How do I add an IP source condition to AWS managed policy in IAM User or Role

1

I need to add a aws:SourceIp and aws:VpcSourceIp conditions to a Role with only AWS managed policies. What would the CloudFormation template used to create the Role look like? Thanks!

  • I submitted an answer, hope it helps!

已提问 4 个月前260 查看次数
3 回答
1
已接受的回答

This was what I used that worked:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CustomPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CustomIPPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Deny
            Action: "*"
            Resource: "*"
            Condition:
              NotIpAddress:
                aws:SourceIp:
                  - "192.0.2.0/24" # Specify the IP range(s) you want to allow
      Roles:
        - Ref: MyIAMRole

  MyIAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
              AWS: arn:aws:iam::XXXXXXXXXXXX:user/tester
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/ReadOnlyAccess"
已回答 4 个月前
profile picture
专家
已审核 3 个月前
profile pictureAWS
专家
已审核 4 个月前
0

To add an IP source condition to an AWS managed policy in an IAM Role using CloudFormation, you would typically create a custom managed policy that includes the desired conditions, and then attach that custom policy to the IAM Role. Here's a CloudFormation template to achieve this:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CustomPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CustomIPPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"
            Condition:
              IpAddress:
                aws:SourceIp:
                  - "192.0.2.0/24" # Specify the IP range(s) you want to allow
              StringEquals:
                aws:SourceVpc: "vpc-1234567890abcdef0" # Specify the VPC ID
      Roles:
        - Ref: MyIAMRole

  MyIAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole

In this CloudFormation template:

  1. We create a custom IAM policy named CustomIPPolicy with the desired IP source conditions specified in the PolicyDocument.
  2. We create an IAM Role named MyRole with the AssumeRolePolicyDocument specifying the service (in this case, EC2) that can assume this role.
  3. We attach the custom policy CustomIPPolicy to the IAM Role MyRole.

Make sure to replace "192.0.2.0/24" with the IP range(s) you want to allow and "vpc-1234567890abcdef0" with the VPC ID you want to allow as the source. You can also adjust the actions and resources in the policy statement as per your requirements.

Mustafa
已回答 4 个月前
  • Your example is for inline policy. I was looking for a solution for a Role with AWS managed policy without any inline policy. I used Deny Effect with NotIPAddress condition for the allowed IP addresses on all Actions and Resources to fix it.

    Thanks for your help though. I appreciate!

0
profile picture
专家
GK
已回答 4 个月前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则