How to Deny IP Addresses Access to AWS Using an IAM Policy (with IAM Policy Examples)

Did you know you can restrict which IP addresses may call AWS services with a single IAM policy?

In this quick tutorial you will learn how to deny IP addresses access to AWS using an IAM policy, with IAM policy examples.

Let's get started.

Prerequisites

  • AWS account
  • Permissions to create IAM Policy

Let's walk through the IAM policy below.

  • Version is the policy language version, which is fixed ("2012-10-17").
  • Effect is Deny, because we want requests from unlisted IP addresses to be refused.
  • Action and Resource are both the * wildcard, so the denial covers every action on every AWS resource.
  • The NotIpAddress condition on aws:SourceIp matches any request whose source IP is outside the listed CIDR ranges, so the statement denies everything except requests from those two ranges. The Bool condition on aws:ViaAWSService limits the denial to requests the principal makes directly: when an AWS service (for example CloudFormation) calls another service on the principal's behalf, aws:ViaAWSService is true and the request originates from AWS's own address space, so without this condition those calls would be denied too.
  • Two caveats before attaching this: an explicit Deny overrides every Allow, so a typo in the CIDR list locks out everyone, including the administrator who attached the policy; and requests that arrive through a VPC endpoint carry no aws:SourceIp (they carry aws:VpcSourceIp instead), so this statement denies them as well.
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {
                "aws:SourceIp": [
                    "192.0.2.0/24",
                    "203.0.113.0/24"
                ]
            },
            "Bool": {"aws:ViaAWSService": "false"}
        }
    }
}

Conclusion

This tutorial showed how to deny access to AWS from all but a set of IP addresses using an IAM policy.


How to Allow Access to AWS EC2 Instances on Specific Dates Using an IAM Policy

Did you know you can limit an IAM user or group to using an AWS service only during a specific date range, with a single policy?

In this quick tutorial you will learn how to allow access to AWS EC2 instances on specific dates using an IAM policy.

Let's get started.

Prerequisites

  • AWS account
  • Permissions to create IAM Policy

Creating an IAM Policy to Access AWS EC2 Instances on Specific Dates

Let's walk through the IAM policy below.

  • Version is the policy language version, which is fixed ("2012-10-17").
  • Effect is Allow, because we want the users or group to be able to describe EC2 instances.
  • Resource is the * wildcard: ec2:DescribeInstances does not support resource-level permissions, so the action has to be granted for all instances.
  • The Condition uses DateGreaterThan and DateLessThan on aws:CurrentTime, so the Allow applies only between the start and end timestamps. The start must be earlier than the end; if the bounds are inverted the condition can never be satisfied and the policy grants nothing. Note also that this is a conditional Allow, not a Deny: it does not remove access granted by other policies outside the window.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*",
            "Condition": {
                "DateGreaterThan": {"aws:CurrentTime": "2020-06-30T23:59:59Z"},
                "DateLessThan": {"aws:CurrentTime": "2023-03-11T00:00:00Z"}
            }
        }
    ]
}

Conclusion

This tutorial showed how to create an IAM policy that allows access to EC2 instances only on specific dates.

How to Create an IAM Policy to Access an AWS DynamoDB Table

Did you know you can allow an IAM user or group access to a DynamoDB table with a single policy?

In this quick tutorial you will learn how to create an IAM policy to access an AWS DynamoDB table.

Let's get started.

Prerequisites

  • AWS account
  • Permissions to create IAM policies

Creating an IAM Policy to Access a DynamoDB Table

This section shows an IAM policy that allows a user or group to access a DynamoDB table. Let's go through it.

  • Version is the policy language version, which is fixed ("2012-10-17").
  • Effect is Allow in both statements, because we want the users or group to be able to list tables and to work with one table.
  • The policy has two statements:
  • The first statement (ListandDescribe) allows listing tables and describing limits, reserved capacity and time-to-live settings. Resource is *, so these actions apply across the whole account.
  • The second statement (SpecificTable) allows read and write operations on one table, MyTable, in any Region and account matched by the ARN pattern arn:aws:dynamodb:*:*:table/MyTable. It grants that access to whichever principal the policy is attached to, not to every user or role.
  • Check the wildcards before using this on a production table: dynamodb:Delete* also matches dynamodb:DeleteTable, dynamodb:Update* also matches dynamodb:UpdateTable, and dynamodb:CreateTable is listed as well. If the principal should only read and write items, replace those with dynamodb:DeleteItem and dynamodb:UpdateItem and drop dynamodb:CreateTable.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListandDescribe",
            "Effect": "Allow",
            "Action": [
                "dynamodb:List*",
                "dynamodb:DescribeReservedCapacity*",
                "dynamodb:DescribeLimits",
                "dynamodb:DescribeTimeToLive"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SpecificTable",
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGet*",
                "dynamodb:DescribeStream",
                "dynamodb:DescribeTable",
                "dynamodb:Get*",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWrite*",
                "dynamodb:CreateTable",
                "dynamodb:Delete*",
                "dynamodb:Update*",
                "dynamodb:PutItem"
            ],
            "Resource": "arn:aws:dynamodb:*:*:table/MyTable"
        }
    ]
}

Conclusion

This tutorial showed how to create an IAM policy to access an AWS DynamoDB table.

How to Create an IAM Policy to Deny Access to AWS Resources Outside Specific AWS Regions

Did you know you can restrict an IAM user or group to a set of AWS Regions, across all services, with a single policy?

In this quick tutorial you will learn how to create an IAM policy that denies access to AWS resources outside specific AWS Regions.

Let's get started.

Prerequisites

  • AWS account

Creating an IAM Policy to Deny Access Outside Specific AWS Regions

The policy below is useful when you want a user or group to be explicitly denied every AWS action outside a set of approved Regions.

  • Version is the policy language version, which is fixed ("2012-10-17").
  • Effect is Deny, because we want the users or group to be refused any action outside the listed Regions.
  • NotAction is the complement of Action: the statement applies to every action except the ones listed. Here it exempts cloudfront:*, iam:*, route53:* and support:*, because these are global services whose requests are not scoped to the Regions in the list; without the exemption the policy would lock the principal out of IAM, DNS and support entirely.
  • The Condition uses StringNotEquals on aws:RequestedRegion, so the Deny fires whenever a request targets a Region other than eu-central-1, eu-west-1, eu-west-2 or eu-west-3. Any other global service you rely on is not exempted and will be denied unless you add it to NotAction, and because an explicit Deny overrides every Allow, test the policy with the IAM policy simulator before attaching it.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideRequestedRegions",
            "Effect": "Deny",
            "NotAction": [
                "cloudfront:*",
                "iam:*",
                "route53:*",
                "support:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "eu-central-1",
                        "eu-west-1",
                        "eu-west-2",
                        "eu-west-3"
                    ]
                }
            }
        }
    ]
}
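The four policies on this page all depend on the same evaluation rules: an explicit Deny overrides any Allow, NotAction and NotIpAddress are complements of their positive forms, and a condition key that is absent from the request behaves differently under negated and positive operators. The block below is an added example, not AWS's evaluation engine and not code from this page's author: a small offline model of those rules, just enough to run the IP-address, date-window, DynamoDB-table and Region policies above against constructed request contexts. Every context, timestamp, account number and ARN in it is made up for the demonstration, and it handles only the policy elements these four policies use.

```python
"""Offline model of how IAM evaluates the policies on this page.
Added example: not AWS's evaluation engine and not the page author's code. It models only what these
policies use (Action/NotAction, Resource, NotIpAddress, Bool, Date*, StringNotEquals) and IAM's rule that
an explicit Deny overrides any Allow. Every request context below is constructed for the demo."""
import fnmatch
import ipaddress
from datetime import datetime

NEGATED = {"NotIpAddress", "StringNotEquals"}  # operators that match when the key is absent
_listify = lambda v: v if isinstance(v, list) else [v]
_ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))

def _glob(patterns, value, fold=False):
    """IAM wildcard match ('*', '?'); fold=True for action names, which are case-insensitive."""
    if fold:
        patterns, value = [p.lower() for p in _listify(patterns)], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in _listify(patterns))

def _condition_holds(op, have, want):
    """Evaluate one condition operator against a request-context value (None = key absent)."""
    if have is None:
        # Negated operators match an absent key. This is why a request arriving through a
        # VPC endpoint (no aws:SourceIp in the context) is still caught by a NotIpAddress Deny.
        return op in NEGATED
    if op in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(have) in ipaddress.ip_network(w) for w in want)
        return hit if op == "IpAddress" else not hit
    if op in ("StringEquals", "StringNotEquals"):
        return (have in want) == (op == "StringEquals")
    if op == "Bool":
        return str(have).lower() == str(want[0]).lower()
    if op == "DateGreaterThan":
        return _ts(have) > _ts(want[0])
    if op == "DateLessThan":
        return _ts(have) < _ts(want[0])
    raise ValueError(f"unsupported operator: {op}")

def _matches(stmt, action, resource, ctx):
    if "Action" in stmt and not _glob(stmt["Action"], action, fold=True):
        return False
    if "NotAction" in stmt and _glob(stmt["NotAction"], action, fold=True):
        return False
    if not _glob(stmt["Resource"], resource):
        return False
    return all(_condition_holds(op, ctx.get(k), _listify(v))
               for op, kv in stmt.get("Condition", {}).items() for k, v in kv.items())

def evaluate(policies, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request across all attached policies."""
    decision = "ImplicitDeny"
    for pol in policies:
        for stmt in _listify(pol["Statement"]):
            if _matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit Deny always wins
                decision = "Allow"
    return decision

# The page's policies ("Version" omitted) plus an Allow-all to pair the Deny policies with.
ALLOW_ALL = {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
DENY_IPS = {"Statement": {"Effect": "Deny", "Action": "*", "Resource": "*", "Condition": {
    "NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]},
    "Bool": {"aws:ViaAWSService": "false"}}}}
DENY_REGIONS = {"Statement": {"Effect": "Deny", "Resource": "*",
    "NotAction": ["cloudfront:*", "iam:*", "route53:*", "support:*"],
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-central-1", "eu-west-1", "eu-west-2", "eu-west-3"]}}}}
MY_TABLE = {"Statement": {"Effect": "Allow", "Action": ["dynamodb:Get*", "dynamodb:Delete*"],
    "Resource": "arn:aws:dynamodb:*:*:table/MyTable"}}

def date_window(start, end):
    return {"Statement": {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*",
        "Condition": {"DateGreaterThan": {"aws:CurrentTime": start}, "DateLessThan": {"aws:CurrentTime": end}}}}

def demo():
    """The checks worth running before attaching these policies to a real principal."""
    ctx = {"aws:ViaAWSService": "false", "aws:RequestedRegion": "eu-west-1"}
    s3, arn = "s3:ListAllMyBuckets", "arn:aws:dynamodb:eu-west-1:123456789012:table/MyTable"
    return {
        "office_ip": evaluate([ALLOW_ALL, DENY_IPS], s3, "*", {**ctx, "aws:SourceIp": "192.0.2.10"}),
        "other_ip": evaluate([ALLOW_ALL, DENY_IPS], s3, "*", {**ctx, "aws:SourceIp": "198.51.100.7"}),
        # A service calling on the principal's behalf (aws:ViaAWSService=true) is exempted by the Bool condition
        "via_service": evaluate([ALLOW_ALL, DENY_IPS], s3, "*", {**ctx, "aws:SourceIp": "198.51.100.7", "aws:ViaAWSService": "true"}),
        # No aws:SourceIp in the context at all (VPC endpoint): the Deny still fires
        "vpc_endpoint": evaluate([ALLOW_ALL, DENY_IPS], s3, "*", ctx),
        "ec2_in_us_east_1": evaluate([ALLOW_ALL, DENY_REGIONS], "ec2:RunInstances", "*", {"aws:RequestedRegion": "us-east-1"}),
        "iam_is_global": evaluate([ALLOW_ALL, DENY_REGIONS], "iam:CreateUser", "*", {"aws:RequestedRegion": "us-east-1"}),
        # dynamodb:Delete* is broader than DeleteItem: it also grants DeleteTable on MyTable
        "delete_table": evaluate([MY_TABLE], "dynamodb:DeleteTable", arn, {}),
        "other_table": evaluate([MY_TABLE], "dynamodb:GetItem", arn.replace("MyTable", "Other"), {}),
        "in_window": evaluate([date_window("2023-03-11T00:00:00Z", "2023-06-30T23:59:59Z")],
                              "ec2:DescribeInstances", "*", {"aws:CurrentTime": "2023-04-01T12:00:00Z"}),
        # An end date earlier than the start date can never be satisfied, so the policy grants nothing
        "inverted_window": evaluate([date_window("2023-03-11T00:00:00Z", "2020-06-30T23:59:59Z")],
                                    "ec2:DescribeInstances", "*", {"aws:CurrentTime": "2023-04-01T12:00:00Z"}),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

Running the file prints one verdict per scenario. The model is deliberately small (no ...IfExists operators, no resource-policy or permission-boundary logic), so treat it as a way to reason about a policy before attaching it; the authoritative check against a real account is the IAM policy simulator, for example `aws iam simulate-custom-policy` with the same action, resource and context keys.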

Conclusion

This tutorial showed how to create an IAM policy that denies access to AWS resources outside specific AWS Regions.