AWS deny access to VPC

Submitted by ♀尐吖头ヾ on 2019-12-11 01:14:17

Question

We have a few users which basically have access to everything using the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Is there a way to restrict access to selected VPCs?

I have tried creating the following policy and attach it to the user (via a group):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1504660000000",
            "Effect": "Deny",
            "Action": [
                "ec2:*"
            ],
            "Resource": [
                "arn:aws:ec2:<REGION>:<ACCOUNT-ID>:vpc/<VPC-ID>"
            ]
        }
    ]
}

I have replaced <REGION>, <ACCOUNT-ID> and <VPC-ID>.

The policy simulator denies access (StartInstances, StopInstances, etc.) correctly. Nevertheless, a user with this policy attached can still create EC2 instances within the VPC.

  1. Why does my policy not deny access to the VPC? As far as I know, "Deny" overwrites "Allow".

  2. What is the correct way of achieving this? I have read through this and this but don't understand how it would restrict access.


Answer 1:

It's a tricky one. You have to refer to and include all actions, including resources, which support the ec2:Vpc condition, and deny the API actions. For other actions, you have to find conditions which are common in API actions, include those actions in separate statement blocks, and deny those by other means, e.g. using tags or something else.

Also, as the users have AdministratorAccess, you have to make sure that the users cannot detach this Deny policy and escalate the privilege.

For other services which use VPC, e.g. RDS, it is not possible.

[1] http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html

Answer 2:

Here, you don't want to give permission to EC2 inside one VPC. So, you should consider the VPC as a condition and EC2 as the resource.

Look at the code below:

{
    "Effect": "Deny",
    "Action": "ec2:*",
    "Resource": "arn:aws:ec2:region:account:subnet/*",
    "Condition": {
        "StringEquals": {
            "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"
        }
    }
}

Explanation: here we are denying the EC2 permissions which are under a specific VPC. Here I have added subnet in the EC2 resource; it is optional. You may add it if required.
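The difference between the asker's Deny (resource = the VPC ARN itself) and this answer's Deny (resource = subnets, condition = ec2:Vpc) can be seen by running both through a small policy evaluator. The Python below is an added example and is not part of the Stack Overflow thread or of any AWS library: it models only identity policies, the explicit-deny-wins rule and the StringEquals operator, and the region, account id and subnet id it uses are constructed placeholders. The VPC id vpc-1a2b3c4d is the one from the answer above; `evaluate` is the example's own function, not an AWS API.

```python
import fnmatch

# Constructed sample values (not the asker's account): a region, an account id,
# the VPC id from the answer above, a second VPC and a subnet.
REGION, ACCOUNT = "us-east-1", "123456789012"
VPC_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:vpc/vpc-1a2b3c4d"
OTHER_VPC_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:vpc/vpc-0f0f0f0f"
SUBNET_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/subnet-11111111"

# The three policies from the thread: the admin policy, the asker's deny on the
# VPC ARN, and the answer's deny keyed on the ec2:Vpc condition.
ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

DENY_VPC_RESOURCE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["ec2:*"], "Resource": [VPC_ARN]}]}

DENY_VPC_CONDITION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:*",
     "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/*",
     "Condition": {"StringEquals": {"ec2:Vpc": VPC_ARN}}}]}


def _as_list(value):
    """IAM lets Action, Resource and condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM wildcard matching: '*' and '?' only, case-sensitive for ARNs."""
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Only StringEquals is modelled. A key absent from the request context
    makes the condition false, which is how IAM treats StringEquals too."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def _applies(stmt, action, resource, context):
    """A statement applies when action, resource and condition all match."""
    return (any(_glob(a, action) for a in _as_list(stmt["Action"]))
            and any(_glob(r, resource) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), context))


def evaluate(policies, action, resource, context=None):
    """Simplified identity-policy evaluation for ONE action on ONE resource:
    an explicit Deny wins over any Allow, and nothing matching is an implicit
    deny. Real IAM authorises each resource of a multi-resource call such as
    RunInstances separately; call this once per resource to model that."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision


if __name__ == "__main__":
    # ec2:Vpc is the context key IAM fills in for VPC-scoped resources such as subnets.
    in_vpc = {"ec2:Vpc": VPC_ARN}
    elsewhere = {"ec2:Vpc": OTHER_VPC_ARN}
    # Asker's policy: denied only when the request resource is the VPC ARN itself.
    print(evaluate([ADMIN, DENY_VPC_RESOURCE], "ec2:DeleteVpc", VPC_ARN))
    print(evaluate([ADMIN, DENY_VPC_RESOURCE], "ec2:RunInstances", SUBNET_ARN, in_vpc))
    # Answer's policy: denied for a subnet inside the VPC, allowed elsewhere.
    print(evaluate([ADMIN, DENY_VPC_CONDITION], "ec2:RunInstances", SUBNET_ARN, in_vpc))
    print(evaluate([ADMIN, DENY_VPC_CONDITION], "ec2:RunInstances", SUBNET_ARN, elsewhere))
```

The run shows why the simulator and the console disagreed in the question: the asker's Deny names the VPC ARN as its resource, so it only matches requests whose resource is that VPC (the simulator case), while RunInstances is authorised against the subnet, instance and similar resources, which the VPC ARN never matches. The condition-based Deny matches the subnet resource and fires only when the request's ec2:Vpc context equals the target VPC, which is exactly the check the answer describes.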



Source: https://stackoverflow.com/questions/46065944/aws-deny-access-to-vpc
