How safe is a proxy with resource policy based to restrict access to backend?

0

So I have some service in AWS that wants to be protected from unauthorized access. If I have a proxy and only the proxy have access to call the backend service based on a resource policy, I am curious to know if some malicious user can spoof the IP of the proxy and gain access to the backend? i.e, the malicious user claim that his machine have the IP address in resource policy and gain access to the server? Is this something possible?

1 Answer
0

Resource-based policies are attached to a resource. For example, you can attach resource-based policies to Amazon S3 buckets, Amazon SQS queues, VPC endpoints, and AWS Key Management Service encryption keys. With resource-based policies, you can specify who has access to the resource and what actions they can perform on it.

Resource-based policies are JSON policy documents that you attach to a resource such as an Amazon S3 bucket. These policies grant the specified principal permission to perform specific actions on that resource and defines under what conditions this applies. Resource-based policies are inline policies. There are no managed resource-based policies.

[+] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html

aws:SourceIp key is used to compare the requester's IP address with the IP address that you specify in the policy. The aws:SourceIp condition key can only be used for public IP address ranges. The aws:SourceIp condition key can be used in a policy to allow principals to make requests only from within a specified IP range.

[+] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip

IAM resource-based policies primarily focus on controlling access to AWS resources based on various attributes such as principal (e.g., IAM user or role), action, resource, and conditions. However, they do not have built-in mechanisms to detect spoofed IP addresses. Detecting spoofed IP addresses typically requires network-level protections such as firewalls, intrusion detection/prevention systems, or network traffic analysis tools.

AWS
Harika
answered 2 months ago
profile picture
EXPERT
reviewed 11 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions