Use IAM conditions to restrict access

If you have had an AWS account for more than a couple of hours, you have most likely heard about AWS IAM. This service is the AWS solution for creating users, assigning them to groups, and managing the policies, credentials and permissions that govern access to other AWS resources.

In this post we present several conditions you can add to an AWS IAM policy to make it stricter, improve overall security and restrict access. Following this approach also lowers the risk of accidentally performing privileged actions.

Let’s see a list of conditions you should add to your AWS policy:

  • Allow an action only if the user authenticated with an MFA device: some actions are sensitive enough that the user should be required to have signed in with MFA before performing them. The aws:MultiFactorAuthAge key is only present in the request context when MFA was used, so without MFA the comparison fails and the Allow does not apply.
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "AllowActionsForEC2WhenMFAIsPresent",
    "Effect": "Allow",
    "Action": "ec2:*",
    "Resource": "*",
    "Condition": {
      "NumericGreaterThan": {
        "aws:MultiFactorAuthAge": "0"
      }
    }
  }
}
  • Deny requests that do not come over SSL/TLS. For example, you can deny reads from an S3 bucket when the request is not made over HTTPS. Note that this statement only denies; the user still needs a separate Allow for s3:GetObject in order to read anything. Replace BUCKET_NAME below with the name of your bucket.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt1504640908907",
    "Effect": "Deny",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::BUCKET_NAME/*",
    "Condition": {
      "Bool": {
        "aws:SecureTransport": "false"
      }
    }
  }]
}
  • Whitelist only some IPs to perform a given action: for example, only requests coming from a known IP range may terminate an Elastic Beanstalk environment. aws:SourceIp is the public IP address the request arrives from; requests that reach AWS through a VPC endpoint carry aws:VpcSourceIp instead and would not match this condition.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt1504640908907",
    "Effect": "Allow",
    "Action": "elasticbeanstalk:TerminateEnvironment",
    "Resource": "*",
    "Condition": {
      "IpAddress": {
        "aws:SourceIp": "32.137.32.160/28"
      }
    }
  }]
}
  • Allow some actions only in a given region: for example, a DynamoDB table can only be created in Dublin (eu-west-1).
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt1504640908907",
    "Effect": "Allow",
    "Action": "dynamodb:Create*",
    "Resource": "*",
    "Condition": {
      "StringEquals": {
        "aws:RequestedRegion": "eu-west-1"
      }
    }
  }]
}
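To see how these operators actually decide a request, here is an added example (my own code, not from the original post) that models the four policies above in a small offline evaluator. It assumes a bucket named example-bucket, constructed request contexts and a constructed extra "read all S3" Allow used to show that the SSL Deny overrides it; it is a teaching model of IAM's evaluation logic, not the IAM engine, so verify real policies with the IAM policy simulator before relying on them.

```python
# Added example, not code from the original post: a simplified offline evaluator
# for the IAM condition operators used above (NumericGreaterThan, Bool,
# IpAddress, StringEquals). It implements only the policy grammar these need.
import fnmatch
import ipaddress

# Context values are compared as strings, as IAM does.
OPERATORS = {
    "StringEquals": lambda have, want: have == want,
    "Bool": lambda have, want: have.lower() == want.lower(),
    "NumericGreaterThan": lambda have, want: float(have) > float(want),
    "IpAddress": lambda have, want: ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_holds(condition, context):
    """All operator/key pairs must match. A key absent from the request context
    (e.g. aws:MultiFactorAuthAge when no MFA was used) fails the test, which is
    why 'NumericGreaterThan 0' behaves as an 'MFA was used' check."""
    for operator, tests in condition.items():
        compare = OPERATORS[operator]
        for key, wanted in tests.items():
            if key not in context:
                return False
            if not any(compare(context[key], w) for w in _as_list(wanted)):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Decision of one policy: 'Allow', 'Deny' (explicit) or 'ImplicitDeny'.
    Action names match case-insensitively; resource ARNs are case-sensitive."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny in any matching statement wins
        decision = "Allow"
    return decision


def evaluate_all(policies, action, resource, context):
    """Combine several attached policies: explicit Deny beats Allow, and with
    no matching Allow at all the request is implicitly denied."""
    results = {evaluate(p, action, resource, context) for p in policies}
    if "Deny" in results:
        return "Deny"
    return "Allow" if "Allow" in results else "ImplicitDeny"


# Constructed copies of the four policies from the post; "example-bucket" stands in
# for the bucket name. READ_ALL_S3 is a constructed broad Allow used only to show
# that the SSL Deny overrides it.
MFA_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
    "Condition": {"NumericGreaterThan": {"aws:MultiFactorAuthAge": "0"}}}}
SSL_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
IP_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "elasticbeanstalk:TerminateEnvironment", "Resource": "*",
    "Condition": {"IpAddress": {"aws:SourceIp": "32.137.32.160/28"}}}]}
REGION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "dynamodb:Create*", "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}}]}
READ_ALL_S3 = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}

OBJ = "arn:aws:s3:::example-bucket/data.csv"  # constructed object ARN
EC2 = "arn:aws:ec2:eu-west-1:123456789012:instance/i-0123456789abcdef0"  # constructed


def run_scenarios():
    """Constructed request contexts per policy; returns the decision for each case.
    '*' is passed as the resource where the exact ARN does not matter."""
    return {
        "ec2 with MFA": evaluate(MFA_POLICY, "ec2:StartInstances", EC2, {"aws:MultiFactorAuthAge": "120"}),
        "ec2 without MFA": evaluate(MFA_POLICY, "ec2:StartInstances", EC2, {}),
        "s3 read over http": evaluate_all([READ_ALL_S3, SSL_POLICY], "s3:GetObject", OBJ, {"aws:SecureTransport": "false"}),
        "s3 read over https": evaluate_all([READ_ALL_S3, SSL_POLICY], "s3:GetObject", OBJ, {"aws:SecureTransport": "true"}),
        "terminate from 32.137.32.170": evaluate(IP_POLICY, "elasticbeanstalk:TerminateEnvironment", "*", {"aws:SourceIp": "32.137.32.170"}),
        "terminate from 32.137.32.180": evaluate(IP_POLICY, "elasticbeanstalk:TerminateEnvironment", "*", {"aws:SourceIp": "32.137.32.180"}),
        "create table in eu-west-1": evaluate(REGION_POLICY, "dynamodb:CreateTable", "*", {"aws:RequestedRegion": "eu-west-1"}),
        "create table in us-east-1": evaluate(REGION_POLICY, "dynamodb:CreateTable", "*", {"aws:RequestedRegion": "us-east-1"}),
        "delete table in eu-west-1": evaluate(REGION_POLICY, "dynamodb:DeleteTable", "*", {"aws:RequestedRegion": "eu-west-1"}),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:32} -> {decision}")
```

Two points the scenarios make visible: the SSL policy on its own never grants a read (over HTTPS it yields an implicit deny until another policy allows s3:GetObject), and dynamodb:DeleteTable is untouched by the region policy because only Create* actions are matched.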

Above we discussed only a few of the global condition keys. It is worth mentioning that each AWS service also exposes many service-specific condition keys. The IAM console makes them easy to browse, and we invite you to look through that list whenever you create a new IAM policy.

We hope you’ll consider these conditions for your next IAM policies. If you have other ideas on how to improve security using IAM conditions, leave a comment below!

Happy cloud computing!
