How to Allow/Deny AWS IAM User Access based on IP Address?

To allow or deny access from specific IP addresses, add a Condition element to the IAM user policy.

I have explained the steps for writing a policy under IAM users in this article.

Follow the same steps given in that article, and additionally add a condition that allows or denies permission based on the source IP address.

Condition to allow only specific IP addresses; this needs to be added to the policy statement:

    "Condition": {
        "IpAddress": {
            "aws:SourceIp": [
                "10.1.0.0/24",
                "12.13.0.48"
            ]
        }
    }

Condition to allow all IP addresses except the listed ones; this needs to be added to the policy statement:

    "Condition": {
        "NotIpAddress": {
            "aws:SourceIp": [
                "11.1.0.0/24",
                "13.13.0.48"
            ]
        }
    }

Consider the earlier example in this article: the policy written there grants permission to list all S3 buckets and to access the named S3 bucket and its contents.

Now we update that policy with an additional condition so that these permissions are granted only from specific IP addresses. The complete policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::example-bucket",
                    "arn:aws:s3:::example-bucket/*"
                ],
                "Condition": {
                    "IpAddress": {
                        "aws:SourceIp": [
                            "10.1.0.0/24",
                            "12.13.0.48"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "arn:aws:s3:::*",
                "Condition": {
                    "IpAddress": {
                        "aws:SourceIp": [
                            "10.1.0.0/24",
                            "12.13.0.48"
                        ]
                    }
                }
            }
        ]
    }

This policy does the following:

  1. Allows listing all S3 buckets.
  2. Allows any action on the "example-bucket" S3 bucket and its contents.
  3. Both 1 and 2 are permitted only from the source IP addresses 10.1.0.0/24 and 12.13.0.48.

To allow all IP addresses except some specific ones, replace the "IpAddress" operator with "NotIpAddress". The same example with NotIpAddress follows.

This policy allows the IAM user access from every IP address except 11.1.0.0/24 and 13.13.0.48.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::example-bucket",
                    "arn:aws:s3:::example-bucket/*"
                ],
                "Condition": {
                    "NotIpAddress": {
                        "aws:SourceIp": [
                            "11.1.0.0/24",
                            "13.13.0.48"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "arn:aws:s3:::*",
                "Condition": {
                    "NotIpAddress": {
                        "aws:SourceIp": [
                            "11.1.0.0/24",
                            "13.13.0.48"
                        ]
                    }
                }
            }
        ]
    }

To deny all AWS actions from specific IP addresses, attach the policy below to the IAM user:

    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "11.1.0.0/24",
                        "12.13.0.48"
                    ]
                }
            }
        }
    }

To allow all AWS actions only from specific IP addresses, you can use the policies below under the IAM user.

Allow permission with an IpAddress condition:

    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "10.1.0.0/24",
                        "12.13.0.48"
                    ]
                }
            }
        }
    }

Deny permission with a NotIpAddress condition:

    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "10.1.0.0/24",
                        "12.13.0.48"
                    ]
                }
            }
        }
    }
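The following is an added example, not part of the original post or of any AWS tooling: a small Python model of how IAM combines the statements above (explicit Deny, then Allow, then implicit deny), used to show that the Allow/IpAddress form and the Deny/NotIpAddress form are not interchangeable once the user has a second policy attached. The second policy (EXTRA_ALLOW) and the test IP 203.0.113.5 are constructed for the example.

```python
import fnmatch
import ipaddress

ALLOWED_IPS = ["10.1.0.0/24", "12.13.0.48"]  # ranges used in the page's policies

# The page's two "all actions, only from these IPs" policies as Python dicts.
ALLOW_FROM_IPS = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "*", "Resource": "*",
    "Condition": {"IpAddress": {"aws:SourceIp": ALLOWED_IPS}}}}
DENY_OUTSIDE_IPS = {"Version": "2012-10-17", "Statement": {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": ALLOWED_IPS}}}}
# Constructed for this example: a second, unconditional policy on the same user.
EXTRA_ALLOW = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_ok(cond, source_ip):
    """IpAddress passes when the IP is inside a listed range, NotIpAddress when it is
    outside. A bare address such as 12.13.0.48 is treated as a /32, as IAM does.
    Only these two operators are modelled; aws:SourceIp is the public IP AWS sees
    (requests through a VPC endpoint carry aws:VpcSourceIp instead, ignored here)."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in cond.items():
        ranges = _as_list(keys["aws:SourceIp"])
        hit = any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)
        if (operator == "IpAddress") != hit:
            return False
    return True


def _applies(stmt, action, resource, source_ip):
    """A statement applies when action, resource and condition all match."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_ok(stmt.get("Condition", {}), source_ip))


def evaluate(policies, action, resource, source_ip):
    """IAM decision order: any matching explicit Deny wins, else any Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _applies(stmt, action, resource, source_ip):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision
```

With only the Allow/IpAddress policy attached, a request from outside the range is merely not granted by that policy, so any other attached Allow still lets it through; the Deny/NotIpAddress policy blocks it regardless of other policies, but grants nothing on its own.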
