Restrict IAM users to a single VPC

Backend · Open · 2 · 1999
青春惊慌失措 2021-01-27 18:48

I have two VPC in my account. One for Test and other for Prod environment.

I am trying to setup IAM user accounts for developers, with permission boundaries, so that deve

2 answers
  • 2021-01-27 18:57

    What I get is you are trying to restrict users to the services which are under a particular VPC. I did the same thing for allowing users to update Lambda functions which are inside a particular VPC only. This can be done like below:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAllResources",
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"
            },
            {
                "Sid": "DenyLambdaUpdatIfNotInsideVPC",
                "Effect": "Deny",
                "Action": [
                    "lambda:CreateFunction",
                    "lambda:UpdateFunctionConfiguration"
                ],
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {
                        "lambda:VpcIds": "your vpc id"
                    }
                }
            }
        ]
    }

    In this way you can restrict users from accessing the resources which are outside your VPC by writing services and their specific actions in the deny statement.

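As an added example (not part of the answer above), a minimal deny-overrides evaluator run against that policy, showing which request contexts the `StringNotEquals` Deny catches. The VPC ids are constructed placeholders, and the evaluator only implements the two string operators the policy needs.

```python
# Added example: a tiny IAM-style evaluator for the Lambda policy above.
# It models the documented rule for negated operators: when the condition
# key is absent from the request context, StringNotEquals evaluates to true.
import fnmatch

TEST_VPC, PROD_VPC = "vpc-test0001", "vpc-prod0002"  # constructed sample ids

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAllResources", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "DenyLambdaUpdateIfNotInsideVPC", "Effect": "Deny",
         "Action": ["lambda:CreateFunction",
                    "lambda:UpdateFunctionConfiguration"],
         "Resource": "*",
         "Condition": {"StringNotEquals": {"lambda:VpcIds": TEST_VPC}}},
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_matches(cond, context):
    """Return True when every operator/key pair in the Condition block holds."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = context.get(key)  # None when the key is not in the request
            if op == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif op == "StringNotEquals":
                # Missing key => condition is true => the Deny statement fires.
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(op)
    return True

def evaluate(policy, action, context):
    """Deny-overrides: a matching Deny wins, else a matching Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatch(action, a) for a in _as_list(stmt["Action"])):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Note the third case: a CreateFunction request with no VpcConfig carries no `lambda:VpcIds` key, so this policy denies it as well, which is usually what you want for a single-VPC boundary.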
  • 2021-01-27 19:05

    An Amazon VPC is a virtual network.

    It is not possible to control access to a network based on "users" because the network has no knowledge of users. It can only control traffic by IP address and protocol.

    If you want developers to be able to login to instances in Test environment, but not a Prod environment, you would either need to control access on the instances themselves (e.g. when they login to an EC2 instance), or control access to the network (e.g. by controlling access to a VPN connection or having developers access resources on a network with a known IP address range).

    This is exactly the same as controlling access on a corporate network — developers could be placed on a network that has access to Test resources, while Sys Admins could be placed on a network that has access to Prod resources. This has to do with how their computer is connected to the network, rather than "who" they are.

    If, instead, your goal is to restrict the Dev's ability to create/change resources in a VPC, then this can be done by adding conditions to IAM policies. For example, granting them the ability to launch an EC2 instance but only in the Test VPC.

    See: How to Help Lock Down a User’s Amazon EC2 Capabilities to a Single VPC | AWS Security Blog
