To restrict an IAM role to a specific VPC, you can use an IAM policy with a condition that specifies the allowed VPC ID. You can define this policy as a permission boundary for the role, which acts as an implicit denial for all actions not explicitly allowed in the policy.
Here's an example of a policy that allows the role to access resources within a specific VPC (specified by the VPC ID "vpc-0123456789abcdef0"):
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:SourceVpc": "vpc-0123456789abcdef0"
                    }
                }
            }
        ]
    }
To set this policy as the permission boundary for a role, you can use the AWS Management Console, AWS CLI, or AWS API. In the console, go to the IAM role details page, click on the "Permissions" tab, and then click on "Edit boundary". In the CLI or API, you can use the "PutRolePermissionsBoundary" API action or the "aws iam put-role-permissions-boundary" command.
This way, the role will only be able to access resources within the specified VPC, even if the role's policies would otherwise allow access to resources in other VPCs.
Thanks Muhammad. I will give this a try and let you know. This answer sounds about right and also aligns with what I had in mind to address this. Thanks for your response.
The aws:sourceVpc condition key is only applicable if the AWS API call originates from within a VPC.
This policy doesn't work
I'm not sure what you're asking. Could you please clarify? If you want to limit the traffic from an ENI (for EC2 instances, Lambdas, etc) to just one VPC, you can do so using network controls instead of IAM. One way to achieve this is by using a security group that restricts outbound traffic to a specific VPC. You can set up a security group rule that allows outbound traffic only to the CIDR block of the desired VPC.
This question was more about controlling the access rather than the network. In case we have users defining their own IAM roles, we want to have a default boundary set up so that their IAM role (with any definition) cannot access resources outside the specified VPC within the permission boundary.
In that case, you'll need to implement an ABAC approach using aws:ResourceTag condition key in the permissions boundary policy. You also need to tag existing resources in the VPC and automate/enforce tagging for future resources. https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/
But if you have multiple AWS accounts, I think a better way to achieve what you want is to try VPC sharing where one account can administer the VPC and you can then share subnets with other AWS accounts where they use it to deploy resources. The participants won't be able to modify the VPC configuration by default: https://aws.amazon.com/blogs/networking-and-content-delivery/vpc-sharing-a-new-approach-to-multiple-accounts-and-vpc-management/
+1 for using multiple accounts to separate multiple actors/teams. But if you cannot do that, you can use a permission boundary and tags to put boundaries around a VPC or any other way you need. I wrote an article on how to implement this kind of generic tag-based boundary while granting permission to create and edit your own IAM policies at the same time. This could be helpful when operating with shared accounts. https://carriagereturn.nl/aws/iam/policy/boundary/2021/10/07/iambound.html
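To make the difference between the two boundary approaches in this thread concrete (the aws:SourceVpc policy in the first answer versus the aws:ResourceTag boundary recommended later), here is an added example, not from the thread or from AWS, that simulates IAM's StringEquals condition evaluation over constructed request contexts. It assumes a tag key named `vpc` on each resource (an assumption; any key works) and models only the part of policy evaluation that matters here: a condition key absent from the request context never matches.

```python
# Added example (not from the re:Post thread): minimal simulation of how the
# two permission-boundary statements behave for three kinds of requests.
# aws:SourceVpc is present only when the call arrives through a VPC endpoint;
# aws:ResourceTag/<key> is the tag on the resource the call targets.

TARGET_VPC = "vpc-0123456789abcdef0"          # VPC ID used in the thread
OTHER_VPC = "vpc-0fedcba9876543210"            # constructed second VPC ID

BOUNDARY_SOURCE_VPC = {   # statement from the first answer
    "Effect": "Allow", "Action": "*", "Resource": "*",
    "Condition": {"StringEquals": {"aws:SourceVpc": TARGET_VPC}},
}
BOUNDARY_RESOURCE_TAG = {   # ABAC alternative; tag key "vpc" is assumed
    "Effect": "Allow", "Action": "*", "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/vpc": TARGET_VPC}},
}


def condition_matches(condition, ctx):
    """StringEquals only: every key must be present in the request context
    and equal to the expected value; a missing key fails the condition."""
    for key, expected in condition.get("StringEquals", {}).items():
        if ctx.get(key) != expected:
            return False
    return True


def boundary_allows(statement, ctx):
    """True if this Allow statement grants the request (no explicit denies modelled)."""
    return statement["Effect"] == "Allow" and condition_matches(statement["Condition"], ctx)


# Constructed request contexts as IAM would see them.
REQUESTS = {
    # call via an endpoint in the target VPC, resource tagged with the target VPC
    "endpoint_call_same_vpc": {"aws:SourceVpc": TARGET_VPC, "aws:ResourceTag/vpc": TARGET_VPC},
    # call via an endpoint in the target VPC, but the resource lives in another VPC
    "endpoint_call_other_vpc": {"aws:SourceVpc": TARGET_VPC, "aws:ResourceTag/vpc": OTHER_VPC},
    # console/CLI call with no VPC endpoint: aws:SourceVpc is simply absent
    "console_call_same_vpc": {"aws:ResourceTag/vpc": TARGET_VPC},
}


def evaluate_all():
    """Return, per request, whether each boundary statement allows it."""
    return {
        name: {
            "source_vpc": boundary_allows(BOUNDARY_SOURCE_VPC, ctx),
            "resource_tag": boundary_allows(BOUNDARY_RESOURCE_TAG, ctx),
        }
        for name, ctx in REQUESTS.items()
    }
```

The second request is the one that matters: the aws:SourceVpc boundary allows a resource in a different VPC as long as the call came through the right endpoint, while the tag-based boundary denies it; the third shows the SourceVpc boundary also blocking ordinary console or CLI calls. Real evaluation also involves explicit denies, resource ARNs, and the fact that not every action supports aws:ResourceTag, which is why tagging must be enforced on the resources themselves.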
Is this regarding traffic within a VPC or restricting VPC configuration access to certain IAM roles?