Setting up IAM user regional control (IAM permissions boundary)
AWS/AWS Identity and Access Management
- outline
There are several ways to restrict IAM users to specific regions by applying the approach covered in "https://ktg0210.hashnode.dev/region-based-iam-policy-example", but the simplest is to set an IAM permissions boundary on the user.
- policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:*",
        "route53:*",
        "iam:*",
        "support:*",
        "access-analyzer:*",
        "route53domains:*",
        "sso:*",
        "sso-directory:*",
        "rolesanywhere:*",
        "rds-db:*",
        "elemental-support-cases:*",
        "elemental-support-content:*",
        "supportapp:*",
        "supportplans:*",
        "ce:*",
        "cur:*",
        "billing:*",
        "billingconductor:*",
        "aws-portal:*",
        "consolidatedbilling:*",
        "s3:*",
        "s3-object-lambda:*",
        "s3-outposts:*",
        "budgets:*",
        "organizations:*",
        "globalaccelerator:*",
        "directconnect:*",
        "fms:*",
        "waf:*",
        "waf-regional:*",
        "wafv2:*",
        "shield:*",
        "arc-zonal-shift:*",
        "route53-recovery-cluster:*",
        "route53-recovery-control-config:*",
        "route53-recovery-readiness:*",
        "route53resolver:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": [
            "us-east-1"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": [
            "ap-northeast-2"
          ]
        }
      }
    }
  ]
}
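A permissions boundary never grants anything on its own: a request is allowed only when both the user's identity policy and the boundary allow it. The following added example (not from the original post) embeds a trimmed copy of the policy above and evaluates a few requests against it with a simplified, constructed evaluator that checks only Action patterns and the aws:RequestedRegion condition, ignoring Resource and other condition keys.

```python
import fnmatch
import json

# Trimmed copy of the page's boundary policy (a few global-service actions kept);
# the evaluation logic is the same for the full action list.
BOUNDARY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["cloudfront:*", "route53:*", "iam:*", "s3:*", "organizations:*"],
     "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": ["us-east-1"]}}},
    {"Effect": "Allow", "Action": "*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": ["ap-northeast-2"]}}}
  ]
}
""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _action_matches(patterns, action):
    # IAM action patterns are case-insensitive globs such as "s3:*" or "iam:Get*".
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def _condition_holds(cond, region):
    # Simplification: only StringEquals on aws:RequestedRegion is evaluated here.
    wanted = cond.get("StringEquals", {}).get("aws:RequestedRegion")
    return wanted is None or region in _as_list(wanted)

def policy_allows(policy, action, region):
    """Simplified evaluator: an explicit Deny wins, otherwise any matching Allow grants."""
    matched = [s for s in policy["Statement"]
               if _action_matches(s["Action"], action)
               and _condition_holds(s.get("Condition", {}), region)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)

def effective_allows(identity_policy, boundary, action, region):
    """Boundary semantics: the request needs an Allow from BOTH policies."""
    return policy_allows(identity_policy, action, region) and policy_allows(boundary, action, region)

# Constructed identity policy for an otherwise unrestricted user (the case the boundary must cap).
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    for action, region in [("ec2:RunInstances", "ap-northeast-2"), ("ec2:RunInstances", "ap-northeast-1"),
                           ("iam:CreateUser", "us-east-1"), ("ec2:RunInstances", "us-east-1")]:
        print(f"{action:18} in {region:15} -> {effective_allows(ADMIN, BOUNDARY, action, region)}")
```

Running it shows ec2:RunInstances allowed only in ap-northeast-2, iam:CreateUser allowed only in us-east-1, and everything else capped even though the identity policy is "*".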
- how-to-set-up
Choose the IAM user
>> Permissions
>>> Permissions boundary, Set permissions boundary
>>>> Choose the policy shown above (it must already exist as a managed policy)
>>>>> Set boundary
- note
If you use the example policy from "https://ktg0210.hashnode.dev/region-based-iam-policy-example", only the ap-northeast-1 region can be used.
- reference
https://docs.aws.amazon.com/ko_kr/IAM/latest/UserGuide/access_policies_boundaries.html
https://ktg0210.hashnode.dev/region-based-iam-policy-example