Scope:
- Core Concept: IAM Policy Conditions,
- AwsSourceIP — Restrict by Caller’s IP Address,
- AwsRequestedRegion — Restrict Target Region of API Call,
- SourceIp vs RequestedRegion Comparison Table,
- Combined Example — Network + Region Restriction (Defense in Depth),
- Best Practices,
- Visualization (Diagrams)
Core Concept:
IAM Policy Conditions
IAM Condition keys refine
permissions by evaluating specific attributes (context)
of the API request — like:
- Where it came from (SourceIp)
- Which region it targets (RequestedRegion)
- Who made it (aws:PrincipalArn)
- When it occurred (aws:CurrentTime)
twtech can use these keys in IAM
Policies, SCPs (Service Control Policies), or Permission Boundaries.
1. AwsSourceIP
— Restrict by Caller’s IP Address
Purpose:
Controls where the API call originates from (the network source of
the caller).
Used to ensure API requests only
come from:
- Specific on-prem or corporate networks
- Known VPN or bastion IPs
- Cloud infrastructure (like AWS VPC Endpoints or CIDR ranges)
How it works:
When an IAM principal calls an AWS API
(via CLI, SDK, or console), AWS captures the public IP address of the
request source.
NB:
This
value is compared to the condition in twech policy.
twtechExample
Policy — Allow Only Specific IP Ranges
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"NotIpAddressIfExists": {
"aws:SourceIp": [
"203.0.113.0/24",
"198.51.100.0/24"
]
},
"Action": "*",
"Resource": "*"
}
]
}
# Meaning:
- Any API request not coming from those CIDRs will be denied.
- Works in both IAM policies and SCPs.
Caveats (limitation or condition):
|
Limitation |
Description |
|
|
π NAT & VPN |
Requests via NAT or proxy may appear
to come from a single IP. |
|
|
π« VPC Endpoint Calls |
Calls from AWS PrivateLink / VPC
endpoints show AWS internal IPs (use aws:VpcSourceIp
or aws:SourceVpce instead). |
|
|
π» Console Access |
Console requests go through AWS
front-end IPs, so IP filtering may break console access. |
|
|
☁️ Multi-Region |
IP restriction applies globally —
doesn’t vary per region. |
|
π 2. AwsRequestedRegion
— Restrict
Target Region of API Call
Purpose:
Controls where the API call is being made to
— the AWS Region that the API operation
targets.
Useful for:
- Enforcing data residency (e.g., only use us-east-2)
- Restricting deployment sprawl
across regions
- Compliance and governance guardrails in
multi-account orgs
How it works:
Every AWS API call targets a region —
e.g., ec2.amazonaws.com in us-west-2.
The condition key aws:RequestedRegion
reflects that region and can be evaluated in IAM or SCPs.
twtechExample
SCP — Deny API Calls Outside Allowed Regions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "twtechDenyAccessOutsideApprovedRegions",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringNotEqualsIfExists": {
"aws:RequestedRegion": [
"us-east-1",
"us-west-2"
]
}
}
}
]
}
# Meaning:
- Any API call made to another
region (e.g., eu-west-1) is denied.
- Excellent for organization-wide
regional control via SCPs.
Caveats
(limitation or condition):
|
Limitation |
Description |
|
π§Ύ Global Services |
Doesn’t apply to global services
like IAM, CloudFront, Route53, etc. |
|
π Cross-Region APIs |
Some services (like S3) can make
cross-region calls; behavior can vary. |
|
πͺ Console UX |
The AWS console may show partial
errors when regions are blocked. |
3. SourceIP vs RequestedRegion Comparison Table
|
Aspect |
AwsSourceIP |
AwsRequestedRegion |
|
What it restricts |
Originating IP of the request |
AWS Region targeted by the API call |
|
Primary Use Case |
Network-level access control |
Data residency and governance |
|
Typical Scope |
IAM or SCP |
Primarily SCP |
|
Applies To |
All AWS APIs (except console proxy nuance) |
Region-scoped APIs |
|
Useful for |
Locking API usage to corporate/VPN
IPs |
Restricting deployments to certain
regions |
|
Global Services Impact |
Works globally |
Has no effect on global services |
|
Common Pairing |
aws:SourceVpce for VPC Endpoint
control |
aws:RequestedService for finer
control |
|
Policy Type Example |
IAM Condition: IpAddress |
SCP Condition: StringEquals |
|
Example Scenario |
Deny requests not from company IP |
Deny operations outside us-east-1 |
4. Combined
Example — Network + Region Restriction (Defense in Depth)
NB:
twtech can combine both
conditions for layered control.
twtechExample SCP — Deny API Calls from UnTrusted Sources (IP and Region)
# json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "twtechDenyIfNotTrustedIPorRegion",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:ViaAWSService": "false"
},
"StringNotEqualsIfExists": {
"aws:RequestedRegion": ["us-east-1", "us-west-2"]
},
"NotIpAddressIfExists": {
"aws:SourceIp":
["203.0.113.0/24", "198.51.100.0/24"]
}
}
}
]
}
Result:
- Requests
must come from allowed IPs and
target allowed regions.
- Denies all
other requests — even if the principal has IAM permissions.
5. Best
Practices
· Use SCPs for org-wide
enforcement:
Apply aws:RequestedRegion and aws:SourceIp conditions in Service Control
Policies at the OU or account level.
· Combine with aws:SourceVpce for
internal traffic enforcement:
This helps enforce VPC-only access (instead of relying on public IPs).
· Test in “Allow” mode first:
Start with a logging or Allow policy to evaluate which APIs and
IPs are in use before applying a Deny.
· Document allowed IPs and regions
centrally:
Keep these values parameterized (e.g.,
via AWS Config or Control Tower guardrails).
Visualization (Diagram)
Request Path Evaluation text
diagram:
[User / App]
│
├── Source IP (e.g., 203.0.113.45)
│
▼
[AWS API Gateway / Service Endpoint]
│
├── Evaluates aws:SourceIp → Must match allowlist
│
├── Evaluates aws:RequestedRegion → Must be in allowed region set
│
▼
[Authorized AWS API Execution]
No comments:
Post a Comment