AWS Aurora Serverless v2 IAM login with aws:SourceIp not working - amazon-web-services

I am trying to configure IP access restrictions on my public Aurora Serverless v2 cluster with IAM authentication (Postgres).
After applying the policy below, I cannot connect to the cluster with the generated token.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds-db:connect"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "123.241.200.168/32"
          ]
        }
      },
      "Effect": "Allow",
      "Resource": [
        "arn:aws:rds-db:eu-central-1:7777777836:dbuser:cluster-QQQIDWE6WQ/client01"
      ]
    }
  ]
}
After switching the condition to "IpAddressIfExists" it allows me to connect from any address, so I assume that there is no address available on connect. Is it possible to configure IP restrictions at the account level?

Unfortunately that action doesn't support any conditions (as listed on permissions.cloud), so you can't limit that API to IPs (and if the user is an administrator, you can't limit it at all, as mentioned in the docs).

So it looks like the only way to achieve what I want is to:
create a role with rds-db:connect permissions on the Postgres user
add a trust policy with sts:AssumeRole limited to the IP address
assign the role to the user
generate the token from the role assumed by the user
Access to the database is not limited by IP, so if someone retrieves the token from the user they will be able to connect, but tokens are valid for 15 minutes by default, so it fulfils my requirements.
Thank you #rowanu for the answer, it helped me a lot.
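As an added example (not code from the original question or from rowanu's answer), the two policy documents the self-answer describes, built in Python alongside a small model of how IAM evaluates an aws:SourceIp condition. Account ID, user name and the client address are constructed placeholders; the model only covers the IpAddress and IpAddressIfExists operators, enough to show why the IfExists variant in the question opened the cluster to every address.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed placeholder values (not from the original post).
ACCOUNT_ID = "111111111111"
USER_NAME = "db-client-user"
ALLOWED_CIDR = "123.241.200.168/32"
DB_USER_ARN = "arn:aws:rds-db:eu-central-1:111111111111:dbuser:cluster-EXAMPLE/client01"


def role_trust_policy(account_id: str, user_name: str, allowed_cidr: str) -> dict:
    """Trust policy for the role: only the named IAM user may assume it, and only
    when the sts:AssumeRole call itself originates from the allowed address."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user_name}"},
            "Action": "sts:AssumeRole",
            "Condition": {"IpAddress": {"aws:SourceIp": [allowed_cidr]}},
        }],
    }


def role_permissions_policy(db_user_arn: str) -> dict:
    """Identity policy attached to the role: the unconditional rds-db:connect grant.
    The IP restriction lives in the trust policy, not here."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "rds-db:connect", "Resource": db_user_arn}],
    }


def source_ip_condition_matches(condition: Dict[str, Dict[str, List[str]]],
                                source_ip: Optional[str]) -> bool:
    """Model of IAM's evaluation of an aws:SourceIp condition block.
    source_ip=None represents a request in which the key is absent, which is what
    the question observed for rds-db:connect: IpAddress then evaluates false,
    while IpAddressIfExists evaluates true and therefore allows everyone."""
    for operator, keys in condition.items():
        cidrs = keys.get("aws:SourceIp", [])
        if source_ip is None:
            if operator == "IpAddressIfExists":
                continue          # missing key is treated as a match
            return False          # plain IpAddress: a missing key never matches
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs):
            return False
    return True
```

Once the role exists, the token is minted from the assumed-role credentials with aws rds generate-db-auth-token (hostname, port, region and username arguments); as the answer notes, that token is not IP-bound, so its 15-minute lifetime is the only limit on a leaked copy.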

Related

AWS Elastic Search With Kibana - Authentication through IP-based policies or resource-based policies DO NOT WORK AT ALL

In my serverless.yaml file I create and restrict access to my ElasticSearch domain service and Kibana. However, through AWS resource-based policies or AWS IP-based policies I am not able to access Kibana.
The restriction was done following the AWS tutorial source below.
However, it did not work and I got this error when I tried to access Kibana: {"Message":"User: anonymous is not authorized to perform: es:ESHttpGet"}
So, it means that Kibana now requires a user. So, the only way now is to use AWS Cognito??
Thank you very much in advance!
Cheers,
Marcelo
You need to modify your access policy as
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:ap-south-1:****:domain/es-cert/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "88.8.888.8"
          ]
        }
      }
    }
  ]
}
In the "aws:SourceIp" section, you need to add your public IP address.
I would question which ElasticSearch domain you created. Did you create it with VPC or HTTP access? I did just this the other day and in trying to implement my IP access policy, nothing worked. I finally found this article, recreated my domain, applied my access policy, similar to what you have above, and it worked.
“If you enabled VPC access, you can't use IP-based policies. Instead, you can use security groups to control which IP addresses can access the domain.”
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createupdatedomains.html

Is it possible to use AWS Athena using a VPC endpoint?

I would like to know if it is possible to create a VPC endpoint for AWS Athena and restrict to only allow certain users (that MUST BE in my account) to use the VPC endpoint. I currently use this VPC endpoint policy for a S3 endpoint and I would need something similar to use with AWS Athena.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<MY_ACCOUNT_ID>:user/user1",
          "arn:aws:iam::<MY_ACCOUNT_ID>:user/user2",
          ...
        ]
      },
      "Action": "*",
      "Resource": "*"
    }
  ]
}
The problem I'm trying to solve is to block developers in my company, who are logged in to an RDP session inside my company VPN, from offloading data to a personal AWS account. So I would need a solution that blocks access to the public internet, so I think a VPC endpoint should be the only option, but I accept new ideas.
Yes you can, check out this doc:
https://docs.aws.amazon.com/athena/latest/ug/interface-vpc-endpoint.html
Also, keep in mind to adopt encryption at rest and in transit when querying data via Athena; the results are by default open even if they are saved on an encrypted S3 bucket.

How to manage visibility of EC2 userdata in AWS Console

The AWS EC2 Dashboard allows users to view/change the user data for any given EC2 instance via
Actions -> Instance Settings -> View/Change User Data
Is there an AWS IAM action that can restrict this feature from users of the Console?
Amazon EC2 User Data is retrieved via the DescribeInstanceAttribute API call. You can create a policy to DENY such permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NoAttributes",
      "Effect": "Deny",
      "Action": [
        "ec2:DescribeInstanceAttribute"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
However, there is a risk that denying this permission might have some unintended side-effects because it will also block access to other attributes, too. So, make sure you test it.
It's also worth pointing out that User Data is only executed the first time the instance boots ("once per instance-id"). So, even if users have the ability to edit the User Data, it won't actually be executed after the first boot.

Proper access policy for Amazon Elastic Search Cluster

I've recently started using the new Amazon Elasticsearch Service and I can't seem to figure out the access policy I need so that I can only access the services from my EC2 instances that have a specific IAM role assigned to them.
Here's an example of the access policy I currently have assigned for the ES domain:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::[ACCOUNT_ID]:role/my_es_role"
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:[ACCOUNT_ID]:domain/[ES_DOMAIN]/*"
    }
  ]
}
But as I said, this doesn't work. I log into the EC2 instance (which has the my_es_role role attached to it) and attempt to run a simple curl call on the "https://*.es.amazonaws.com" endpoint, and I get the following error:
{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet on resource: arn:aws:es:us-east-1:[ACCOUNT_ID]:domain/[ES_DOMAIN]/"}
Does anyone know what I have to change in the access policy in order for this to work?
You can lock access down to IAM-only, but how will you view Kibana in your browser? You could setup a proxy (see Gist and/or NPM module) or enable both IAM and IP-based access for viewing results.
I was able to get both IAM access and IP-restricted access with the following access policy. Note that the order is important: I could not get it working with the IP-based statement before the IAM statement.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.168.1.0",
            "192.168.1.1"
          ]
        }
      }
    }
  ]
}
My EC2 instance has an instance profile with the arn:aws:iam::aws:policy/AmazonESFullAccess policy. Logstash should sign requests using the logstash-output-amazon-es output plugin. Logstash running on my EC2 instance includes an output section like this:
output {
  amazon_es {
    hosts => ["ELASTICSEARCH_HOST"]
    region => "AWS_REGION"
  }
  # If you need to do some testing & debugging, uncomment this line:
  # stdout { codec => rubydebug }
}
I can access Kibana from the two IPs in the access policy (192.168.1.0 and 192.168.1.1).
According to the AWS doc, and as you (and I) just tested, you cannot restrict access to an AWS ES domain to a role/account/user/... and simply cURL it!
"Standard clients, such as curl, cannot perform the request signing that is required of identity-based access policies. You must use an IP address-based access policy that allows anonymous access to successfully perform the instructions for this step."
(http://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-gsg-search.html)
So you basically have two solutions:
change your access policy and restrict it to IP(s); I think you cannot use a private IP because your ES cluster does not seem to belong to your VPC (default or not). Please use the public IP
sign your request: http://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-managedomains.html#es-managedomains-signing-service-requests
Signing your request is probably the best solution if you want to keep your access policy as is (which is more flexible than restricting to an IP), but it seems to be a bit more complex. I haven't tried it so far and I cannot find any doc to help.
A bit late to the party, but I was able to deal with the exact same issue by adding signature to my requests.
If you use Python (like I do), you can use the following library to make it particularly easy to implement:
https://github.com/DavidMuller/aws-requests-auth
It worked perfectly for me.
You may either use a resource-based policy or an identity-based policy rather than an IP-based policy, which is like hard coding the IP address.
But you need to use Signature Version 4 to sign the request.
For a Java implementation please refer to http://mytechbites.blogspot.in/2017/04/secure-amazon-elastic-search-service.html
You just need the full user name in the Elasticsearch policy.
In this case, you can get your full user name from the error message itself.
In my case:
"arn:aws:sts::[ACCOUNT_ID]:assumed-role/[LAMBDA_POLICY_NAME]/[LAMBDA_NAME]"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:sts::xxxxxxxxxxxx:assumed-role/[lambda-role]/[full-lambda-name]"
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:[region]:xxxxxxxxxxxxx:domain/[elasticsearch-domain-name]/*"
    }
  ]
}
The role ARN needs to be changed. It will look like "arn:aws:iam::[ACCOUNT_ID]:role/service-role/my_es_role"
I'm also trying to do this, and I got it working using the "Allow access to the domain from specific IP(s)" option with the Elastic IP of my EC2 instance (it could also work using the instance's private IP, but I'm not too sure).

How to show a specific EC2 instance to a user

I have some AWS EC2 instances and would like to show ONLY one instance to partners.
I created an IAM user for the partner. The following is the policy I created.
But when the partner logs in to AWS and opens the EC2 instance view, the following message is displayed and no instance is shown:
An error occurred fetching instance data: You are not authorized to
perform this operation.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:*"
      ],
      "Sid": "Stmt1373378552000",
      "Resource": [
        "arn:aws:ec2:ap-northeast-1:123456789012:instance/i-12345678"
      ],
      "Effect": "Allow"
    }
  ]
}
(123456789012 is my (dummy) account ID and i-12345678 is the instance I would like to show)
I also tried to specify it by tag name like the following, but it does not work:
"Condition": {
  "StringEquals": {
    "ec2:ResourceTag/Name": "node-B"
  }
},
Does anyone know how to show a specific EC2 instance to partners??
This is not currently supported.
Only selected Amazon EC2 API actions currently support resource-level permissions:
Describe calls do not support resource-level permissions
Start/Stop/Terminate (and others) are supported
The AWS Management Console is using a DescribeInstances call, which cannot be restricted to a specific resource. Hence, the error you received.
See also:
Supported Resource-Level Permissions for Amazon EC2 API Actions