
I want to block all user access to almost all AWS regions. You can't "disable" a region that is enabled by default. Also, I am aware of permissions that are account level and can't be restricted regionally.

I don't want to have to add a policy like this to every user/role/group:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": [
                        "eu-west-1",
                        "eu-west-2",
                        "eu-west-3"
                    ]
                }
            }
        }
    ]
}

You can't nest groups, so I can't have a top-level group I put all other groups in that has this policy.

You can't add roles to groups. So for my SAM templates for my serverless apps, do I have to add this policy to all of them? They dynamically create a unique role and policy for each app (and I want to keep it that way).

Is there any way at all to enforce a policy for all users and roles in an account? I must be missing something, because this seems like a pita to manage.

In Active Directory we could just apply policies at the OU/domain/site/etc. level easily. It feels like a basic feature of a security and identity platform.

Is there a way to apply this policy at my AWS organization level?

red888

1 Answer

Service Control Policies do exactly what you've asked for. You can block regions, but beware that some services are global, so they need to be whitelisted. For example IAM, WAF, Route53, CloudFront, and some parts of S3 need to be whitelisted to run outside the permitted regions.

The AWS Service Control Policy Example page has this as the first example, as it's the most common use case for SCPs. This policy denies regions outside the two listed; it's easy to change.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideEU",
            "Effect": "Deny",
            "NotAction": [
                "a4b:*",
                "acm:*",
                "aws-marketplace-management:*",
                "aws-marketplace:*",
                "aws-portal:*",
                "awsbillingconsole:*",
                "budgets:*",
                "ce:*",
                "chime:*",
                "cloudfront:*",
                "config:*",
                "cur:*",
                "directconnect:*",
                "ec2:DescribeRegions",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeVpnGateways",
                "fms:*",
                "globalaccelerator:*",
                "health:*",
                "iam:*",
                "importexport:*",
                "kms:*",
                "mobileanalytics:*",
                "networkmanager:*",
                "organizations:*",
                "pricing:*",
                "route53:*",
                "route53domains:*",
                "s3:GetAccountPublic*",
                "s3:ListAllMyBuckets",
                "s3:PutAccountPublic*",
                "shield:*",
                "sts:*",
                "support:*",
                "trustedadvisor:*",
                "waf-regional:*",
                "waf:*",
                "wafv2:*",
                "wellarchitected:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "eu-central-1",
                        "eu-west-1"
                    ]
                },
                "ArnNotLike": {
                    "aws:PrincipalARN": [
                        "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
                        "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
                    ]
                }
            }
        }
    ]
}

Tim
  • perfect. now NotAction here is only required `Because global services have endpoints that are physically hosted by the us-east-1 Region`. Does this mean that if us-east-1 is one of the regions I want to allow (which it actually is) I can remove the whole NotAction thing from this policy because `us-east-1` will be one of the `aws:RequestedRegion` conditions. Is this correct? – red888 Dec 16 '20 at 17:21
  • Nope, don't touch the NotAction. The only things you should change are the regions listed (which are a whitelist) and adding any additional services you want to run in any region. If you want to understand what NotAction does you should read the IAM Policy documentation. – Tim Dec 16 '20 at 18:53
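To see why the NotAction list matters before rolling the SCP out, it helps to evaluate the statement's logic offline. The script below is an added example, not part of the answer and not AWS's own policy simulator: it models only the operators this statement uses (Deny, NotAction, StringNotEquals, ArnNotLike) and answers one question, "does this statement deny the request?". The NotAction list is abbreviated to a handful of the entries from the answer, and the principal ARNs and account id are constructed sample values. A real SCP evaluation also needs an Allow from the caller's identity policy, which is not modelled.

```python
"""Offline evaluator for the region-restriction SCP above (no AWS calls)."""
import re

# Abbreviated copy of the answer's statement: a few global-service
# exemptions stand in for the full NotAction list.
REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideEU",
        "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "cloudfront:*", "route53:*",
                      "ec2:DescribeRegions", "s3:ListAllMyBuckets",
                      "s3:GetAccountPublic*", "s3:PutAccountPublic*"],
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]},
            "ArnNotLike": {"aws:PrincipalARN": [
                "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
                "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"]},
        },
    }],
}


def _glob(pattern: str, ignore_case: bool) -> re.Pattern:
    """IAM-style wildcard: '*' matches any run of characters, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.compile(regex, re.IGNORECASE if ignore_case else 0)


def _action_matches(action: str, patterns: list) -> bool:
    # Action names are matched case-insensitively.
    return any(_glob(p, True).match(action) for p in patterns)


def _condition_holds(cond: dict, ctx: dict) -> bool:
    """All condition operators must be true for the statement to apply."""
    for key, values in cond.get("StringNotEquals", {}).items():
        actual = ctx.get(key)
        # A negated operator is true when the key is absent from the request.
        if actual is not None and actual in values:
            return False
    for key, patterns in cond.get("ArnNotLike", {}).items():
        actual = ctx.get(key)
        if actual is not None and any(_glob(p, False).match(actual) for p in patterns):
            return False
    return True


def scp_denies(policy: dict, action: str, ctx: dict) -> bool:
    """True if any Deny statement in the policy applies to this request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "NotAction" in stmt:
            # NotAction: the statement applies to every action NOT listed.
            applies = not _action_matches(action, stmt["NotAction"])
        else:
            applies = _action_matches(action, stmt.get("Action", []))
        if applies and _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False


def demo() -> dict:
    """Constructed requests from a normal deploy role and from a bypass role."""
    deployer = {"aws:PrincipalARN": "arn:aws:iam::123456789012:role/Deployer"}
    bypass = {"aws:PrincipalARN": "arn:aws:iam::123456789012:role/Role1AllowedToBypassThisSCP"}
    return {
        # Regional call outside the whitelist: denied.
        "ec2_us_west_2": scp_denies(REGION_SCP, "ec2:RunInstances",
                                    {**deployer, "aws:RequestedRegion": "us-west-2"}),
        # Same call in a whitelisted region: not denied.
        "ec2_eu_west_1": scp_denies(REGION_SCP, "ec2:RunInstances",
                                    {**deployer, "aws:RequestedRegion": "eu-west-1"}),
        # Global service hosted out of us-east-1: exempted by NotAction.
        "iam_us_east_1": scp_denies(REGION_SCP, "iam:CreateRole",
                                    {**deployer, "aws:RequestedRegion": "us-east-1"}),
        # Account-level S3 call matched by the "s3:GetAccountPublic*" wildcard.
        "s3_account_public": scp_denies(REGION_SCP, "s3:GetAccountPublicAccessBlock",
                                        {**deployer, "aws:RequestedRegion": "us-east-1"}),
        # Ordinary S3 call outside the whitelist: denied.
        "s3_create_bucket": scp_denies(REGION_SCP, "s3:CreateBucket",
                                       {**deployer, "aws:RequestedRegion": "us-west-2"}),
        # Bypass role matched by ArnNotLike: the statement does not apply.
        "bypass_role": scp_denies(REGION_SCP, "ec2:RunInstances",
                                  {**bypass, "aws:RequestedRegion": "us-west-2"}),
    }


if __name__ == "__main__":
    for name, denied in demo().items():
        print(f"{name:20s} {'DENY' if denied else 'not denied by SCP'}")
```

Dropping NotAction in favour of `"Action": "*"` would make the statement apply to the exempted global-service calls as well, so before changing the allowed regions it is worth re-running a table like `demo()` against the full list from the answer and the regions you actually intend to permit.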