How do I add an IP source condition to AWS managed policy in IAM User or Role

1

I need to add a aws:SourceIp and aws:VpcSourceIp conditions to a Role with only AWS managed policies. What would the CloudFormation template used to create the Role look like? Thanks!

  • I submitted an answer, hope it helps!

posta 4 mesi fa283 visualizzazioni
3 Risposte
1
Risposta accettata

This was what I used that worked:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CustomPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CustomIPPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Deny
            Action: "*"
            Resource: "*"
            Condition:
              NotIpAddress:
                aws:SourceIp:
                  - "192.0.2.0/24" # Specify the IP range(s) you want to allow
      Roles:
        - Ref: MyIAMRole

  MyIAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
              AWS: arn:aws:iam::XXXXXXXXXXXX:user/tester
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/ReadOnlyAccess"
con risposta 4 mesi fa
profile picture
ESPERTO
verificato 3 mesi fa
profile pictureAWS
ESPERTO
verificato 4 mesi fa
0

To add an IP source condition to an AWS managed policy in an IAM Role using CloudFormation, you would typically create a custom managed policy that includes the desired conditions, and then attach that custom policy to the IAM Role. Here's a CloudFormation template to achieve this:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CustomPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CustomIPPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"
            Condition:
              IpAddress:
                aws:SourceIp:
                  - "192.0.2.0/24" # Specify the IP range(s) you want to allow
              StringEquals:
                aws:SourceVpc: "vpc-1234567890abcdef0" # Specify the VPC ID
      Roles:
        - Ref: MyIAMRole

  MyIAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole

In this CloudFormation template:

  1. We create a custom IAM policy named CustomIPPolicy with the desired IP source conditions specified in the PolicyDocument.
  2. We create an IAM Role named MyRole with the AssumeRolePolicyDocument specifying the service (in this case, EC2) that can assume this role.
  3. We attach the custom policy CustomIPPolicy to the IAM Role MyRole.

Make sure to replace "192.0.2.0/24" with the IP range(s) you want to allow and "vpc-1234567890abcdef0" with the VPC ID you want to allow as the source. You can also adjust the actions and resources in the policy statement as per your requirements.

Mustafa
con risposta 4 mesi fa
  • Your example is for inline policy. I was looking for a solution for a Role with AWS managed policy without any inline policy. I used Deny Effect with NotIPAddress condition for the allowed IP addresses on all Actions and Resources to fix it.

    Thanks for your help though. I appreciate!

0
profile picture
ESPERTO
con risposta 4 mesi fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande