DEV Community

Vitali

Originally published at securityblog.cloud

AWS 🔒 How to restrict access by IP

Hi there!

In today's post I would like to show you how to restrict access to your AWS account by source IP. Companies very often reach the Internet through a small set of static IP addresses (an office NAT gateway or a corporate VPN, for instance). If you know that every legitimate call to your AWS account has to come from those addresses, there is no reason to allow it from the whole Internet.
Here is a logic schema of how we are going to build the restriction:

[Figure: logic schema of the IP restriction]

⚠ The most important part is the IAM policy that enforces the restriction. It explicitly denies every action a user attempts from an untrusted IP. To do that we add a Condition block with two keys:

  • aws:SourceIp
  • aws:ViaAWSService

The first key, used with the NotIpAddress operator, limits the Deny to requests that do not come from our IP ranges. The second, checked with the Bool operator against "false", keeps the Deny from hitting requests that an AWS service makes on the user's behalf with the user's credentials (those come from AWS's own address space and would otherwise be blocked). Both conditions must be true for the Deny to apply, and an explicit Deny overrides every Allow, so the user's other permissions stay exactly as they are.
Your policy may look like this:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {
                "aws:SourceIp": [
                    "XXX.XXX.XXX.0/24",
                    "YYY.YYY.YYY.0/24"
                ]
            },
            "Bool": {"aws:ViaAWSService": "false"}
        }
    }
}

The cleanest way to apply the restriction is through an IAM user group: managing permissions by group is good practice anyway. The approach works just as well for a single user, so use a group or not depending on your case.

So next, create a group, attach the policies that grant the access your users need, and attach the IP-restriction policy alongside them. Try it on a test user first, from both a trusted and an untrusted address: a typo in a CIDR, or a source address that is not what you expect, locks out every principal the policy is attached to. Keep in mind that aws:SourceIp is the public address as AWS sees it, not your private LAN address, and that it is absent from requests that arrive through a VPC endpoint; NotIpAddress treats a missing key as a match, so such requests are denied by this policy unless you also condition on aws:VpcSourceIp.

[Screenshot: Create a Group]
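Before you attach the policy to real users it helps to see exactly which requests it will deny. The script below is an added example, not code from the original post: it builds the policy document above from a list of CIDRs (rejecting malformed ones up front) and then evaluates the Deny statement against a few constructed request contexts. The trusted ranges are RFC 5737 documentation addresses standing in for your own, and the evaluation models the IAM condition semantics described in the text (a negated operator such as NotIpAddress matches when its key is absent, a positive operator such as Bool does not); it is a local model, not a call to AWS.

```python
import ipaddress
import json

# Constructed placeholder ranges (RFC 5737 documentation space); replace with
# the public CIDRs your office or VPN actually uses as seen by AWS.
TRUSTED_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]


def build_policy(cidrs):
    """Return the deny-from-untrusted-IP policy document shown in the post.

    Each CIDR is parsed with strict=True so a typo such as 203.0.113.5/24
    (host bits set) raises ValueError here instead of silently locking out
    every principal the policy is attached to.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": [str(n) for n in nets]},
                "Bool": {"aws:ViaAWSService": "false"},
            },
        },
    }


def deny_applies(policy, context):
    """Evaluate the policy's single Deny statement against a request context.

    `context` holds the condition keys as IAM would see them, e.g.
    {"aws:SourceIp": "203.0.113.7", "aws:ViaAWSService": "false"}.
    Returns True when the explicit Deny matches. All condition blocks are
    ANDed. Assumed IAM semantics, modelled here rather than taken from the
    post: a negated operator such as NotIpAddress evaluates to true when its
    key is absent from the context (the case for requests made through a
    VPC endpoint), while a positive operator such as Bool evaluates to false
    when its key is absent.
    """
    cond = policy["Statement"]["Condition"]

    # NotIpAddress: matches unless the source address is inside a trusted range.
    src = context.get("aws:SourceIp")
    if src is None:
        not_ip_matches = True
    else:
        ip = ipaddress.ip_address(src)
        trusted = [ipaddress.ip_network(c) for c in cond["NotIpAddress"]["aws:SourceIp"]]
        not_ip_matches = not any(ip in net for net in trusted)

    # Bool: matches only when the key is present and equals "false".
    via = context.get("aws:ViaAWSService")
    expected = cond["Bool"]["aws:ViaAWSService"]
    bool_matches = via is not None and str(via).lower() == expected

    return not_ip_matches and bool_matches


# Constructed request contexts covering the cases worth checking before the
# policy goes anywhere near real users.
SAMPLE_REQUESTS = {
    "cli_from_office": {"aws:SourceIp": "203.0.113.7", "aws:ViaAWSService": "false"},
    "cli_from_coffee_shop": {"aws:SourceIp": "192.0.2.44", "aws:ViaAWSService": "false"},
    "service_on_behalf_of_user": {"aws:SourceIp": "192.0.2.44", "aws:ViaAWSService": "true"},
    "via_vpc_endpoint": {"aws:ViaAWSService": "false"},  # no aws:SourceIp at all
}


def evaluate_samples(cidrs=TRUSTED_CIDRS):
    """Map each sample request name to True if the policy would deny it."""
    policy = build_policy(cidrs)
    return {name: deny_applies(policy, ctx) for name, ctx in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(build_policy(TRUSTED_CIDRS), indent=4))
    for name, denied in evaluate_samples().items():
        print(f"{name:28s} -> {'DENY' if denied else 'not denied'}")
```

Write the printed document to a file and you can apply it with the AWS CLI: `aws iam create-policy --policy-name <name> --policy-document file://policy.json`, then `aws iam create-group` and `aws iam attach-group-policy` with the ARN that create-policy returns (the policy and group names are yours to choose). If you want AWS itself to confirm the model above, `aws iam simulate-custom-policy` accepts the same document together with context values for aws:SourceIp and aws:ViaAWSService.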

Now even if a user's access keys or password are compromised, the attacker still has to bypass one more control in your AWS account: the credentials only work from your trusted addresses. Treat it as defence in depth rather than a replacement for MFA and key rotation, since an attacker with a foothold on a machine inside your trusted range is not stopped by it.
Bye! 👋

Photo by Markus Spiske on Unsplash

Top comments (1)

Roberto Frias

I've tried adding this policy directly to the user and to the user group, and it just denies any attempt to use the aws-cli, but I've been unable to use programmatic access from a valid IP address. :(