
Identity-based policy requires definition of global region


According to the documentation, we cannot select both global and regional services provided by AWS. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-requested-region.html If you look at the link below, you can use some global services and all services in a specific region, but we cannot use the following: AWS Global Accelerator, AWS Network Manager, AWS Shield Advanced, and AWS WAF Classic. Additionally, some global services are designated as "us-east-1" or "us-west-2". I need an IAM that can allow certain local services and global services to work no matter how the global service changes.

asked 16 days ago · 28 views
1 Answer

Hello.

You should be able to use the AWS service actions that you want to exclude from region restrictions by adding them to the "NotAction" list, as shown in the policy below.
With the IAM policy below, requests can be made in the regions listed in "aws:RequestedRegion".
As an exception, actions listed in the "NotAction" list can be requested from any region.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideRequestedRegions",
            "Effect": "Deny",
            "NotAction": [
                "cloudfront:*",
                "iam:*",
                "route53:*",
                "support:*",
                "globalaccelerator:*",
                "networkmanager:*",
                "shield:*",
                "waf:*",
                "wafv2:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "eu-central-1",
                        "eu-west-1",
                        "eu-west-2",
                        "eu-west-3"
                    ]
                }
            }
        },
        {
            "Sid": "AllowAllActions",
            "Effect": "Allow",
            "Action": [
                "Actions you want to allow"
            ],
            "Resource": "*"
        }
    ]
}
EXPERT
answered 16 days ago
  • Thank you. However, I want an IAM that doesn't need to know every single service provided in the global region.
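The evaluation logic the answer above relies on, as an added example that is not part of the original post and not AWS code: a small Python simulation of the "DenyAllOutsideRequestedRegions" statement, showing why actions in the NotAction list pass from any region while every other action needs an allowed aws:RequestedRegion. The region and exempt-service lists are copied from the answer's policy; the matching rules are a simplification of IAM's own evaluation, so use the IAM policy simulator for authoritative results.

```python
# Added example: local simulation of the answer's Deny statement.
# Deny applies to every action NOT in NotAction whenever the requested
# region is NOT in the allowed list (explicit Deny beats any Allow).
import fnmatch

# Copied from the answer's policy.
ALLOWED_REGIONS = {"eu-central-1", "eu-west-1", "eu-west-2", "eu-west-3"}
GLOBAL_EXEMPT = ["cloudfront:*", "iam:*", "route53:*", "support:*",
                 "globalaccelerator:*", "networkmanager:*", "shield:*",
                 "waf:*", "wafv2:*"]


def action_matches(action, patterns):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def region_deny_applies(action, requested_region):
    """True if DenyAllOutsideRequestedRegions blocks this request.

    requested_region is the aws:RequestedRegion value, or None when the key is
    absent from the request context. Negated operators such as StringNotEquals
    evaluate true for a missing key, so the Deny still applies in that case.
    """
    if action_matches(action, GLOBAL_EXEMPT):
        return False          # NotAction: exempt from the region check
    if requested_region is None:
        return True           # missing key: StringNotEquals matches
    return requested_region not in ALLOWED_REGIONS


def evaluate(action, requested_region, allowed_actions=("*",)):
    """Final decision: explicit Deny first, then a matching Allow, else DENY.

    allowed_actions stands in for the "Actions you want to allow" placeholder
    of the second statement (constructed default: allow everything).
    """
    if region_deny_applies(action, requested_region):
        return "DENY"
    if action_matches(action, allowed_actions):
        return "ALLOW"
    return "DENY"             # implicit deny: no Allow statement matched


if __name__ == "__main__":
    for act, reg in [("s3:GetObject", "eu-west-1"), ("s3:GetObject", "us-east-1"),
                     ("iam:CreateUser", "us-east-1"), ("ec2:RunInstances", None)]:
        print(f"{act:20} {str(reg):12} -> {evaluate(act, reg)}")
```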
