Region Based IAM Policy example

Taegu Kang
  • outline

Events that occur, or resources that get created, in regions you do not actually use frequently end up as security incidents (an attacker running workloads where nobody is looking) or as unexpected charges. It is therefore safer to restrict permissions in every region other than the one in use. Below is an AdministratorAccess-style policy that grants full access only in the region in use (ap-northeast-2, Seoul) and, for global services, in us-east-1.

  • AdministratorAccessOnlySeoul
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:*",
                "route53:*",
                "iam:*",
                "support:*",
                "access-analyzer:*",
                "route53domains:*",
                "sso:*",
                "sso-directory:*",
                "rolesanywhere:*",
                "rds-db:*",
                "elemental-support-cases:*",
                "elemental-support-content:*",
                "supportapp:*",
                "supportplans:*",
                "ce:*",
                "cur:*",
                "billing:*",
                "billingconductor:*",
                "aws-portal:*",
                "consolidatedbilling:*",
                "s3:*",
                "s3-object-lambda:*",
                "s3-outposts:*",
                "budgets:*",
                "organizations:*",
                "globalaccelerator:*",
                "directconnect:*",
                "fms:*",
                "waf:*",
                "waf-regional:*",
                "wafv2:*",
                "shield:*",
                "arc-zonal-shift:*",
                "route53-recovery-cluster:*",
                "route53-recovery-control-config:*",
                "route53-recovery-readiness:*",
                "route53resolver:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": [
                        "ap-northeast-2"
                    ]
                }
            }
        }
    ]
}
  • notes

Global services are served out of us-east-1, so their actions must be allowed with aws:RequestedRegion set to us-east-1 even when all your work happens in Seoul. The global services covered by the first statement above are:
AWS Identity and Access Management (IAM), AWS Organizations, Amazon CloudFront, Amazon Route 53, AWS Global Accelerator, AWS Direct Connect, AWS Firewall Manager, AWS WAF, AWS Shield, Amazon S3, AWS Cost Explorer, AWS Billing, AWS Budgets

Two caveats worth keeping in mind. First, the policy above contains only Allow statements, so it limits what this policy grants; it does not stop another policy attached to the same user or role (the managed AdministratorAccess policy, for instance) from granting access in other regions. For a hard boundary, add an explicit Deny with a StringNotEquals condition on aws:RequestedRegion, or enforce it account-wide with a service control policy. Second, S3 is only partly global: account-level calls such as listing all buckets are reported as us-east-1, while actions on a specific bucket carry that bucket's own region, so a bucket in ap-northeast-2 is covered by the second statement rather than the first.
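To make the evaluation concrete, here is an added example (my own code, not part of the original post and not an AWS tool): a small offline model of IAM policy evaluation that runs the page's policy, abbreviated to a handful of action prefixes, against sample requests. It also includes a hypothetical Deny-based counterpart, DENY_OUTSIDE_POLICY, and a stand-in for the managed AdministratorAccess policy; both are assumptions made for the demonstration. Resource matching is skipped because every statement on the page uses "Resource": "*", and the evaluator handles only the StringEquals and StringNotEquals operators.

```python
"""Offline evaluator for IAM statements that use aws:RequestedRegion.

Added example (not AWS code and not from the original post): a simplified model of
IAM policy evaluation, enough to show how the region condition behaves and why an
Allow-only policy does not, by itself, keep an identity out of other regions.
Resource matching is ignored because every statement on the page uses "Resource": "*".
"""
import fnmatch

# Global-service action prefixes, shortened from the page's first statement.
GLOBAL_ACTIONS = ["iam:*", "cloudfront:*", "route53:*", "organizations:*", "s3:*"]

# The page's AdministratorAccessOnlySeoul policy, abbreviated to the same shape.
ALLOW_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": GLOBAL_ACTIONS, "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": ["us-east-1"]}}},
        {"Effect": "Allow", "Action": "*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": ["ap-northeast-2"]}}},
    ],
}

# Hypothetical Deny-based counterpart (assumption: same region split, written as
# explicit Deny statements so it also overrides Allows granted by other policies).
DENY_OUTSIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Regional services: deny anything not aimed at Seoul.
        {"Effect": "Deny", "NotAction": GLOBAL_ACTIONS, "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ap-northeast-2"]}}},
        # Global services report us-east-1, but S3 buckets can live anywhere,
        # so also deny them outside us-east-1 and Seoul.
        {"Effect": "Deny", "Action": GLOBAL_ACTIONS, "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "ap-northeast-2"]}}},
    ],
}

# A broad policy that might also be attached to the same identity (same shape as
# the AWS managed AdministratorAccess policy).
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _statement_covers(stmt, action):
    if "Action" in stmt:
        return _action_matches(stmt["Action"], action)
    return not _action_matches(stmt["NotAction"], action)


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # A missing key makes the negated operator true (IAM semantics).
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def evaluate(policies, action, region):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    Mirrors the IAM rule of thumb: an explicit Deny in any policy wins, otherwise
    an Allow in any policy wins, otherwise the request is implicitly denied.
    """
    context = {"aws:RequestedRegion": region}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_covers(stmt, action):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    cases = [("iam:CreateUser", "us-east-1"), ("ec2:RunInstances", "ap-northeast-2"),
             ("ec2:RunInstances", "us-west-2"), ("s3:CreateBucket", "eu-west-1")]
    for label, policies in [("page policy alone", [ALLOW_ONLY_POLICY]),
                            ("page policy + AdministratorAccess", [ALLOW_ONLY_POLICY, ADMINISTRATOR_ACCESS]),
                            ("Deny policy + AdministratorAccess", [DENY_OUTSIDE_POLICY, ADMINISTRATOR_ACCESS])]:
        for action, region in cases:
            print(f"{label:36} {action:18} {region:15} -> {evaluate(policies, action, region)}")
```

Running it prints one decision per combination of policy set, action and region. The rows to look at are ec2:RunInstances in us-west-2: the page's policy implicitly denies it on its own, it becomes Allow the moment AdministratorAccess is also attached, and only the Deny-based policy turns it into an explicit deny that no other Allow can override.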

  • reference

https://ktg0210.hashnode.dev/global-based-aws-service-not-region-based
