
I'm trying to create an AWS IAM Policy that gives access to everything that a Power User has (arn:aws:iam::aws:policy/PowerUserAccess) but only in a specific region.

I started with the existing Power User policy and found this article: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_region.html

So I added the "condition" to the Power User Policy and the result is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "NotAction": [
                "iam:*",
                "organizations:*",
                "account:*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:Region": "us-east-2"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteServiceLinkedRole",
                "iam:ListRoles",
                "organizations:DescribeOrganization",
                "account:ListRegions"
            ],
            "Resource": "*"
        }
    ]
}

This does not seem to be working: I can create EC2 instances only in the specified region, but other services are not available (CodePipeline, Lambda).

Ryan Ferretti

Have you tried the `aws:RequestedRegion` condition? https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requestedregion – jellycsc May 13 '20 at 17:40

1 Answer

When you use ec2:Region as the Condition key, that's EC2-specific.

You'll want to try aws:RequestedRegion for the condition key.

Beware though:

Some global services, such as IAM, have a single endpoint. Because this endpoint is physically located in the US East (N. Virginia) Region, IAM calls are always made to the us-east-1 Region.

Give it a try with:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "NotAction": [
                "iam:*",
                "organizations:*",
                "account:*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "us-east-2"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteServiceLinkedRole",
                "iam:ListRoles",
                "organizations:DescribeOrganization",
                "account:ListRegions"
            ],
            "Resource": "*"
        }
    ]
}

maafk
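To see why the question's ec2:Region version only worked for EC2 while the answer's aws:RequestedRegion version covers every regional service, here is an added example (not part of the question or answer, and not AWS code): a small Python model of how IAM evaluates these two statements. It is a simplified evaluator (assumption): Allow statements only, implicit deny otherwise, resources ignored since both policies use "Resource": "*", and a StringEquals condition whose key is absent from the request context evaluates false. The request context is also modelled, as an assumption: aws:RequestedRegion is populated for every call, ec2:Region only for EC2 calls, and IAM calls are passed in with us-east-1, matching the quoted note about its single endpoint.

```python
import fnmatch
import json

# The policy from the answer, embedded verbatim as the sample input.
POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "NotAction": ["iam:*", "organizations:*", "account:*"],
            "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-2"}}
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteServiceLinkedRole",
                "iam:ListRoles",
                "organizations:DescribeOrganization",
                "account:ListRegions"
            ],
            "Resource": "*"
        }
    ]
}
""")

# The question's original variant: the same policy keyed on ec2:Region instead.
POLICY_EC2_REGION = json.loads(
    json.dumps(POLICY).replace("aws:RequestedRegion", "ec2:Region")
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action patterns use '*' wildcards, e.g. "iam:*"; fnmatchcase keeps
    # the comparison case-sensitive.
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(patterns))


def _statement_applies(stmt, action):
    if "Action" in stmt:
        return _action_matches(stmt["Action"], action)
    if "NotAction" in stmt:
        return not _action_matches(stmt["NotAction"], action)
    return False


def _condition_holds(condition, context):
    # Only StringEquals is modelled. A key that is absent from the request
    # context never equals anything, so the statement simply does not apply.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, context):
    """Simplified IAM evaluation (assumption): the policy contains only Allow
    statements, so a request is allowed iff some statement applies to the
    action and its condition holds; anything else is the implicit deny."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _statement_applies(stmt, action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def request_context(action, region):
    """Model (assumption) of the condition keys IAM populates for a request:
    aws:RequestedRegion is set for every call, ec2:Region only for EC2 calls.
    Callers pass us-east-1 for IAM, matching the quoted note about its endpoint."""
    service = action.split(":", 1)[0]
    ctx = {"aws:RequestedRegion": region}
    if service == "ec2":
        ctx["ec2:Region"] = region
    return ctx


def decision(policy, action, region):
    """True when the modelled evaluation allows `action` made against `region`."""
    return is_allowed(policy, action, request_context(action, region))


if __name__ == "__main__":
    for name, policy in (("ec2:Region", POLICY_EC2_REGION), ("aws:RequestedRegion", POLICY)):
        print(f"--- condition on {name}")
        for action, region in (("ec2:RunInstances", "us-east-2"),
                               ("lambda:CreateFunction", "us-east-2"),
                               ("lambda:CreateFunction", "us-west-2"),
                               ("iam:ListRoles", "us-east-1"),
                               ("iam:CreateUser", "us-east-1")):
            verdict = "ALLOW" if decision(policy, action, region) else "DENY"
            print(f"{action:24s} {region:10s} -> {verdict}")
```

Running it shows the symptom from the question: under the ec2:Region variant, lambda:CreateFunction in us-east-2 is denied because the Lambda request carries no ec2:Region key, so the first statement never applies; under aws:RequestedRegion the same call is allowed in us-east-2 and denied elsewhere. The IAM actions in the second statement are unconditional, which is why iam:ListRoles still works even though that call is made to us-east-1. For a real check of a candidate policy, the AWS CLI's `aws iam simulate-custom-policy` command evaluates the actual engine rather than this model.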