AWS deny access to VPC

Published 2019-07-15 00:27

We have a few users which basically have access to everything using the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Is there a way to restrict access to selected VPCs?

I have tried creating the following policy and attach it to the user (via a group):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1504660000000",
            "Effect": "Deny",
            "Action": [
                "ec2:*"
            ],
            "Resource": [
                "arn:aws:ec2:<REGION>:<ACCOUNT-ID>:vpc/<VPC-ID>"
            ]
        }
    ]
}

I have replaced <REGION>, <ACCOUNT-ID> and <VPC-ID>.

The policy simulator denies access (StartInstances, StopInstances, etc.) correctly. Nevertheless a user with this policy attached can still create EC2 instances within the VPC.

  1. Why does my policy not deny access to the VPC? As far as I know "Deny" overwrites "Allow".

  2. What is the correct way of achieving this? I have read through this and this but don't understand how it would restrict access.

2 answers
混吃等死
#2 · 2019-07-15 01:07

Here, you don't want to give permission to EC2 inside one VPC. So you should consider the VPC as a condition and EC2 as the resource.

Look at the code below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "arn:aws:ec2:region:account:subnet/*",
      "Condition": {
        "StringEquals": {
          "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"
        }
      }
    }
  ]
}

Explanation: here we are denying the EC2 permissions which are under a specific VPC. I have added subnet as the EC2 resource; it is optional. You may add it if required.

做自己的国王
#3 · 2019-07-15 01:08

It's a tricky one. You have to refer to [1] and include all actions and resources which support the ec2:Vpc condition, and deny those API actions. For other actions, you have to find conditions which are common to those API actions, include them in separate statement blocks, and deny them by other means, e.g. using tags or something else.

Also, as the users have AdministratorAccess, you have to make sure that the users cannot detach this Deny policy and escalate their privileges.

For other services which use a VPC, e.g. RDS, it is not possible.

[1] http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html
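The evaluation the two answers describe, as an added example that is not part of the original thread: a toy Python model of IAM's per-resource evaluation, run against constructed RunInstances and StartInstances requests. The region, account, VPC, subnet, security-group, AMI and instance identifiers are made up, and the model encodes which request resources expose the ec2:Vpc condition key (subnet, security group and network interface, but not the instance resource). It shows why the asker's Deny on the vpc/ ARN never matches a RunInstances call (the VPC ARN is not one of the resources that call is authorized against), why answer 1's subnet resource plus ec2:Vpc condition does match, and why, as answer 2 notes, the same condition cannot reach actions such as StartInstances that are authorized against the instance alone.

```python
"""Toy model of IAM evaluation for EC2 requests (added example, not from the
original thread).  It simplifies IAM: only Allow/Deny with Action, Resource
and a Condition limited to StringEquals/ArnEquals; no NotAction/NotResource,
no policy variables.  Region, account and all resource IDs are made up."""
import fnmatch

REGION = "eu-west-1"       # assumed
ACCOUNT = "123456789012"   # assumed
VPC = f"arn:aws:ec2:{REGION}:{ACCOUNT}:vpc/vpc-1a2b3c4d"  # assumed target VPC


def ec2_arn(resource):
    return f"arn:aws:ec2:{REGION}:{ACCOUNT}:{resource}"


# The asker's policies: full admin, plus a Deny on the VPC ARN itself.
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_VPC_ARN = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Deny", "Action": ["ec2:*"],
                               "Resource": [VPC]}]}
# Answer 1's shape: deny ec2:* on subnets whose ec2:Vpc is the target VPC.
DENY_VPC_CONDITION = {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Deny", "Action": "ec2:*",
                                     "Resource": ec2_arn("subnet/*"),
                                     "Condition": {"StringEquals": {"ec2:Vpc": VPC}}}]}

# Constructed requests.  IAM authorizes a call against the resource ARNs in
# the request, each carrying the condition keys EC2 exposes for that type.
# RunInstances never carries the vpc/ ARN itself; the VPC is visible only as
# the ec2:Vpc key on the subnet, security-group and network-interface resources.
RUN_INSTANCES = {
    "action": "ec2:RunInstances",
    "resources": {
        ec2_arn("instance/*"): {},
        ec2_arn("volume/*"): {},
        f"arn:aws:ec2:{REGION}::image/ami-0abcdef1234567890": {},
        ec2_arn("subnet/subnet-0a1b2c3d"): {"ec2:Vpc": VPC},
        ec2_arn("security-group/sg-0123456789abcdef0"): {"ec2:Vpc": VPC},
        ec2_arn("network-interface/*"): {"ec2:Vpc": VPC},
    },
}
# StartInstances is authorized against the instance ARN only, and the instance
# resource does not expose ec2:Vpc, so neither Deny statement can see the VPC.
START_INSTANCES = {
    "action": "ec2:StartInstances",
    "resources": {ec2_arn("instance/i-0123456789abcdef0"): {}},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action, resource, context):
    """True if the statement applies to this action/resource pair."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator not in ("StringEquals", "ArnEquals"):
            raise NotImplementedError(operator)
        # A key absent from the request context never satisfies an equality test.
        if any(context.get(key) != value for key, value in pairs.items()):
            return False
    return True


def evaluate(policies, request):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for the whole call.

    Every resource in the request must be allowed; one matching Deny on any
    resource rejects the call (explicit deny beats allow)."""
    statements = [s for p in policies for s in p["Statement"]]
    for resource, context in request["resources"].items():
        matched = [s for s in statements
                   if statement_matches(s, request["action"], resource, context)]
        if any(s["Effect"] == "Deny" for s in matched):
            return "explicit_deny"
        if not any(s["Effect"] == "Allow" for s in matched):
            return "implicit_deny"
    return "allow"


if __name__ == "__main__":
    for label, deny in (("deny on vpc/ ARN", DENY_VPC_ARN),
                        ("deny via ec2:Vpc", DENY_VPC_CONDITION)):
        for req in (RUN_INSTANCES, START_INSTANCES):
            print(f"{label:18} {req['action']:19} {evaluate([ADMIN, deny], req)}")
```

With the admin policy attached, the vpc/ ARN Deny leaves both calls allowed, while the ec2:Vpc-conditioned Deny blocks RunInstances into the target VPC but still allows StartInstances, which is exactly the gap answer 2 says has to be closed by other means such as tags.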
