How do I add an IP source condition to AWS managed policy in IAM User or Role

1

I need to add a aws:SourceIp and aws:VpcSourceIp conditions to a Role with only AWS managed policies. What would the CloudFormation template used to create the Role look like? Thanks!

  • I submitted an answer, hope it helps!

已提問 4 個月前檢視次數 262 次
3 個答案
1
已接受的答案

This was what I used that worked:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CustomPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CustomIPPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Deny
            Action: "*"
            Resource: "*"
            Condition:
              NotIpAddress:
                aws:SourceIp:
                  - "192.0.2.0/24" # Specify the IP range(s) you want to allow
      Roles:
        - Ref: MyIAMRole

  MyIAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
              AWS: arn:aws:iam::XXXXXXXXXXXX:user/tester
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/ReadOnlyAccess"
已回答 4 個月前
profile picture
專家
已審閱 3 個月前
profile pictureAWS
專家
已審閱 4 個月前
0

To add an IP source condition to an AWS managed policy in an IAM Role using CloudFormation, you would typically create a custom managed policy that includes the desired conditions, and then attach that custom policy to the IAM Role. Here's a CloudFormation template to achieve this:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CustomPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CustomIPPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"
            Condition:
              IpAddress:
                aws:SourceIp:
                  - "192.0.2.0/24" # Specify the IP range(s) you want to allow
              StringEquals:
                aws:SourceVpc: "vpc-1234567890abcdef0" # Specify the VPC ID
      Roles:
        - Ref: MyIAMRole

  MyIAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole

In this CloudFormation template:

  1. We create a custom IAM policy named CustomIPPolicy with the desired IP source conditions specified in the PolicyDocument.
  2. We create an IAM Role named MyRole with the AssumeRolePolicyDocument specifying the service (in this case, EC2) that can assume this role.
  3. We attach the custom policy CustomIPPolicy to the IAM Role MyRole.

Make sure to replace "192.0.2.0/24" with the IP range(s) you want to allow and "vpc-1234567890abcdef0" with the VPC ID you want to allow as the source. You can also adjust the actions and resources in the policy statement as per your requirements.

Mustafa
已回答 4 個月前
  • Your example is for inline policy. I was looking for a solution for a Role with AWS managed policy without any inline policy. I used Deny Effect with NotIPAddress condition for the allowed IP addresses on all Actions and Resources to fix it.

    Thanks for your help though. I appreciate!

0
profile picture
專家
GK
已回答 4 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南