You can now use aws:RequestedRegion as a global condition key to control which regions your users can make calls to, regardless of whether the underlying AWS service supports region-level controls or not.
For IAM policies to take effect, they must be attached to a role, group or user (in that order of preference).
IAM policy examples
Limit API access for users and services to EU regions only and global
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideEU",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-central-1",
            "eu-west-1",
            "eu-west-2",
            "eu-west-3"
          ]
        }
      }
    }
  ]
}
This snippet limits region-based API requests to eu-central-1, eu-west-1, eu-west-2 and eu-west-3. The statement is built from a Deny of all actions on all resources, with the condition "aws:RequestedRegion": followed by a comma-delimited array of AWS::Region values. The AWS::Region codes can be looked up in the table below.
There can be issues with CloudFront/ACM when working with certificates, as one needs to access those resources in us-east-1. You might need to add an exception for ACM to the policy.
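As an added example (not code from the post), a minimal Python evaluator for the Deny statement above: it models IAM's StringNotEquals semantics for aws:RequestedRegion and also checks a hypothetical variant that uses NotAction to exempt ACM and CloudFront, the kind of exception the previous paragraph refers to. Assumptions: only Deny statements and the StringNotEquals operator are modelled, and the acm:*/cloudfront:* carve-out is my own, not from the post.

```python
import copy
import fnmatch

EU_REGIONS = ["eu-central-1", "eu-west-1", "eu-west-2", "eu-west-3"]

# The post's policy: explicit Deny of everything outside the four EU regions.
DENY_OUTSIDE_EU = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideEU", "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": EU_REGIONS}},
    }],
}

# Hypothetical variant (assumption, not from the post): Action becomes NotAction so
# the Deny no longer covers ACM and CloudFront, which must be called in us-east-1.
DENY_OUTSIDE_EU_EXCEPT_CDN = copy.deepcopy(DENY_OUTSIDE_EU)
_stmt = DENY_OUTSIDE_EU_EXCEPT_CDN["Statement"][0]
del _stmt["Action"]
_stmt["NotAction"] = ["acm:*", "cloudfront:*"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(stmt, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    def hit(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))
    if "Action" in stmt:
        return hit(stmt["Action"])
    return not hit(stmt["NotAction"])  # NotAction: every action except those listed

def _condition_matches(cond, context):
    # Only StringNotEquals is modelled, the operator the post's policy uses.
    for key, values in cond.get("StringNotEquals", {}).items():
        if key not in context:
            return True  # negated operators match when the key is absent from the request
        if context[key] in _as_list(values):
            return False  # region is one of the listed values, statement does not apply
    return True

def is_denied(policy, action, region):
    """True when an explicit Deny in `policy` applies to `action` made in `region`."""
    context = {"aws:RequestedRegion": region} if region else {}
    return any(
        stmt["Effect"] == "Deny"
        and _action_matches(stmt, action)
        and _condition_matches(stmt.get("Condition", {}), context)
        for stmt in policy["Statement"]
    )
```

The variant only stops this policy from denying ACM and CloudFront calls; the caller still needs an Allow from another policy for those actions to succeed.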
Region Table
Region | Name | AWS::Region |
---|---|---|
US East 1 | N. Virginia | us-east-1 |
US East 2 | Ohio | us-east-2 |
US West 1 | N. California | us-west-1 |
US West 2 | Oregon | us-west-2 |
Canada Central 1 | Central | ca-central-1 |
Asia Pacific South 1 | Mumbai | ap-south-1 |
Asia Pacific North-East 1 | Tokyo | ap-northeast-1 |
Asia Pacific North-East 2 | Seoul | ap-northeast-2 |
Asia Pacific North-East 3 | Osaka-Local | ap-northeast-3 |
Asia Pacific South-East 1 | Singapore | ap-southeast-1 |
Asia Pacific South-East 2 | Sydney | ap-southeast-2 |
China North 1 | Beijing | cn-north-1 |
China North-West 1 | Ningxia | cn-northwest-1 |
EU Central 1 | Frankfurt | eu-central-1 |
EU West 1 | Ireland | eu-west-1 |
EU West 2 | London | eu-west-2 |
EU West 3 | Paris | eu-west-3 |
South America East 1 | Sao Paulo | sa-east-1 |
For more information, see Reference Policy Conditions.
CloudFormation - YAML
Description: Managed Policies Examples
AWSTemplateFormatVersion: '2010-09-09'
Metadata:
  Version: 0.1
  Author: Angelique Dawnbringer
  Changes: initial commit - Added gov-policy-restrict-to-eu-access
  Email: angelique.dawnbringer.net
  Phone: +46727043617
Resources:
  GovEUonlyPolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      ManagedPolicyName: gov-policy-restrict-api-to-eu-v0.1
      Description: Policy that restricts API access to EU-based resources and APIs only # https://www.dawnbringer.net/blog/1057/AWS:%20Limit%20API%20Access
      PolicyDocument:
        Version: '2012-10-17' # quoted so YAML does not parse it as a date
        Statement:
          - Sid: DenyAllOutsideEU
            Effect: Deny # explicit deny of all non-EU requests. This will potentially "hurt" CloudFront; needs checking / consideration
            Action:
              - '*'
            Resource:
              - '*'
            Condition:
              StringNotEquals:
                'aws:RequestedRegion':
                  - 'eu-central-1' # Frankfurt
                  - 'eu-west-1' # Ireland
                  - 'eu-west-2' # London
                  - 'eu-west-3' # Paris
Outputs:
  GovEUonlyPolicy:
    Value: !Ref GovEUonlyPolicy
    Description: ARN of the policy
    Export: # optional
      Name: !Sub '${AWS::StackName}-GovEUonlyPolicy'