Switch Role on Windows10 Fails with AWS Source IP

Question

When a user on Windows 10 tries to switch roles in AWS it fails with

Failed authentication

We have a Condition in our sts:AssumeRole policy to only allow the role to switch if the user is coming from a white-listed IP address. Those addresses correspond to our NAT IP's. The user googles "what's my IP" and it returns the NAT IP we expect to see.

What's peculiar is the IP address in the CloudTrail logs is not our NAT IP. It is owned by AWS.

We have tried this in Chrome and Firefox with the same result. What I expect to happen is the user switches roles without an issue.

This issue does not occur when using Windows7 or MacOS.

Thoughts?

Answer 1

That address 76.223.160.183 is not AWS address. It doesn't show up in any advertised AWS range in any region. Verified with filter-ip-ranges.

Although the IP block is owned by by Amazon the relevant 76.223.160.0/21 was delegated to Netskope Inc, check your whois output again. From the Wikipedia article about Netskope:

Netskope [...] helps companies protect data and protect against threats in cloud applications, cloud infrastructure, and the web. [...] The solution steers cloud and Web traffic to a cloud-native service for the purposes of inspection and policy enforcement.

So my conclusion is that the Windows 10 laptop has some sort of Netskope service or plugin installed that redirects some traffic to Netskope servers for inspection. From there it's forwarded to AWS but as it comes from Netskope IP range it fails your IAM Condition.

BTW Why it doesn't interfere with "what's my IP" I'm not sure, probably some whitelist in the plugin.

Hope that helps :)