How to use SCP to restrict AWS RAM resource sharing based on matching tags attached to Principals and Resource being shared? - amazon-iam

I want to create and attach an SCP to the AWS Organization root or an OU to allow the sharing of subnets between accounts only if the share receiver principal (e.g., an AWS account) and the subnet being shared have matching tags (e.g., env:prod). Something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowResourceSharingWithMatchingTags",
      "Effect": "Allow",
      "Action": "ram:ShareResource",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:PrincipalTag/env": "${aws:ResourceTag/env}"
        }
      }
    }
  ]
}
I cannot test the validity of the above policy because I don't have the proper setup and permissions. Has anybody tried to achieve something similar using SCP?
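To sanity-check a draft like the one above without an Organization to test in, here is an added example (not from the question or from AWS tooling): a small offline evaluator for the subset of IAM policy semantics the SCP relies on, namely Allow/Deny, StringEquals and StringNotEquals, the ForAnyValue set prefix and ${...} policy-variable substitution. It is general enough to run the other Allow/Deny policies on this page against a constructed request context. The sample SCP and request contexts are constructed, the subnet ARN is a placeholder, and the evaluator models aws:PrincipalTag as IAM does: the tag on the principal making the ram:ShareResource call, not on the account receiving the share.

```python
# Added example (not from the original posts or from AWS): an offline evaluator for the subset
# of IAM semantics these policies rely on, for sanity-checking a draft such as the SCP above.
import fnmatch
import re

VAR = re.compile(r"\$\{([^}]+)\}")
OPS = {"StringEquals": lambda a, exp: a in exp, "StringNotEquals": lambda a, exp: a not in exp}
_listify = lambda v: v if isinstance(v, list) else [v]

def _expand(value, ctx):
    # Resolve ${aws:ResourceTag/env}-style policy variables from the request context.
    return VAR.sub(lambda m: ctx.get(m.group(1), ""), value)

def condition_holds(cond, ctx):
    # Every operator/key pair must pass; ForAnyValue: needs one passing context value.
    for op, tests in cond.items():
        base = op.split(":")[-1]
        for key, expected in tests.items():
            expected = [_expand(e, ctx) for e in _listify(expected)]
            if key not in ctx:
                # As in IAM, a missing key fails StringEquals but passes StringNotEquals.
                if base == "StringNotEquals":
                    continue
                return False
            results = [OPS[base](a, expected) for a in _listify(ctx[key])]
            if not (any(results) if op.startswith("ForAnyValue:") else all(results)):
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request; an explicit Deny wins."""
    outcome = "ImplicitDeny"
    for st in policy["Statement"]:
        if (not any(fnmatch.fnmatchcase(action, a) for a in _listify(st.get("Action", [])))
                or not any(fnmatch.fnmatchcase(resource, r) for r in _listify(st.get("Resource", [])))
                or not condition_holds(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        outcome = "Allow"
    return outcome

# The question's draft SCP (syntax corrected); aws:PrincipalTag comes from the calling principal.
SCP = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ram:ShareResource", "Resource": "*",
    "Condition": {"ForAnyValue:StringEquals": {"aws:PrincipalTag/env": "${aws:ResourceTag/env}"}}}]}

def share_outcome(principal_env, resource_env):
    # Constructed request context for sharing a subnet (the ARN is a placeholder).
    ctx = {"aws:PrincipalTag/env": principal_env, "aws:ResourceTag/env": resource_env}
    return evaluate(SCP, "ram:ShareResource", "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-0a", ctx)
```

Remember that an SCP only bounds what identity policies can grant, so "Allow" here means the share is not blocked by the SCP, not that it is permitted outright.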

Related

block user to provision resources not in standard region (AWS)

I want to know whether there is any way to prevent users from provisioning resources in all AWS regions except one, for example ap-southeast-1.
I want nobody to be able to provision any resources in any AWS region except one region, which is ap-southeast-1.
Thanks
Yes, you can create an IAM policy and attach it to users whose regions you want to restrict.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {
        "aws:RequestedRegion": [
          "ap-southeast-1"
        ]
      }
    }
  }]
}
This policy will restrict access to ap-southeast-1 only.

Attach Policy to AWS Elasticsearch

I have made a whitelist policy containing the list of IP addresses from which I want to allow access.
Sample below; assume the policy ARN is arn:aws:iam::0000000:policy/Whitelister
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "W.X.Y.Z",
            "A.B.C.D"
          ]
        }
      }
    }
  ]
}
I have an AWS Elasticsearch (ES) domain, which allows a JSON-based access policy. How can I use the above policy in the AWS ES policy to restrict access to these IPs only?
I have hard-coded the IPs for now, but that causes redundancy and updating the IPs will be difficult.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": [
        "arn:aws:es:****************/domain-name/*",
        "arn:aws:es:****************/domain-name/"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "W.X.Y.Z",
            "A.B.C.D"
          ]
        }
      }
    }
  ]
}
Unfortunately, you can't use your policy in the IP policy for an ES domain.
Let me elaborate a bit on this, as I think there is some confusion between resource-based policies, such as IP policies for the ES domain, and identity-based policies for IAM users, roles or groups. The differences are explained in the AWS docs.
In short, your policy arn:aws:iam::0000000:policy/Whitelister is a so-called managed policy. Managed policies can only be attached to an IAM identity, which can be an IAM user, group or role. They can't be attached to resource-based policies.

AWS deny access to VPC

We have a few users which basically have access to everything using the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
Is there a way to restrict access to selected VPCs?
I have tried creating the following policy and attaching it to the user (via a group):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1504660000000",
      "Effect": "Deny",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "arn:aws:ec2:<REGION>:<ACCOUNT-ID>:vpc/<VPC-ID>"
      ]
    }
  ]
}
I have replaced <REGION>, <ACCOUNT-ID> and <VPC-ID>.
The policy simulator denies access (StartInstances, StopInstances, etc.) correctly. Nevertheless, a user with this policy attached can still create EC2 instances within the VPC.
Why does my policy not deny access to the VPC? As far as I know, "Deny" overrides "Allow".
What is the correct way of achieving this? I have read through this and this but don't understand how it would restrict access.
It's a tricky one. You have to look up and include all actions and resources that support the ec2:Vpc condition and deny those API actions. For other actions, you have to find conditions which are common to those API actions, include those actions in separate statement blocks and deny them by other means, e.g. using tags or something else.
Also, as the users have AdministratorAccess, you have to make sure that the users cannot detach this Deny policy and escalate their privileges.
For other services that use VPCs, e.g. RDS, it is not possible.
[1] http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html
Here, you don't want to give permission to EC2 inside one VPC. So you should use the VPC as a condition and EC2 as the resource.
Look at the code below -
{
  "Effect": "Deny",
  "Action": "ec2:*",
  "Resource": "arn:aws:ec2:region:account:subnet/*",
  "Condition": {
    "StringEquals": {
      "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"
    }
  }
}
Explanation: here we are denying the EC2 permissions that fall under a specific VPC. I have used the subnet as the EC2 resource here; that is optional, and you may change it if required.

AWS allow policy to create tags for instances on a particular VPC

I want to be able to apply tags only to instances running in EC2 on a particular VPC (vpc-11111111).
I tried to use the policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2TagNonresourceSpecificActions",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DescribeTags"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:vpc": "arn:aws:ec2:<myRegion>:<myCustomerId>:vpc/vpc-11111111"
        }
      },
      "Resource": "*"
    }
  ]
}
but the user with this policy cannot modify the tags unless I remove the condition.
What have I done wrong?
Tags do not support conditions, according to Amazon docs and support.
This is a long-standing feature request, open for several years!
Normally, if a particular AWS user is given rights, the tag rights are inside those policies.
A mistake in your new policies will override that default access. You should try it out using the AWS policy simulator.
Try adding a principal and try it out.
"Principal": {
  "AWS": "arn:aws:iam::<myCustomerId>:user/*"
}

Restricting S3 bucket access to a VPC

I am trying to apply the following policy in order to restrict my_bucket's access to a particular VPC.
When I try to apply this as a bucket policy, I get a "Policy has an invalid condition key - ec2:Vpc" error.
How do I correct this?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "*",
      "Resource": "arn:aws:s3:::my_bucket/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-ccccccc"
        }
      }
    }
  ]
}
I just got this to work. I had to do two things: 1) create the bucket policy on the S3 bucket, 2) create a "VPC Endpoint".
My S3 bucket policy looks like this (of course, put in your own bucket name and VPC identifier):
{
  "Version": "2012-10-17",
  "Id": "Policy1234567890123",
  "Statement": [
    {
      "Sid": "Stmt1234567890123",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my_bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpc": "vpc-12345678"
        }
      }
    }
  ]
}
The S3 bucket also has some permissions outside the bucket policy to allow access from the AWS Console. Doing the above alone did not give access. To get access, I also had to go to AWS Console -> VPC -> Endpoints and create an endpoint. I attached the newly created endpoint to the only routing policy the account has at the moment (which has all subnets attached to it), and I used the default policy of
{
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": "*"
    }
  ]
}
Once I created the endpoint, I was able to read from the S3 bucket from any EC2 instance in my VPC simply by using wget with the right URL. I am still able to access the bucket from the AWS Console. But if I try to access the URL from outside the VPC, I get 403 Forbidden. Thus, access to the S3 bucket is restricted to a single VPC, just like what you are looking for.
This is apparently a new feature. See this AWS blog entry for more information.
Two things that bit me and which might be helpful to add to Eddie's nice answer are:
First, you won't be able to view your bucket (or even modify its policy once you set the policy above) in the S3 AWS console unless you also give your AWS users permissions to manipulate the bucket. To do that, find your AWS account number (displayed in upper-right here), and add this statement to the bucket policy statements list:
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::YOUR_AWS_ACCOUNT_NUMBER:root"
  },
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::my_bucket",
    "arn:aws:s3:::my_bucket/*"
  ]
},
Second, if you have more than one VPC, say vpc-XXXXXX and vpc-YYYYYY, to give access to, the statement in Eddie's answer needs to be tweaked to something like the following (note the "Allow", the "StringEquals" and the list of sourceVpc values):
...
"Effect": "Allow",
...
"Condition": {
  "StringEquals": {
    "aws:sourceVpc": [
      "vpc-XXXXXXXX",
      "vpc-YYYYYYYY"
    ]
  }
No, you can't do that.
Here's another person asking the same: https://forums.aws.amazon.com/thread.jspa?threadID=102387
Some have gotten overly creative with the problem, trying to solve it with networking: https://pete.wtf/2012/05/01/how-to-setup-aws-s3-access-from-specific-ips/
I prefer a simpler route: S3 allows you to sign URLs to solve this very problem, but inside your VPC you may not want to have to think about signing, or you just couldn't sign, for example if you are using wget, etc. So I wrote this little micro-service for that very reason: https://github.com/rmmeans/S3-Private-Downloader
Hope that helps!
UPDATED:
AWS now has a feature for VPC endpoints: https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/. You should use that and not what I previously suggested.