How to Restrict an IAM role to a VPC using permission boundary


While I am trying to set up IAM roles, I want to have a default permission boundary set up with each role which will allow access to only the permitted VPC, i.e. by specifying the VPC ID in the boundary, so that even if the roles defined may have access to all the VPCs within an account (wherever the resource could be a *), this permission boundary will help ensure the role cannot access anything outside the specified VPC. Or is there any other way to achieve this VPC restriction on the IAM role without specifying it with every AWS resource within the policy document?

  • Is this regarding traffic within a VPC or restricting VPC configuration access to certain IAM roles?

3 Answers

To restrict an IAM role to a specific VPC, you can use an IAM policy with a condition that specifies the allowed VPC ID. You can define this policy as a permission boundary for the role, which acts as an implicit denial for all actions not explicitly allowed in the policy.

Here's an example of a policy that allows the role to access resources within a specific VPC (specified by the VPC ID "vpc-0123456789abcdef0"):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpc": "vpc-0123456789abcdef0"
                }
            }
        }
    ]
}

To set this policy as the permission boundary for a role, you can use the AWS Management Console, AWS CLI, or AWS API. In the console, go to the IAM role details page, click on the "Permissions" tab, and then click on "Edit boundary". In the CLI or API, you can use the "PutRolePermissionsBoundary" API action or the "aws iam put-role-permissions-boundary" command.

This way, the role will only be able to access resources within the specified VPC, even if the role's policies would otherwise allow access to resources in other VPCs.

answered a year ago
  • Thanks Muhammad. I will give this a try and let you know. This answer sounds about right and also aligns with what I had in my mind to address this. Thanks for your response.

  • The aws:sourceVpc condition key is only applicable if the AWS API call originates from within a VPC.

  • This policy doesn't work
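To see why the two comments above matter, here is an added illustration (not part of the original answer and not the AWS evaluation engine) that models the permission-boundary rule: a request succeeds only if both the role's identity policy and the boundary allow it, and an explicit deny in either wins. The model handles only Allow/Deny, "*" wildcards in Action/Resource and the StringEquals operator used in the answer; the identity policy, the second VPC ID and the request contexts are constructed samples. The interesting case is a request with no aws:SourceVpc in its context, which is what AWS sees for calls that do not arrive through a VPC endpoint: the StringEquals condition on a missing key is false, so the boundary matches nothing and the call is denied rather than allowed.

```python
"""Simplified model of IAM identity-policy + permission-boundary evaluation.
Added example; it is NOT the AWS evaluation engine and only models the
Allow/Deny effects, "*" wildcards and the StringEquals condition operator."""
import fnmatch

# Identity policy attached to the role (constructed sample): full access.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Permission boundary from the answer above, scoped to one VPC ID.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}
            },
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM treats "*" and "?" as wildcards in Action and Resource elements.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only StringEquals is modelled. A condition key that is absent from the
    # request context makes the condition false; this is exactly what happens
    # to aws:SourceVpc for calls that do not come through a VPC endpoint.
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def evaluate_policy(policy, action, resource, context):
    """Return 'Deny', 'Allow', or None (no statement matched) for one policy."""
    result = None
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        result = "Allow"
    return result


def is_allowed(identity_policy, boundary_policy, action, resource, context):
    """Permission-boundary semantics: effective permission is the intersection
    of the identity policy and the boundary; an explicit deny in either wins."""
    identity = evaluate_policy(identity_policy, action, resource, context)
    boundary = evaluate_policy(boundary_policy, action, resource, context)
    if "Deny" in (identity, boundary):
        return False
    return identity == "Allow" and boundary == "Allow"


if __name__ == "__main__":
    # Constructed request contexts: via an endpoint in the permitted VPC,
    # via an endpoint in another VPC, and a call with no VPC endpoint at all.
    cases = {
        "endpoint in permitted VPC": {"aws:SourceVpc": "vpc-0123456789abcdef0"},
        "endpoint in another VPC": {"aws:SourceVpc": "vpc-0fedcba9876543210"},
        "no VPC endpoint (console/internet)": {},
    }
    for label, ctx in cases.items():
        ok = is_allowed(IDENTITY_POLICY, BOUNDARY_POLICY,
                        "ec2:DescribeInstances", "*", ctx)
        print(f"{label:38s} -> {'ALLOW' if ok else 'DENY'}")
```

The model shows both sides of the answer: the boundary does clamp a wide-open identity policy to one VPC, but only for requests that carry aws:SourceVpc, so a role used from the console or from a host without a VPC endpoint is locked out entirely rather than scoped.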


I'm not sure what you're asking. Could you please clarify? If you want to limit the traffic from an ENI (for EC2 instances, Lambdas, etc) to just one VPC, you can do so using network controls instead of IAM. One way to achieve this is by using a security group that restricts outbound traffic to a specific VPC. You can set up a security group rule that allows outbound traffic only to the CIDR block of the desired VPC.

AWS
Nihal
answered a year ago

+1 for using multiple accounts to separate multiple actors/teams. But if you cannot do that, you can use permission boundaries and tags to put boundaries around a VPC or in any other way you need. I wrote an article on how to implement this kind of generic tag-based boundary while granting permission to create and edit your own IAM policies at the same time. This could be helpful when operating with shared accounts. https://carriagereturn.nl/aws/iam/policy/boundary/2021/10/07/iambound.html

EXPERT
Kallu
answered 10 months ago
