This was what I used that worked:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CustomPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CustomIPPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Deny
            Action: "*"
            Resource: "*"
            Condition:
              NotIpAddress:
                aws:SourceIp:
                  - "192.0.2.0/24" # Specify the IP range(s) you want to allow
      Roles:
        - Ref: MyIAMRole
  MyIAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
              AWS: arn:aws:iam::XXXXXXXXXXXX:user/tester
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/ReadOnlyAccess"
```
To add an IP source condition to an AWS managed policy in an IAM Role using CloudFormation, you would typically create a custom managed policy that includes the desired conditions, and then attach that custom policy to the IAM Role. Here's a CloudFormation template to achieve this:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CustomPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CustomIPPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"
            Condition:
              IpAddress:
                aws:SourceIp:
                  - "192.0.2.0/24" # Specify the IP range(s) you want to allow
              StringEquals:
                aws:SourceVpc: "vpc-1234567890abcdef0" # Specify the VPC ID
      Roles:
        - Ref: MyIAMRole
  MyIAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
```
In this CloudFormation template:
- We create a custom IAM policy named `CustomIPPolicy` with the desired IP source conditions specified in the `PolicyDocument`.
- We create an IAM Role named `MyRole` with the `AssumeRolePolicyDocument` specifying the service (in this case, EC2) that can assume this role.
- We attach the custom policy `CustomIPPolicy` to the IAM Role `MyRole`.

Make sure to replace `"192.0.2.0/24"` with the IP range(s) you want to allow and `"vpc-1234567890abcdef0"` with the VPC ID you want to allow as the source. You can also adjust the actions and resources in the policy statement as per your requirements.
Your example is for inline policy. I was looking for a solution for a Role with AWS managed policy without any inline policy. I used Deny Effect with NotIPAddress condition for the allowed IP addresses on all Actions and Resources to fix it.
Thanks for your help though. I appreciate it!
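The difference between the two templates in this thread comes down to IAM's evaluation order: an applicable explicit `Deny` overrides every `Allow`, while an extra `Allow` with an `IpAddress` condition does nothing to narrow the `Allow` that the attached managed policy already grants. The following is an added example (not code from this thread or from AWS) that models that subset of the evaluation logic in Python and runs the thread's two inline policies against a constructed, stripped-down stand-in for `ReadOnlyAccess`. It also shows the caveat that the knowledge-center article linked below describes: a blanket `Deny` on `NotIpAddress` also blocks calls that AWS services make on the role's behalf, which is what the `aws:ViaAWSService` condition key is for. The policy dicts, request contexts and the reduced managed policy are all constructed for the example; the evaluator covers only the `IpAddress`, `NotIpAddress` and `Bool` operators.

```python
import fnmatch
import ipaddress

# Constructed stand-in for the AWS managed ReadOnlyAccess policy: an
# unconditional Allow on a couple of read actions is all we need here.
MANAGED_READONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}

# The original poster's inline policy: explicit Deny outside the allowed range.
DENY_OUTSIDE_RANGE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24"]}},
    }],
}

# The answer's inline policy: an Allow that only applies inside the range
# (the aws:SourceVpc part is left out; only the IP condition matters here).
ALLOW_FROM_RANGE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": "*", "Resource": "*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["192.0.2.0/24"]}},
    }],
}

# Same Deny, but excluding requests AWS services make on the role's behalf.
DENY_OUTSIDE_RANGE_EXCEPT_SERVICES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {
            "NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24"]},
            "Bool": {"aws:ViaAWSService": "false"},
        },
    }],
}


def _condition_holds(condition, ctx):
    """Evaluate the subset of IAM condition operators used in the thread.
    All operator/key pairs must hold (AND); the values of one key are OR'ed.
    A missing request key fails IpAddress and Bool and passes NotIpAddress."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            values = values if isinstance(values, list) else [values]
            actual = ctx.get(key)
            if operator in ("IpAddress", "NotIpAddress"):
                in_range = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values
                )
                if operator == "IpAddress" and not in_range:
                    return False
                if operator == "NotIpAddress" and in_range:
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() not in [str(v).lower() for v in values]:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(policies, action, ctx):
    """Same-account identity-policy evaluation: an applicable explicit Deny
    wins, otherwise any applicable Allow grants, otherwise implicit deny."""
    decision = "implicit-deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if not any(fnmatch.fnmatchcase(action, p) for p in actions):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"
            decision = "allow"
    return decision


def scenarios():
    """Run the thread's two approaches against constructed request contexts."""
    inside = {"aws:SourceIp": "192.0.2.10", "aws:ViaAWSService": "false"}
    outside = {"aws:SourceIp": "198.51.100.7", "aws:ViaAWSService": "false"}
    # A call an AWS service makes for the role arrives from the service's own
    # address, so its source IP falls outside the allowed range.
    via_service = {"aws:SourceIp": "198.51.100.7", "aws:ViaAWSService": "true"}
    act = "s3:GetObject"
    return {
        "deny_inside": evaluate([MANAGED_READONLY, DENY_OUTSIDE_RANGE], act, inside),
        "deny_outside": evaluate([MANAGED_READONLY, DENY_OUTSIDE_RANGE], act, outside),
        "allow_inside": evaluate([MANAGED_READONLY, ALLOW_FROM_RANGE], act, inside),
        # The managed policy's Allow still applies: the IP condition restricts nothing.
        "allow_outside": evaluate([MANAGED_READONLY, ALLOW_FROM_RANGE], act, outside),
        "deny_via_service": evaluate([MANAGED_READONLY, DENY_OUTSIDE_RANGE], act, via_service),
        "deny_except_services_via_service": evaluate(
            [MANAGED_READONLY, DENY_OUTSIDE_RANGE_EXCEPT_SERVICES], act, via_service),
        "deny_except_services_outside": evaluate(
            [MANAGED_READONLY, DENY_OUTSIDE_RANGE_EXCEPT_SERVICES], act, outside),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:36s} {result}")
```

The `allow_outside` row is the one that answers the question: with only an `IpAddress`-conditioned `Allow`, a request from outside the range is still allowed by the managed policy, so the role is not restricted at all. The last two rows show the `aws:ViaAWSService` refinement keeping the restriction for direct calls while letting service-originated calls through.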
Hi,

Here you can check information on source IP restrictions: https://repost.aws/knowledge-center/iam-restrict-calls-ip-addresses

Managed policy with CFT: https://repost.aws/knowledge-center/cloudformation-attach-managed-policy

IAM Role with custom policy: https://gist.github.com/evnm/e4769f8a5735b9bad62ea209ff14fae2
I submitted an answer, hope it helps!