Did you know that you can restrict an IAM user or group to specific services and Regions with a single policy? In this quick tutorial you will learn how to create an IAM policy that denies access to AWS resources outside the AWS Regions you choose. Let's get started.
Prerequisites
- AWS account
Creating an IAM Policy to Deny Access to Specific AWS Regions
The policy below is useful when you want a user or group to be explicitly denied access to AWS services outside the Regions you choose.
This policy denies any action outside the specified Regions (eu-central-1, eu-west-1, eu-west-2, eu-west-3), except for actions in the services listed under NotAction: CloudFront, IAM, Route 53 and Support. The policy contains the following attributes:
- Version: the policy language version, which is fixed at 2012-10-17.
- Effect: Deny in each statement, because we want to deny the user or group the ability to work with services outside the specified Regions.
- NotAction: the actions that are excluded from the Deny. Here every action of the listed services is excluded (cloudfront:*, iam:*, route53:*, support:*); any other action, such as listing your S3 buckets, is subject to the Deny.
- Resource: * so that the Deny applies to all resources of the services that are not excluded.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideRequestedRegions",
      "Effect": "Deny",
      "NotAction": [
        "cloudfront:*",
        "iam:*",
        "route53:*",
        "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-central-1",
            "eu-west-1",
            "eu-west-2",
            "eu-west-3"
          ]
        }
      }
    }
  ]
}
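As an added example that is not part of the original tutorial, the following Python script embeds the policy above and evaluates it locally, so you can see which (action, Region) requests the Deny statement catches before attaching it to anyone. The evaluator is a deliberately simplified model of how IAM combines NotAction with a StringNotEquals condition on aws:RequestedRegion (it ignores Resource and does not evaluate Allow statements); the function names and the sample requests are constructed for this example. It also illustrates why the global services are excluded: IAM, CloudFront and Route 53 are served from a single endpoint and report aws:RequestedRegion as us-east-1, so without the NotAction entries this Deny would lock users out of them. For authoritative results, run the same cases through the IAM policy simulator.

```python
import json
from fnmatch import fnmatchcase

# Constructed copy of the tutorial's policy (same statement as shown on the page).
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideRequestedRegions",
      "Effect": "Deny",
      "NotAction": ["cloudfront:*", "iam:*", "route53:*", "support:*"],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-central-1", "eu-west-1", "eu-west-2", "eu-west-3"]
        }
      }
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and '*' is a wildcard (e.g. 'iam:*')."""
    return fnmatchcase(action.lower(), pattern.lower())


def deny_statements_for(policy, action, requested_region):
    """Return the Sids of Deny statements that apply to this action/Region pair.

    Simplified model (an assumption of this example, not IAM's full evaluator):
    only Effect, Action/NotAction and a StringNotEquals condition on
    aws:RequestedRegion are evaluated; Resource is treated as '*'.
    """
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt:
            # The statement applies to every action EXCEPT those matching NotAction.
            if any(_action_matches(p, action) for p in _as_list(stmt["NotAction"])):
                continue
        elif "Action" in stmt:
            if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if "aws:RequestedRegion" in cond:
            allowed = _as_list(cond["aws:RequestedRegion"])
            # StringNotEquals holds (statement applies) only when the Region is NOT listed.
            if requested_region in allowed:
                continue
        hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def is_denied(policy, action, requested_region):
    """True if at least one Deny statement applies; an explicit Deny always wins in IAM.

    False means only that this policy does not deny the request; the caller still
    needs an Allow from some other policy for the request to succeed.
    """
    return bool(deny_statements_for(policy, action, requested_region))


if __name__ == "__main__":
    # Constructed sample requests: (action, value of aws:RequestedRegion).
    samples = [
        ("s3:ListAllMyBuckets", "eu-west-1"),   # in-Region: not denied by this policy
        ("ec2:RunInstances", "us-east-1"),      # out of Region: denied
        ("iam:CreateUser", "us-east-1"),        # global service, excluded via NotAction
        ("s3:GetObject", "ap-southeast-1"),     # out of Region: denied
    ]
    for action, region in samples:
        print(f"{action:22s} {region:16s} denied={is_denied(POLICY, action, region)}")
```

Running the script prints one line per sample request; the two S3 and EC2 calls outside the four EU Regions are reported as denied, while the IAM call is not, even though its requested Region is us-east-1.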
Conclusion
This tutorial demonstrated how to create an IAM policy that denies access to AWS resources outside the AWS Regions you specify.