3 Answers
0
Hello.
A Deny policy alone cannot do anything, so it must be used in conjunction with an Allow policy.
As an example, the following policy allows all operations when accessed from "203.0.113.123/32".
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AdministratorAccess",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Sid": "SourceIPRestriction",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {"aws:SourceIp": "203.0.113.123/32"}
      }
    }
  ]
}
```
By the way, "aws:SourceIp" can only be set to a public IP address.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip
0
What Identity Provider (IdP) are you using? Are you able to filter access by source IPs with it? Keep in mind that implementing such policies may add complexity to your environment.
answered 3 months ago
Hi, thanks for the reply. I did try this; it worked for services, but I am still able to log in to the console.
I tried from an IP which I have allowed and also from an IP which is not allowed. I did see the difference in permissions, but on both systems it allowed me to log in to the console. I want to block console access too for a user whose source IP is not in the allowed list. Is it possible to block console access for such users?
IAM policies do not have the ability to block console access itself. Therefore, I think the only option is to restrict the IP address using the IAM policy I provided and prevent operations if the connection source is incorrect.