Security is always important and the first thing before doing something in the cloud. I’m using the IP restriction policy for more than 5 years and I want to share this trick with you. There are two different ways to do it.
You should get a Static IP from your ISP and/or also you can also want to use your VPN IP address.
What is the IP Policy benefit?
The answer is simple. Nobody can access your resources in the cloud if they are not using the specified IPs.
Here is the example if the user logged in without a specific IP address in the IAM Policy. The user can able login but can not see anything about resources and/or information.
This is the example if the user logged in with a specific IP address. Yes, everything looks like okay and the user can see information about resources and other things.
Allow Access if your IPs Match
Here is the IAM IP Policy if you want to give permission to access to your resources.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAccessIfIPsMatch",
"Effect": "Allow",
"Action": "*",
"Resource": "*",
"Condition": {
"ForAnyValue:IpAddress": {
"aws:SourceIp": [
"1.2.3.4/32",
"5.6.7.8/32"
]
}
}
}
]
}
Deny Access if your IPs Don’t Match
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAccessIfIPsDontMatch",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"1.2.3.4/32",
"5.6.7.8/32"
]
}
}
}
]
}
This IAM policy also affected aws-cli requests and all AWS API calls. The Allow or Deny policy is the same (vice versa!) and you do not have to use both at the same time. I just want to inform you there is more than one way to protect your AWS account.
NOTE: This IAM Policy is just telling you about the IP restriction logic. Please think twice to use this IAM policy on your account and on the production because it allows giving an AdministratorAccess to all of AWS Resources!
Maybe you want to check out my previous blog post about “How to secure your Amazon Web Services account” before applying the IAM IP Policy.
Thank you for reading!
Top comments (1)
Restricting access by IP does not work well for companies with remote employees. Most ISPs in North America do not provide static IPs to residential customers.
Companies that do implement this kind of security force people to go with VPN providers who provide static IPs for ~$30-40/month.
Usually people just go with the cheapest option that defeats the purpose of this whole setup.
It works well when your employees access resources from a static location like a company office, but it completely breaks down with WFH teams