How can I deny console login if my user is not logging in from the corporate IP range or specific IP ranges?

0

Hi, I want to deny console login if any of my IAM users performs a console login without connecting to the VPN or from outside the allowed IP ranges. I tried to apply this policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "sOURCE_ip_RANGE"
          ]
        }
      }
    }
  ]
}

Can anyone help me with possible solutions to achieve this?

3 Answers
0

Hello.

A Deny policy alone cannot do anything, so it must be used in conjunction with an Allow policy.
As an example, the following policy allows all operations when accessed from "203.0.113.123/32".
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AdministratorAccess",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Sid": "SourceIPRestriction",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {"aws:SourceIp": "203.0.113.123/32"}
      }
    }
  ]
}

By the way, "aws:SourceIp" can only be set to a public IP address.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip

EXPERT
answered 3 months ago
  • Hi, thanks for the reply. I did try this; it worked for services, but I am still able to log in to the console.

    So I tried from an IP which I have allowed and also from an IP which is not allowed. I did see the difference in permissions, but on both systems it allowed me to log in to the console. I want to block console access too for users that are not in the allowed SourceIp range. Is it possible to block console access for such users?

  • IAM policies do not have the ability to block console access itself. Therefore, I think the only option is to restrict the IP address using the IAM policy I provided and prevent operations if the connection source is incorrect.
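A small policy evaluator, added here as an illustration and not part of any answer in this thread, that applies simplified IAM logic (a matching explicit Deny wins over Allow, otherwise the request is implicitly denied) to the Allow-plus-Deny pattern above and to the asker's Deny-only policy. It models only the aws:SourceIp condition and assumes the placeholder addresses are the corporate range; note that, as the answer says, this decides API calls made after sign-in, not the console sign-in itself.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample: the Allow-everything plus Deny-outside-range pattern from the
# answer above, reusing its placeholder address.
IP_RESTRICTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdministratorAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "SourceIPRestriction", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.123/32"}}},
]}

# The asker's Deny-only policy, with a constructed range in place of sOURCE_ip_RANGE.
DENY_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(patterns, action):
    # IAM action wildcards (* and ?) match case-insensitively.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def _condition_matches(condition, source_ip):
    # Only the aws:SourceIp operators used in this thread are modelled.
    addr = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress") or set(keys) != {"aws:SourceIp"}:
            raise ValueError(f"unsupported condition: {operator} {sorted(keys)}")
        inside = any(addr in ipaddress.ip_network(r, strict=False)
                     for r in _as_list(keys["aws:SourceIp"]))
        if inside != (operator == "IpAddress"):
            return False
    return True

def evaluate(policy, source_ip, action):
    """Simplified IAM logic: a matching explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Running the Deny-only policy from inside the allowed range yields "ImplicitDeny", which is why it appeared to do nothing on its own.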

0

What Identity Provider (IdP) are you using? Are you able to filter access by source IPs with it? Keep in mind that implementing such policies may add complexity to your environment.

AWS
answered 3 months ago
