2)

TheAWSgeek

Reputation: 11

This should work as well; however, you are granting full access to EC2, limited to one region. In the example below you "deny" any EC2 action outside the region or regions defined below; however, you are not granting any privileges (they should be assigned in a separate policy, or use an Allow statement). Normally this is used as an SCP in AWS Organizations, and you just deny action "*", to force all users to create resources only in the designated regions, and deny any API action in regions not authorized.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": "eu-west-1"
                }
            }
        }
    ]
}

Upvotes: 1

Daniel

Reputation: 17

Found a solution:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "eu-west-1"
                }
            }
        }
    ]
}

Upvotes: 1
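Added worked example (not code from the question or either answer): a small Python model of the IAM evaluation rules the three policies in this thread rely on, covering both answers. Running it shows why the question's policy grants nothing (its Resource is the user's own ARN, which no EC2 request ever matches), that the first answer's Deny allows nothing by itself and only bites once an Allow is attached, that the second answer's Allow is implicitly denied outside eu-west-1, and one caveat for the "deny action *" SCP variant the first answer mentions: global services such as IAM and STS are served from us-east-1, so their requests carry aws:RequestedRegion = us-east-1 and a blanket Deny locks the user out of them unless those services are exempted with NotAction, as the AWS IAM documentation's region-restriction example does. The account id, user name, instance id and the exempted-service list are placeholders and assumptions, and every request context is constructed here.

```python
"""Offline model of the IAM evaluation rules behind the region-scoped policies
in this thread. Added example, not code from the question or either answer.
It covers only what the thread depends on: explicit Deny beats Allow, no Allow
means implicit Deny, '*'/'?' wildcards in Action and Resource, NotAction, and
StringEquals / StringNotEquals on aws:RequestedRegion. IDs are placeholders.
"""
import fnmatch

USER_ARN = "arn:aws:iam::123456789012:user/exam"  # stands in for "user_arn"
DOC = {"Version": "2012-10-17"}
IN_REGION = {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}
OUTSIDE_REGION = {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}

# The question's policy: the Allow is scoped to the user's own ARN.
OP_POLICY = {**DOC, "Statement": [{"Effect": "Allow", "Action": "*",
                                   "Resource": USER_ARN, "Condition": IN_REGION}]}
# First answer: deny EC2 outside eu-west-1; grants nothing on its own.
DENY_EC2_OUTSIDE = {**DOC, "Statement": [{"Effect": "Deny", "Action": "ec2:*",
                                          "Resource": "*", "Condition": OUTSIDE_REGION}]}
# Second answer: allow EC2 only when the request targets eu-west-1.
ALLOW_EC2_IN_REGION = {**DOC, "Statement": [{"Effect": "Allow", "Action": "ec2:*",
                                             "Resource": "*", "Condition": IN_REGION}]}
# The SCP-style "deny action *" lock the first answer mentions.
DENY_ALL_OUTSIDE = {**DOC, "Statement": [{"Effect": "Deny", "Action": "*",
                                          "Resource": "*", "Condition": OUTSIDE_REGION}]}
# Same lock, but global services, whose calls carry aws:RequestedRegion =
# us-east-1, are exempted with NotAction as the AWS IAM documentation's
# region-restriction example does. The service list here is an assumption.
DENY_ALL_OUTSIDE_EXCEPT_GLOBAL = {**DOC, "Statement": [{
    "Effect": "Deny", "NotAction": ["iam:*", "sts:*", "route53:*", "cloudfront:*"],
    "Resource": "*", "Condition": OUTSIDE_REGION}]}
# Broad grant to pair with the Deny policies, which allow nothing by themselves.
ALLOW_ALL = {**DOC, "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    # IAM wildcards map onto fnmatch: '*' is any run of characters, '?' one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _action_matches(stmt, action):
    # Action names are case-insensitive; NotAction inverts the match.
    if "Action" in stmt:
        return _matches_any([p.lower() for p in _as_list(stmt["Action"])], action.lower())
    return not _matches_any([p.lower() for p in _as_list(stmt["NotAction"])], action.lower())


def _condition_matches(stmt, context):
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                ok = actual is not None and actual in _as_list(expected)
            elif operator == "StringNotEquals":
                # Negated operators also match when the key is absent from the request.
                ok = actual is None or actual not in _as_list(expected)
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, context):
    """'Allow' or 'Deny' in IAM order: an explicit Deny wins, then any Allow,
    otherwise the implicit Deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if (_action_matches(stmt, action)
                    and _matches_any(stmt["Resource"], resource)
                    and _condition_matches(stmt, context)):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"


def run_instances_in(region, policies):
    """The call the question is about, issued against the given region."""
    instance = f"arn:aws:ec2:{region}:123456789012:instance/i-0123456789abcdef0"
    return evaluate(policies, "ec2:RunInstances", instance, {"aws:RequestedRegion": region})


def get_user(policies):
    """An IAM call; IAM is a global service, so its requests carry us-east-1."""
    return evaluate(policies, "iam:GetUser", USER_ARN, {"aws:RequestedRegion": "us-east-1"})


if __name__ == "__main__":
    print("question's policy, eu-west-1:", run_instances_in("eu-west-1", [OP_POLICY]))
    print("Allow-in-region, us-east-1:", run_instances_in("us-east-1", [ALLOW_EC2_IN_REGION]))
    print("iam:GetUser, deny * outside:", get_user([ALLOW_ALL, DENY_ALL_OUTSIDE]))
    print("iam:GetUser, global exempt:", get_user([ALLOW_ALL, DENY_ALL_OUTSIDE_EXCEPT_GLOBAL]))
```

Before attaching a policy, ask the real engine the same questions rather than this model, e.g. `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names ec2:RunInstances --context-entries ContextKeyName=aws:RequestedRegion,ContextKeyValues=eu-west-1,ContextKeyType=string`. Attaching both the Allow-in-region statement and the Deny-outside-region statement is the belt-and-braces form: the explicit Deny keeps holding even if a broader Allow is attached to the user later.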
