I have two VPCs in my account, one for the Test and one for the Prod environment.
I am trying to set up IAM user accounts for developers, with permission boundaries, so that developers only have access to create/modify resources in the Test VPC.
How do I do that? Can you share a sample policy JSON?
An Amazon VPC is a virtual network.
It is not possible to control access to a network based on "users" because the network has no knowledge of users. It can only control traffic by IP address and protocol.
If you want developers to be able to login to instances in Test environment, but not a Prod environment, you would either need to control access on the instances themselves (eg when they login to an EC2 instance), or control access to the network (eg by controlling access to a VPN connection or having developers access resources on a network with a known IP address range).
This is exactly the same as controlling access on a corporate network — developers could be placed on a network that has access to Test resources, while Sys Admins could be placed on a network that has access to Prod resources. This has to do with how their computer is connected to the network, rather than "who" they are.
If, instead, your goal is to restrict the Dev's ability to create/change resources in a VPC, then this can be done by adding conditions to IAM policies. For example, granting them the ability to launch an EC2 instance but only in the Test VPC.
See: How to Help Lock Down a User’s Amazon EC2 Capabilities to a Single VPC | AWS Security Blog
What I get is you are trying to restrict users to the services which are under a particular VPC. I did the same thing for allowing users to update Lambda functions which are inside a particular VPC only. This can be done like below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllResources",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Sid": "DenyLambdaUpdatIfNotInsideVPC",
      "Effect": "Deny",
      "Action": [
        "lambda:CreateFunction",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "lambda:VpcIds": "your vpc id"
        }
      }
    }
  ]
}
In this way you can restrict users from accessing the resources which are outside your VPC by writing services and their specific actions in the deny statement.
We have AWS accounts created and managed using control tower service.
The requirement is to restrict internet access from Lambda even if it is not attached to any VPC.
By default, Lambda functions can connect to the internet if they are not connected to any VPC.
How do we enforce restricting internet access for users using Lambda functions?
Lambda is always in a VPC; when you don't specify a VPC it's assigned to a default one which has internet access configured.
Create a new VPC, by default it won't have internet access. And assign your functions to it.
We have addressed this requirement by creating a service control policy with the statements below and attaching it to the OU.
It forces users to select a VPC, subnet and security group while creating/updating the Lambda function. With this you can make sure the Lambda functions are always under your VPC.
Ref: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-conditions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceVPCFunction",
      "Action": [
        "lambda:CreateFunction",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "Null": {
          "lambda:VpcIds": "true"
        }
      }
    }
  ]
}
Refer to the AWS documentation above to find the policy statements for enforcing the restriction at different levels: subnet, security group and VPC.
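As an added example (not code from either answer in this thread), here is a small Python evaluator that exercises the two Lambda policies above: the Deny with StringNotEquals on lambda:VpcIds from the earlier answer and the SCP with the Null condition from this one. It implements only the operators those policies use, including IAM's rule that a missing request key satisfies a negated operator (StringNotEquals) but fails a positive one; the VPC ids used to exercise it are constructed.

```python
import fnmatch

# Added example, not code from the thread. A miniature IAM evaluator covering
# only what the two Lambda policies above use: Allow/Deny, action/resource
# wildcards, StringEquals, StringNotEquals and Null. VPC ids are constructed.

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_matches(cond, ctx):
    """True when every (operator, key) clause holds for request context ctx."""
    for op, clauses in cond.items():
        for key, expected in clauses.items():
            exp, present = _as_list(expected), key in ctx
            if op == "Null":
                # Null:"true" matches when the key is ABSENT from the request
                ok = present != (str(exp[0]).lower() == "true")
            elif op == "StringEquals":
                ok = present and ctx[key] in exp          # missing key -> no match
            elif op == "StringNotEquals":
                ok = not present or ctx[key] not in exp   # missing key -> match
            else:
                raise ValueError(f"unsupported condition operator {op}")
            if not ok:
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not _glob(st["Action"], action) or not _glob(st["Resource"], resource):
            continue
        if not _condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides any Allow
        decision = "Allow"
    return decision

# The SCP from the answer above, as a dict. It can only deny: a request it
# does not match falls through to ImplicitDeny, and an identity policy must
# still grant the action.
ENFORCE_VPC = {"Version": "2012-10-17", "Statement": [{
    "Sid": "EnforceVPCFunction", "Effect": "Deny",
    "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionConfiguration"],
    "Resource": "*", "Condition": {"Null": {"lambda:VpcIds": "true"}}}]}
```

Calling evaluate(ENFORCE_VPC, "lambda:CreateFunction", "*", {}) returns "Deny", while the same call with {"lambda:VpcIds": "vpc-TEST"} returns "ImplicitDeny" because the SCP never grants anything on its own.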
Is there a way to attach an AWS IAM profile to an Azure VM?
I'm trying to develop a common infrastructure for Azure and AWS and I want to use resources which are in AWS from an Azure VM.
I know I can do this by exporting AWS creds to the Azure VM, but is there a way I can attach an already existing AWS IAM profile to the Azure VM (if not directly, maybe through an interface or a service?) and access the resources (which is how I'm doing it from an EC2 instance currently)?
Sadly you can't do this. IAM instance profiles are only valid and usable from EC2 instances. You can't use instance profiles from outside of AWS.
As you mentioned, you have to explicitly provide AWS credentials to your Azure VM. For example, by creating an .aws/ folder with an AWS profile.
You should be able to achieve what you are looking for by using the same IAM role for both the EC2 instance profile and a managed identity assigned to your Azure VM.
From my limited understanding of AWS, the instance profile identifies your EC2 instance, so you can't use it directly.
To use the same role for both EC2 and Azure VM, here is how I would try this out:
First, familiarize yourself with how you can assign an Azure managed identity a role in AWS. I wrote this blog post recently to show how Managed identities can be granted access to AWS resources: https://blog.identitydigest.com/azuread-access-aws/
Now rather than create a new role as mentioned in the blog, you can reuse the role in your EC2 instance, by adding a trust relationship for the managed identity to AssumeRoleWithWebIdentity.
So the trust relationship for your existing role used in your EC2 profile will look something as follows: (please note, I have not tried multiple statements in a role but expect this to work based on the AWS documentation)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<your account>:oidc-provider/sts.windows.net/<your azure ad tenant>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "sts.windows.net/<your tenant>:aud": "app audience or managed identity client_id",
          "sts.windows.net/<your tenant>:sub": "in case you want to also include sub"
        }
      }
    }
  ]
}
Now if you assign the managed identity to the VM, it should be able to access the same resources as your EC2 instance.
I would like to know if it is possible to create a VPC endpoint for AWS Athena and restrict to only allow certain users (that MUST BE in my account) to use the VPC endpoint. I currently use this VPC endpoint policy for a S3 endpoint and I would need something similar to use with AWS Athena.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<MY_ACCOUNT_ID>:user/user1",
          "arn:aws:iam::<MY_ACCOUNT_ID>:user/user2",
          ...
        ]
      },
      "Action": "*",
      "Resource": "*"
    }
  ]
}
The problem I'm trying to solve is to block developers in my company, who are logged in to an RDP session inside my company VPN, from offloading data to a personal AWS account. So I would need a solution that blocks access to the public internet, so I think a VPC endpoint should be the only option, but I accept new ideas.
Yes you can, check out this doc.
https://docs.aws.amazon.com/athena/latest/ug/interface-vpc-endpoint.html
Also, keep in mind to adopt encryption at rest and in transit when querying data via Athena; by default the results are always open even if they are saved in an encrypted S3 bucket.
I use Redash on an EC2 instance, and I have to send invitation mails via Amazon SES.
I'd like to add a setting to restrict the mail sender to inside a certain VPC where the Redash instance is located.
Here's my IAM policy for SES:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-******"
        },
        "ForAnyValue:StringLike": {
          "ses:Recipients": "*@mycompany.com"
        }
      }
    }
  ]
}
But I can't send any mail. I think it's because I use a VPC endpoint in the code above. It's not available for SES yet.
Is there any other way to specify a certain VPC?
This is an interesting challenge!
The Amazon SES interface is on the internet, so theoretically anything can access it. Normally, policy restrictions use permissions on the IAM User or Role that calls SES to determine whether calls are allowed, rather than from where the call is made.
I assume you are doing this because you only want your Production system to send emails, rather than Dev/Test systems.
However, it is not possible to restrict via VPC, because Amazon SES has no visibility to the concept of a VPC. It simply receives API calls via the Internet.
If your application is in a private subnet and sends requests via NAT Gateway, then you could add a policy to restrict based upon the IP address of the NAT Gateway.
You could do this either by putting the restriction on the Allow statement, or by adding a Deny statement.
See: AWS: Denies Access to AWS Based on the Source IP - AWS Identity and Access Management
I have users that I want to restrict which subnets they can launch EC2 in but can't seem to figure out how to do this. I tried digging in IAM but couldn't find it in there. Is this possible to do in AWS?
Yes you can do that using the Identity and Access Management (IAM) service.
The policy below grants permission to use a specific subnet. In addition, it gives open access to additional resources the user will need to properly launch an instance into a subnet: AMIs, instances, network interfaces, volumes, key pairs, etc.
When launching into a subnet, the RunInstances request requires these resources by default, so the user needs permission to access these resources when launching the instance.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:region::image/ami-*",
        "arn:aws:ec2:region:account:instance/*",
        "arn:aws:ec2:region:account:subnet/subnet-1a2b3c4d",
        "arn:aws:ec2:region:account:network-interface/*",
        "arn:aws:ec2:region:account:volume/*",
        "arn:aws:ec2:region:account:key-pair/*",
        "arn:aws:ec2:region:account:security-group/sg-123abc123"
      ]
    }
  ]
}
Note the policy also provides access to a specific security group. You could make these fixed as needed, or provide * scope to allow them to specify any security group.
For more information, see Launching instances into a specific subnet
In addition to Rodrigo's answer, I had to add a number of permissions to the global resource to allow users to launch and manage instances through the web console:
{
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeImages",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpc*",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSpotPriceHistory",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeKeyPairs",
    "ec2:CreateTags",
    "ec2:DescribeInstances"
  ],
  "Resource": "*"
}
You may need to add a few more, depending on what exactly you want to allow your restricted users to do.
You can find the list of actions on Amazon's website, but when lacking permissions, you have to do some digging in the browser's error console - they just show up as unhandled 403s, for the most part.
Amazon is very slowly adding resource-level permissions, which will allow you to restrict things like "only show instances that are in this subnet", but until they do that, you can either let them see all instances or none of them.