Limit IAM Identity Center Users to defined Region

0

Requirement

I have been able to set up IAM Identity Center and provide log-in credentials for access to AWS services (let's use S3 as an example); however, I'd like to limit any console access to this service to a single region, to isolate some users' workspaces from others'.

Attempted Config

I created the following IAM policy named RegionRestrict then imported it into IAM Identity Center when mapping a user to an AWS Organizations account. I referred to a few guides and found that the Condition shared in this guide https://aws.amazon.com/blogs/security/easier-way-to-control-access-to-aws-regions-using-iam-policies/ only applies to API requests (and not console access), thus I ended up using ec2:Region instead of the global region flag.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:*",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ec2:Region": "us-east-1"
                }
            }
        }
    ]
}

Issues

When assigning a Permissions set to a user, I receive the following error:

1 of 1 failed to be configured.
You can retry submitting them, or you can leave the page and the failed assignments won’t be submitted.

 Assign user "permission-test" to AWS account "permissions-test" with permission set "RegionRestrict"

Received a 404 status error: Not supported policy arn:aws:iam::############:policy/RegionRestrict.
2 Answers
1
Accepted Answer

For IAM Identity Center, you'll want to create Permission Sets which are templates that define the policies users will receive. You should also look at aws:RequestedRegion for a relevant context key to use in policies.

The API permissions apply to both console and programmatic access, however the key you're using is an EC2 one so it wouldn't necessarily apply to all services.

BTW, you might want to look at Service Control Policies if these users are logging in to linked accounts; there's a very relevant example in the docs.

AWS
EXPERT
Raphael
answered 2 years ago
  • Thank you for the details here. I'll take a deeper look at Service Control Policies, as this seems to be an intended use case for AWS Organizations (I am new to this tool, as well).

    For clarity's sake, I want to note that I had created the Permission Set as a requirement of the process and tied the IAM policy RegionRestrict to it, and this is the Permission Set I attempted to attach to each User that resulted in error.

  • I solved this by applying a Service Control Policy to my AWS Organization rather than via the IAM Identity Center. Thanks for your help!
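The Service Control Policy route the asker settled on, and the aws:RequestedRegion key the accepted answer points to, are shown below in an added example that is not part of this thread and is not AWS's own code or documentation. It builds an SCP in the "deny everything outside one region, except global services" shape and includes a deliberately simplified local evaluator so you can see which calls the policy blocks before attaching it to an OU. Everything in it is an assumption for illustration: ALLOWED_REGION, the GLOBAL_SERVICE_ACTIONS exemption list (a subset of what AWS's published example exempts; tune it to the account), and the evaluator, which models only a single Deny statement with NotAction and a StringNotEquals condition, not full IAM evaluation. An SCP never grants access; the permission set still needs its own Allow.

```python
"""Added example (not from the re:Post thread or AWS): build a region-
restricting SCP and check it locally with a simplified evaluator."""

import json
from fnmatch import fnmatch

# Assumption: the one region these users may work in.
ALLOWED_REGION = "us-east-1"

# Global or cross-region actions exempted from the region deny. Denying these
# by region would break sign-in, IAM, and the S3 console's bucket list.
# Assumption: this is an illustrative subset; tailor it to the account.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*",
    "organizations:*",
    "sts:*",
    "support:*",
    "cloudfront:*",
    "route53:*",
    "ec2:DescribeRegions",      # region picker in the console
    "s3:ListAllMyBuckets",      # bucket list is not region-scoped
    "s3:GetAccountPublic*",
]


def build_region_scp(allowed_region: str, exempt_actions: list) -> dict:
    """Return an SCP document that denies every non-exempt action unless the
    request targets allowed_region (the aws:RequestedRegion pattern)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllOutsideAllowedRegion",
                "Effect": "Deny",
                "NotAction": exempt_actions,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": allowed_region}
                },
            }
        ],
    }


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and patterns may use * wildcards.
    return fnmatch(action.lower(), pattern.lower())


def scp_denies(policy: dict, action: str, requested_region: str) -> bool:
    """Simplified evaluation (assumption: only Deny + NotAction +
    StringNotEquals on aws:RequestedRegion are modelled). Returns True when
    a Deny statement applies to this action/region. 'Not denied' does not
    mean allowed: the permission set's own policy still has to grant it."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        # NotAction: the statement applies to every action NOT in the list.
        if any(_action_matches(p, action) for p in stmt.get("NotAction", [])):
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        wanted = cond.get("aws:RequestedRegion")
        if wanted is None:
            return True  # unconditional deny
        if requested_region != wanted:
            return True
    return False


if __name__ == "__main__":
    scp = build_region_scp(ALLOWED_REGION, GLOBAL_SERVICE_ACTIONS)
    print(json.dumps(scp, indent=2))
    # Constructed sample requests, as the console would issue them via the API.
    for act, region in [("s3:ListBucket", "us-east-1"),
                        ("s3:ListBucket", "eu-west-1"),
                        ("s3:ListAllMyBuckets", "eu-west-1"),
                        ("iam:GetUser", "eu-west-1")]:
        verdict = "DENIED" if scp_denies(scp, act, region) else "not denied"
        print(f"{act:22s} {region:12s} {verdict}")
```

Because the console itself calls the same APIs, the aws:RequestedRegion condition applies to console use as well; the earlier belief that it covers only API requests is what the accepted answer corrects. Attach the resulting document as an SCP on the OU that holds the linked accounts, keeping it off the management account, and keep a break-glass role exempted (an ArnNotLike condition on aws:PrincipalARN is the usual pattern) so an over-broad deny cannot lock administrators out.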

1

To attach a customer-managed policy to a permission set, you need to first create the policy with the same name in all of the accounts to which the permission set will be attached.

answered a year ago
