Region Based IAM Policy example

AWS/AWS Identity and Access Management

  • outline

Events that occur, or resources that are created, in regions that are not in use often lead to security incidents or unnecessary charges. It is therefore safer to restrict permissions in every region other than the one actually being used. Below is an example AdministratorAccess policy that grants access only in the region in use (ap-northeast-2, Seoul), plus the us-east-1 access that global services require; every other region falls under IAM's implicit deny.

  • AdministratorAccessOnlySeoul
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:*",
                "route53:*",
                "iam:*",
                "support:*",
                "access-analyzer:*",
                "route53domains:*",
                "sso:*",
                "sso-directory:*",
                "rolesanywhere:*",
                "rds-db:*",
                "elemental-support-cases:*",
                "elemental-support-content:*",
                "supportapp:*",
                "supportplans:*",
                "ce:*",
                "cur:*",
                "billing:*",
                "billingconductor:*",
                "aws-portal:*",
                "consolidatedbilling:*",
                "s3:*",
                "s3-object-lambda:*",
                "s3-outposts:*",
                "budgets:*",
                "organizations:*",
                "globalaccelerator:*",
                "directconnect:*",
                "fms:*",
                "waf:*",
                "waf-regional:*",
                "wafv2:*",
                "shield:*",
                "arc-zonal-shift:*",
                "route53-recovery-cluster:*",
                "route53-recovery-control-config:*",
                "route53-recovery-readiness:*",
                "route53resolver:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": [
                        "ap-northeast-2"
                    ]
                }
            }
        }
    ]
}
  • Remarks

Global services need their permissions granted for us-east-1, which is why the first statement above allows those actions only when aws:RequestedRegion is us-east-1. The global AWS services are listed below.
AWS Identity and Access Management (IAM), AWS Organizations, Amazon CloudFront, Amazon Route 53, AWS Global Accelerator, AWS Direct Connect, AWS Firewall Manager, AWS Web Application Firewall (WAF), AWS Shield, Amazon S3, AWS Cost Explorer, AWS Billing, AWS Budgets
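To see how the two statements combine, the following added example (not part of the original page, and not AWS's own policy engine) is a small offline evaluator for the policy above. It models only Allow effects and the StringEquals / aws:RequestedRegion condition, embeds an abbreviated copy of the global-service action list, and also flags any Allow statement that lacks a region condition, since such a statement would silently re-open every region.

```python
"""Offline check of the region-scoped policy above; models only Allow effects and
the StringEquals / aws:RequestedRegion condition, not the full IAM evaluator."""
import fnmatch

# Abbreviated copy of the page's global-service action list (first statement).
GLOBAL_ACTIONS = [
    "cloudfront:*", "route53:*", "iam:*", "support:*", "organizations:*",
    "s3:*", "waf:*", "wafv2:*", "shield:*", "budgets:*", "ce:*", "billing:*",
]

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": GLOBAL_ACTIONS, "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": ["us-east-1"]}}},
        {"Effect": "Allow", "Action": "*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": ["ap-northeast-2"]}}},
    ],
}

def _action_matches(patterns, action):
    """IAM action names are case-insensitive and support '*' wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _condition_holds(condition, context):
    """Every StringEquals key must match one of its listed values."""
    return all(context.get(k) in v for k, v in condition.get("StringEquals", {}).items())

def is_allowed(policy, action, region):
    """True if any Allow statement matches; otherwise IAM's implicit deny applies."""
    context = {"aws:RequestedRegion": region}
    return any(
        stmt["Effect"] == "Allow"
        and _action_matches(stmt["Action"], action)
        and _condition_holds(stmt.get("Condition", {}), context)
        for stmt in policy["Statement"]
    )

def unscoped_allow_statements(policy):
    """Indexes of Allow statements with no aws:RequestedRegion condition; such a
    statement would grant access in every region and defeat this policy's intent."""
    return [
        i for i, s in enumerate(policy["Statement"])
        if s["Effect"] == "Allow"
        and "aws:RequestedRegion" not in s.get("Condition", {}).get("StringEquals", {})
    ]
```

With this policy, ec2:RunInstances is allowed in ap-northeast-2 but denied in us-west-2 and us-east-1, while iam:CreateUser is allowed in us-east-1 through the global-service statement.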

  • reference

https://ktg0210.hashnode.dev/global-based-aws-service-not-region-based