Scope:
- Intro,
- Implementation Strategies,
- Policy Sample (Deny Outside Specified Parameters),
- Key Considerations to Deny Policy Outside Specified Parameters,
- Core Concept of IAM Policy Conditions,
- AwsSourceIP Restrict by Caller’s IP Address,
- Sample Policy that Allows Only Specific IP Ranges
- AwsRequestedRegion that Restricts Target Region of API Calls,
- Limitation or condition
- SourceIp vs RequestedRegion Comparison Table,
- Combined Sample Policy of Network + Region Restriction (Defense in Depth),
- Sample SCP that Deny API Calls from UnTrusted Sources (IP and Region),
- Result (explanation of policy),
- Best Practices,
- Visualization (Diagram) Request Path Evaluation.
Intro:
- aws:SourceIp: Restricts requests to specific public IP address ranges.
- aws:RequestedRegion: Restricts requests based on the AWS Region to which the API call is made.
- Explicit Deny: Most secure for broad restrictions. Denies all actions if the condition is not met, regardless of other permissions.
- Contextual Allow: Grants permissions only when the request comes from a specific IP and targets a specific region.
- Global Services: Restricting by region can break global services like IAM, Route 53, and CloudFront because they often use the
us-east-1endpoint. - AWS Service Calls: Using
aws:SourceIpcan block AWS services (like CloudFormation) that act on twtech behalf. - Use the aws:ViaAWSService key to allow these services while still restricting direct user access.
- VPC Endpoints: The
aws:SourceIpkey is generally not available for requests made through VPC endpoints; useaws:VpcSourceIporaws:SourceVpcinstead.
Core Concept of IAM Policy Conditions
- Restrict aws SourceIP & aws RequestedRegion is the part of IAM policy conditions that enforces Geo and Network-level governance in AWS environments.
- IAM Condition keys refine permissions by evaluating specific attributes (context) of the API request — like:
- Where it came from (SourceIp)
- Which region it targets (RequestedRegion)
- Who made it (aws:PrincipalArn)
- When it occurred (aws:CurrentTime)
NB:
twtech can use these keys in IAM Policies, SCPs (Service Control Policies), or Permission Boundaries.
1. AwsSourceIP Restrict by Caller’s IP Address
Purpose:
- Controls where the API call originates from (the network source of the caller).
- Used to ensure API requests only come from:
- Specific on-prem or corporate networks
- Known VPN or bastion IPs
- Cloud infrastructure (like AWS VPC Endpoints or CIDR ranges)
How it works:
When an IAM principal calls an AWS API
(via CLI, SDK, or console), AWS captures the public IP address of the
request source.
NB:
This
value is compared to the condition in twech policy.
twtech-Sample
Policy that Allows Only Specific IP Ranges
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"NotIpAddressIfExists": {
"aws:SourceIp": [
"203.0.113.0/24",
"198.51.100.0/24"
]
},
"Action": "*",
"Resource": "*"
}
]
}
# Meaning:
- Any API request not coming from those CIDRs will be denied.
- Works in both IAM policies and SCPs.
Caveats (limitation or condition):
|
Limitation |
Description |
|
|
🌐 NAT & VPN |
Requests via NAT or proxy may appear
to come from a single IP. |
|
|
🚫 VPC Endpoint Calls |
Calls from AWS PrivateLink / VPC
endpoints show AWS internal IPs (use aws:VpcSourceIp
or aws:SourceVpce instead). |
|
|
💻 Console Access |
Console requests go through AWS
front-end IPs, so IP filtering may break console access. |
|
|
☁️ Multi-Region |
IP restriction applies globally —
doesn’t vary per region. |
|
🌎 2. AwsRequestedRegion that RestrictsTarget Region of API Call
Purpose:
Controls where the API call is being made to
— the AWS Region that the API operation
targets.
Useful for:
- Enforcing data residency (e.g., only use us-east-1)
- Restricting deployment sprawl across regions
- Compliance and governance guardrails in multi-account orgs
How it works:
- Every AWS API call targets a region — e.g., ec2.amazonaws.com in us-west-2.
- The condition key aws:RequestedRegion reflects that region and can be evaluated in IAM or SCPs.
twtechSample
SCP that Deny API Calls Outside Allowed Regions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "twtechDenyAccessOutsideApprovedRegions",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringNotEqualsIfExists": {
"aws:RequestedRegion": [
"us-east-1",
"us-west-2"
]
}
}
}
]
}
# Meaning:
- Any API call made to another region (e.g., eu-west-1) is denied.
- Excellent for organization-wide regional control via SCPs.
Limitation or condition:
|
Limitation |
Description |
|
🧾 Global Services |
Doesn’t apply to global services
like IAM, CloudFront, Route53, etc. |
|
🌐 Cross-Region APIs |
Some services (like S3) can make varying behaviour for cross-region calls. |
|
🪄 Console UX |
The AWS console may show partial
errors when regions are blocked. |
3. SourceIP vs RequestedRegion Comparison Table
|
Aspect |
AwsSourceIP |
AwsRequestedRegion |
|
What it restricts |
Originating IP of the request |
AWS Region targeted by the API call |
|
Primary Use Case |
Network-level access control |
Data residency and governance |
|
Typical Scope |
IAM or SCP |
Primarily SCP |
|
Applies To |
All AWS APIs (except console proxy nuance) |
Region-scoped APIs |
|
Useful for |
Locking API usage to corporate/VPN
IPs |
Restricting deployments to certain
regions |
|
Global Services Impact |
Works globally |
Has no effect on global services |
|
Common Pairing |
aws:SourceVpce for VPC Endpoint
control |
aws:RequestedService for finer
control |
|
Policy Type Example |
IAM Condition: IpAddress |
SCP Condition: StringEquals |
|
Example Scenario |
Deny requests not from company IP |
Deny operations outside us-east-1 |
4. Combined Sample of Network + Region Restriction (Defense in Depth)
NB:
twtech can combine both conditions for layered control.
twtech-Sample SCP that Deny API Calls from UnTrusted Sources (IP and Region)
# json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "twtechDenyUnTrustedIPAndRegion",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:ViaAWSService": "false"
},
"StringNotEqualsIfExists": {
"aws:RequestedRegion": ["us-east-1", "us-west-2"]
},
"NotIpAddressIfExists": {
"aws:SourceIp":
["203.0.113.0/24", "198.51.100.0/24"]
}
}
}
]
}
Result (explanation of policy)
- Requests
must Only come from above listed IPs and regions.
- Denies all other requests — even if the principal has IAM permissions.
5. Best
Practices
· Use SCPs for org-wide
enforcement:
- Apply aws:RequestedRegion and aws:SourceIp conditions in Service Control Policies at the OU or account level.
· Combine with aws:SourceVpce for
internal traffic enforcement:
- This helps enforce VPC-only access (instead of relying on public IPs).
· Test in “Allow” mode first:
- Start with a logging or Allow policy to evaluate which APIs and IPs are in use before applying a Deny.
· Document allowed IPs and regions
centrally:
- Keep these values parameterized (e.g., via AWS Config or Control Tower guardrails).
Visualization (Diagram) Request Path Evaluation :
No comments:
Post a Comment