Did you know you can restrict an IAM user or group to specific services and Regions with a single policy?
In this quick tutorial you will learn how to create an IAM policy that denies access to AWS resources outside the AWS Regions you choose.
Let's get started.
Prerequisites
- AWS account
Creating an IAM Policy to Deny Access outside Specific AWS Regions
The policy below is useful when you want a user or group to be explicitly denied access to AWS services in every Region except the ones you list. It contains the following attributes.
- Version is the policy language version. "2012-10-17" is the current version and is used as is.
- Effect is Deny, because we want to block the user or group from working with the covered services outside the permitted Regions. An explicit Deny cannot be overridden by any Allow attached to the same principal.
- NotAction lists the actions the statement does not apply to, so the Deny applies to every action except the ones listed. Action names take the form service:Operation, for example s3:ListAllMyBuckets to list S3 buckets; a wildcard such as iam:* covers every IAM action.
- Condition uses the aws:RequestedRegion key, which holds the Region a request is made against. With StringNotEquals, the statement matches (and denies) whenever the requested Region is none of eu-central-1, eu-west-1, eu-west-2 or eu-west-3.
- Sid is an optional statement identifier; here it documents what the statement does.
Put together, the policy denies any action outside the listed Regions except the CloudFront, IAM, Route 53 and Support actions excluded through NotAction. Those services are global: their API calls are always made to us-east-1, so without the exclusion this policy would lock users out of them. Any other global service your users need must be added to NotAction in the same way. The policy is:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideRequestedRegions",
            "Effect": "Deny",
            "NotAction": [
                "cloudfront:*",
                "iam:*",
                "route53:*",
                "support:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "eu-central-1",
                        "eu-west-1",
                        "eu-west-2",
                        "eu-west-3"
                    ]
                }
            }
        }
    ]
}
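Before attaching a Deny policy it is worth checking what it actually matches. The script below is an added example, not part of the original tutorial: it implements just the subset of IAM evaluation this policy relies on (Effect Deny, NotAction with service:* wildcards, Resource "*", and a StringNotEquals condition on aws:RequestedRegion) and runs the policy above against a set of constructed sample requests. It also evaluates a copy of the policy with the NotAction exclusions removed, to show why the global services have to be listed there. The request list and the function names are assumptions made for this example.

```python
"""Offline evaluation of the region-restriction Deny policy.

Added example (not from the original tutorial). Implements only the IAM
semantics the policy uses: Effect Deny, Action/NotAction wildcards, Resource "*"
and a StringNotEquals condition on aws:RequestedRegion. The sample requests
below are constructed for this example.
"""
import fnmatch
import json

POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideRequestedRegions",
      "Effect": "Deny",
      "NotAction": ["cloudfront:*", "iam:*", "route53:*", "support:*"],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-central-1", "eu-west-1", "eu-west-2", "eu-west-3"]
        }
      }
    }
  ]
}
"""
POLICY = json.loads(POLICY_JSON)


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive; '*' matches any run of characters."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_applies(stmt: dict, action: str, context: dict) -> bool:
    """True if the statement's Action/NotAction and Condition both match the request."""
    if "Action" in stmt:
        patterns = stmt["Action"]
        patterns = [patterns] if isinstance(patterns, str) else patterns
        if not any(action_matches(p, action) for p in patterns):
            return False
    if "NotAction" in stmt:
        patterns = stmt["NotAction"]
        patterns = [patterns] if isinstance(patterns, str) else patterns
        # NotAction matches every action EXCEPT the listed ones.
        if any(action_matches(p, action) for p in patterns):
            return False
    # Resource is "*" in this policy, so every resource matches; only the condition is left.
    for operator, clauses in stmt.get("Condition", {}).items():
        if operator != "StringNotEquals":
            raise NotImplementedError(f"operator {operator} not modelled in this example")
        for key, values in clauses.items():
            values = [values] if isinstance(values, str) else values
            actual = context.get(key)
            # StringNotEquals with a list is true only if the key equals none of the values.
            # A missing key also satisfies a negated operator (aws:RequestedRegion is always set).
            if actual is not None and actual in values:
                return False
    return True


def evaluate(policy: dict, action: str, context: dict) -> str:
    """Return "Deny" if any Deny statement applies, otherwise "NotDenied".

    The policy contains only Deny statements, so it never grants anything:
    "NotDenied" means the request falls through to the principal's other policies.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and statement_applies(stmt, action, context):
            return "Deny"
    return "NotDenied"


# Constructed sample requests (action, Region). Global services such as IAM,
# CloudFront and Route 53 always present aws:RequestedRegion as us-east-1.
SAMPLE_REQUESTS = [
    ("s3:ListAllMyBuckets", "eu-west-1"),
    ("ec2:RunInstances", "eu-central-1"),
    ("ec2:RunInstances", "us-east-1"),
    ("s3:CreateBucket", "ap-southeast-1"),
    ("iam:CreateUser", "us-east-1"),
    ("cloudfront:CreateDistribution", "us-east-1"),
    ("route53:ChangeResourceRecordSets", "us-east-1"),
]


def results(policy: dict = POLICY) -> dict:
    """Map "action@region" to the evaluation outcome for every sample request."""
    return {f"{a}@{r}": evaluate(policy, a, {"aws:RequestedRegion": r}) for a, r in SAMPLE_REQUESTS}


def without_not_action() -> dict:
    """Same policy with the NotAction exclusions replaced by Action "*": shows why they matter."""
    stripped = json.loads(POLICY_JSON)
    stripped["Statement"][0].pop("NotAction")
    stripped["Statement"][0]["Action"] = "*"
    return results(stripped)


if __name__ == "__main__":
    for request, outcome in results().items():
        print(f"{outcome:10s} {request}")
    print("iam:CreateUser without NotAction:", without_not_action()["iam:CreateUser@us-east-1"])
```

The same checks can be run against the real evaluator, with an AWS account, using the IAM policy simulator, for example `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names ec2:RunInstances --context-entries ContextKeyName=aws:RequestedRegion,ContextKeyValues=us-east-1,ContextKeyType=string`, which should report an explicit deny for that request and an implicit deny (no matching Deny) for the same action in eu-west-1.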
Conclusion
This tutorial showed how to create an IAM policy that denies access to AWS resources outside the Regions you specify. Attach it to the IAM users or groups you want to restrict; because it contains only a Deny statement, they still need separate Allow permissions for the work they are supposed to do.