setting up IAM User regional control (IAM Permission boundary)

AWS/AWS Identity and Access Management

  • outline

There are several ways to restrict an IAM User to specific regions using the aws:RequestedRegion approach covered in "https://ktg0210.hashnode.dev/region-based-iam-policy-example", but the simplest is to attach a region-conditioned policy to the user as an IAM permissions boundary.

  • policy

The boundary is an allowlist: anything it does not allow is implicitly denied, and it grants nothing by itself, because the user's effective permissions are the intersection of this boundary with the identity-based policies attached to the user. The first statement allows the listed global services, whose API calls go to us-east-1 regardless of the region the caller has configured (so aws:RequestedRegion is us-east-1 for them); the second statement allows every action, but only when the request is made to ap-northeast-2. Two things to check before reusing it: not every global service is served from us-east-1 (AWS Global Accelerator requests go to us-west-2, so the first statement does not match them), and because iam:* is inside the boundary, a user whose identity policy also grants iam:* could remove or replace their own boundary, so deny iam:DeleteUserPermissionsBoundary and iam:PutUserPermissionsBoundary in the identity policy or narrow iam:* here.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:*",
                "route53:*",
                "iam:*",
                "support:*",
                "access-analyzer:*",
                "route53domains:*",
                "sso:*",
                "sso-directory:*",
                "rolesanywhere:*",
                "rds-db:*",
                "elemental-support-cases:*",
                "elemental-support-content:*",
                "supportapp:*",
                "supportplans:*",
                "ce:*",
                "cur:*",
                "billing:*",
                "billingconductor:*",
                "aws-portal:*",
                "consolidatedbilling:*",
                "s3:*",
                "s3-object-lambda:*",
                "s3-outposts:*",
                "budgets:*",
                "organizations:*",
                "globalaccelerator:*",
                "directconnect:*",
                "fms:*",
                "waf:*",
                "waf-regional:*",
                "wafv2:*",
                "shield:*",
                "arc-zonal-shift:*",
                "route53-recovery-cluster:*",
                "route53-recovery-control-config:*",
                "route53-recovery-readiness:*",
                "route53resolver:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": [
                        "ap-northeast-2"
                    ]
                }
            }
        }
    ]
}
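To see what this boundary actually lets through, here is an added example (not code from the original post) that evaluates a shortened copy of the boundary offline against a constructed identity-based policy. It implements only a small subset of IAM semantics (Allow statements, Action wildcards and a StringEquals condition on aws:RequestedRegion; no Deny, Resource matching, other condition keys or SCPs), and the identity policy, action names and regions in the checks are assumptions chosen to show that a boundary only narrows, never grants.

```python
"""Offline check of what an IAM permissions boundary lets through.

Added example, not from the original post. Evaluates the boundary above
with a deliberately small subset of IAM policy semantics: Allow
statements, Action wildcards and a StringEquals condition on
aws:RequestedRegion. Deny statements, Resource matching, other condition
keys and SCPs are ignored, so treat the result as an illustration, not a
substitute for the IAM policy simulator.
"""
import fnmatch
import json

# The permission boundary from the post, with the long list of global
# services cut down to a few entries so the example stays readable.
BOUNDARY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:*", "route53:*", "cloudfront:*", "s3:*"],
      "Resource": "*",
      "Condition": {"StringEquals": {"aws:RequestedRegion": ["us-east-1"]}}
    },
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {"StringEquals": {"aws:RequestedRegion": ["ap-northeast-2"]}}
    }
  ]
}
""")

# Hypothetical identity-based policy attached to the same user (constructed
# for this example): broad EC2 and S3 rights with no region condition,
# which is exactly the situation the boundary is meant to contain.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action wildcards are case-insensitive and '*' matches any run of
    # characters; fnmatch gives the same behaviour once both sides are lowercased.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_matches(statement, context):
    cond = statement.get("Condition", {})
    for key, expected in cond.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def policy_allows(policy, action, region):
    """True if some Allow statement matches this action for this region."""
    context = {"aws:RequestedRegion": region}
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if _action_matches(st.get("Action", []), action) and _condition_matches(st, context):
            return True
    return False


def effective_allows(identity_policy, boundary, action, region):
    """A boundary never grants: the call needs both policies to allow it."""
    return policy_allows(identity_policy, action, region) and policy_allows(boundary, action, region)


if __name__ == "__main__":
    checks = [
        ("ec2:RunInstances", "ap-northeast-2"),   # allowed by both
        ("ec2:RunInstances", "ap-northeast-1"),   # outside the boundary's regions
        ("s3:CreateBucket", "us-east-1"),         # s3:* is in the global statement
        ("iam:CreateUser", "us-east-1"),          # boundary allows, identity policy does not
        ("route53:ChangeResourceRecordSets", "us-east-1"),  # same: boundary alone is not enough
    ]
    for action, region in checks:
        b = policy_allows(BOUNDARY, action, region)
        e = effective_allows(IDENTITY_POLICY, BOUNDARY, action, region)
        print(f"{action:<34} {region:<15} boundary={b!s:<5} effective={e}")
```

The iam:CreateUser and route53 rows are the point of the exercise: the boundary passes them, but the user still cannot make those calls because nothing in the identity policy grants them. Conversely, ec2:RunInstances in ap-northeast-1 is granted by the identity policy and still fails, because the boundary has no statement for that region.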
  • how-to-set-up

choose IAM User
>> Permissions
>>> Permission boundary, Set permission boundary
>>>> choose the policy above (save it first as a customer managed policy, since a boundary must be a managed policy)
>>>>> Set boundary

The same can be done from the CLI with aws iam put-user-permissions-boundary --user-name <user> --permissions-boundary <policy ARN>.

  • note

If you use the example policy from "https://ktg0210.hashnode.dev/region-based-iam-policy-example" as the boundary instead, the user can only work in the ap-northeast-1 region.

  • reference

https://docs.aws.amazon.com/ko_kr/IAM/latest/UserGuide/access_policies_boundaries.html
https://ktg0210.hashnode.dev/region-based-iam-policy-example