By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How do I add an IP source condition to AWS managed policy in IAM User or Role

1

I need to add a aws:SourceIp and aws:VpcSourceIp conditions to a Role with only AWS managed policies. What would the CloudFormation template used to create the Role look like? Thanks!

  • Mustafa
    23 days ago

    I submitted an answer, hope it helps!

Topics
Security, Identity, & Compliance
Tags
AWS Identity and Access ManagementIAM Policies
Language
English
NattyWiz
asked 23 days ago115 views
3 Answers
0
Accepted Answer

This was what I used that worked:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CustomPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CustomIPPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Deny
            Action: "*"
            Resource: "*"
            Condition:
              NotIpAddress:
                aws:SourceIp:
                  - "192.0.2.0/24" # Specify the IP range(s) you want to allow
      Roles:
        - Ref: MyIAMRole

  MyIAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
              AWS: arn:aws:iam::XXXXXXXXXXXX:user/tester
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/ReadOnlyAccess"
NattyWiz
answered 23 days ago
profile pictureAWS
EXPERT
Didier_Durand
reviewed 23 days ago
0

To add an IP source condition to an AWS managed policy in an IAM Role using CloudFormation, you would typically create a custom managed policy that includes the desired conditions, and then attach that custom policy to the IAM Role. Here's a CloudFormation template to achieve this:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CustomPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CustomIPPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"
            Condition:
              IpAddress:
                aws:SourceIp:
                  - "192.0.2.0/24" # Specify the IP range(s) you want to allow
              StringEquals:
                aws:SourceVpc: "vpc-1234567890abcdef0" # Specify the VPC ID
      Roles:
        - Ref: MyIAMRole

  MyIAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole

In this CloudFormation template:

  1. We create a custom IAM policy named CustomIPPolicy with the desired IP source conditions specified in the PolicyDocument.
  2. We create an IAM Role named MyRole with the AssumeRolePolicyDocument specifying the service (in this case, EC2) that can assume this role.
  3. We attach the custom policy CustomIPPolicy to the IAM Role MyRole.

Make sure to replace "192.0.2.0/24" with the IP range(s) you want to allow and "vpc-1234567890abcdef0" with the VPC ID you want to allow as the source. You can also adjust the actions and resources in the policy statement as per your requirements.

Mustafa
answered 23 days ago
  • NattyWiz
    23 days ago

    Your example is for inline policy. I was looking for a solution for a Role with AWS managed policy without any inline policy. I used Deny Effect with NotIPAddress condition for the allowed IP addresses on all Actions and Resources to fix it.

    Thanks for your help though. I appreciate!

0

Hi

Here you can check information of source ip https://repost.aws/knowledge-center/iam-restrict-calls-ip-addresses

Policy CFT Manged - https://repost.aws/knowledge-center/cloudformation-attach-managed-policy

IAM Role with Custom Policy - https://gist.github.com/evnm/e4769f8a5735b9bad62ea209ff14fae2

profile picture
EXPERT
GK
answered 23 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content