How do I add an IP source condition to AWS managed policy in IAM User or Role

1

I need to add a aws:SourceIp and aws:VpcSourceIp conditions to a Role with only AWS managed policies. What would the CloudFormation template used to create the Role look like? Thanks!

  • I submitted an answer, hope it helps!

preguntada hace 4 meses268 visualizaciones
3 Respuestas
1
Respuesta aceptada

This was what I used that worked:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CustomPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CustomIPPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Deny
            Action: "*"
            Resource: "*"
            Condition:
              NotIpAddress:
                aws:SourceIp:
                  - "192.0.2.0/24" # Specify the IP range(s) you want to allow
      Roles:
        - Ref: MyIAMRole

  MyIAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
              AWS: arn:aws:iam::XXXXXXXXXXXX:user/tester
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/ReadOnlyAccess"
respondido hace 4 meses
profile picture
EXPERTO
revisado hace 3 meses
profile pictureAWS
EXPERTO
revisado hace 4 meses
0

To add an IP source condition to an AWS managed policy in an IAM Role using CloudFormation, you would typically create a custom managed policy that includes the desired conditions, and then attach that custom policy to the IAM Role. Here's a CloudFormation template to achieve this:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CustomPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CustomIPPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"
            Condition:
              IpAddress:
                aws:SourceIp:
                  - "192.0.2.0/24" # Specify the IP range(s) you want to allow
              StringEquals:
                aws:SourceVpc: "vpc-1234567890abcdef0" # Specify the VPC ID
      Roles:
        - Ref: MyIAMRole

  MyIAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole

In this CloudFormation template:

  1. We create a custom IAM policy named CustomIPPolicy with the desired IP source conditions specified in the PolicyDocument.
  2. We create an IAM Role named MyRole with the AssumeRolePolicyDocument specifying the service (in this case, EC2) that can assume this role.
  3. We attach the custom policy CustomIPPolicy to the IAM Role MyRole.

Make sure to replace "192.0.2.0/24" with the IP range(s) you want to allow and "vpc-1234567890abcdef0" with the VPC ID you want to allow as the source. You can also adjust the actions and resources in the policy statement as per your requirements.

Mustafa
respondido hace 4 meses
  • Your example is for inline policy. I was looking for a solution for a Role with AWS managed policy without any inline policy. I used Deny Effect with NotIPAddress condition for the allowed IP addresses on all Actions and Resources to fix it.

    Thanks for your help though. I appreciate!

0
profile picture
EXPERTO
respondido hace 4 meses

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas