
AWS IP Whitelisting


I created an IP whitelisting policy, but when trying to access CloudShell, I get an error stipulating that it is blocked by an explicit deny when running aws s3 ls or any other commands.

asked a year ago, 673 views

1 Answer

Hello.

How about making an IAM policy like the one below?
In the case of access from CloudShell, the source IP address will be the IP address of CloudShell, so I think it is necessary to specify the user agent with "aws:userAgent" as shown below and register access from CloudShell as an exception.
I tried it with my AWS account and confirmed that I can access AWS resources from CloudShell with the AWS CLI using the following IAM policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "192.0.2.0/24",
                        "203.0.113.0/24"
                    ]
                },
                "Bool": {"aws:ViaAWSService": "false"},
                "StringNotLike": {
                    "aws:userAgent": "*exec-env/CloudShell*"
                }
            }
        }
    ]
}
answered a year ago (EXPERT)
  • Good day. Thank you for your response. I have changed my policy to the following but I still get the same error. In the below I removed my IPs.

    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": { "aws:SourceIp": [ "192.168.0.0/24" ] },
                "Bool": { "aws:ViaAWSService": "false" },
                "StringLike": { "aws:userAgent": "*exec-env/CloudShell*" }
            }
        }
    }

  • There is no Allow statement in your IAM policy, so no actions are allowed. So, as an example, if you allow all actions and conditionally deny them as shown below, you can also apply IP restrictions. Basically, it is dangerous to allow "Action": "*", so please use it for testing purposes. Also, try restarting CloudShell once after changing the IAM policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "NotIpAddress": {
                        "aws:SourceIp": [
                            "192.0.2.0/24",
                            "203.0.113.0/24"
                        ]
                    },
                    "Bool": {"aws:ViaAWSService": "false"},
                    "StringNotLike": {
                        "aws:userAgent": "*exec-env/CloudShell*"
                    }
                }
            }
        ]
    }
    
  • Sorry, but those Deny statements are dangerously constructed. For example, the latest Deny will not get hit if the request is made via a VPC endpoint, because the aws:SourceIp key is not present in requests made through endpoints. You would need to use the NotIpAddressIfExists, BoolIfExists, and StringNotLikeIfExists variants of the operators, so that each comparison evaluates to "true" when the condition key is absent. Also, the "User-Agent" header can be set freely by any attacker over any path, so it is only opportunistic filtering and no real protection at all.

  • As shown in the document below, there is an IP address range used by AWS services, so if you use this, you can change CloudShell restrictions to IP address restrictions. However, the following IP address ranges are subject to change, so if you want to completely fix CloudShell's IP address, we recommend connecting to a VPC and communicating via NAT Gateway. https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html
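To make the VPC-endpoint point in the thread concrete, here is a small Python evaluator (an added example, not code from the question, the answer, or AWS) that models the IAM rule the comment relies on: a plain operator evaluates to false when its condition key is absent from the request context, an ...IfExists operator to true. It runs the answer's Deny Condition, in both its plain and IfExists forms, against constructed request contexts; the `request` helper, the user-agent strings and the IP addresses are assumptions made up for the demo.

```python
import fnmatch
import ipaddress

ALLOWED_CIDRS = ["192.0.2.0/24", "203.0.113.0/24"]  # ranges from the answer above

def deny_condition(if_exists):
    """The answer's Deny Condition, with plain or ...IfExists operators."""
    sfx = "IfExists" if if_exists else ""
    return {
        "NotIpAddress" + sfx: {"aws:SourceIp": ALLOWED_CIDRS},
        "Bool" + sfx: {"aws:ViaAWSService": "false"},
        "StringNotLike" + sfx: {"aws:userAgent": "*exec-env/CloudShell*"},
    }

def _compare(op, value, patterns):
    """Evaluate one base operator against a request value that is present."""
    if op == "NotIpAddress":
        ip = ipaddress.ip_address(value)
        return not any(ip in ipaddress.ip_network(c) for c in patterns)
    if op == "Bool":
        return str(value).lower() == patterns[0].lower()
    if op == "StringNotLike":  # IAM string matching is case-sensitive
        return not any(fnmatch.fnmatchcase(value, p) for p in patterns)
    raise ValueError("unsupported operator: " + op)

def condition_matches(condition, ctx):
    """All operator blocks must hold (AND). A key that is missing from the
    request context makes a plain operator false but an ...IfExists one true."""
    for op, keys in condition.items():
        if_exists, base = op.endswith("IfExists"), op.replace("IfExists", "")
        for key, patterns in keys.items():
            patterns = patterns if isinstance(patterns, list) else [patterns]
            if key not in ctx:
                if if_exists:
                    continue
                return False
            if not _compare(base, ctx[key], patterns):
                return False
    return True

def is_denied(ctx, if_exists):
    """True when the Deny statement's Condition matches this request."""
    return condition_matches(deny_condition(if_exists), ctx)

def request(user_agent, source_ip=None):
    """Constructed context; source_ip=None models a VPC-endpoint request (no aws:SourceIp)."""
    ctx = {"aws:ViaAWSService": "false", "aws:userAgent": user_agent}
    if source_ip:
        ctx["aws:SourceIp"] = source_ip
    return ctx
```

With the plain operators a request that arrives through a VPC endpoint from outside the allowed ranges is not denied at all; with the IfExists variants it is, while CloudShell's user agent still passes in both forms.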
