AWS IAM POLICY EXAMPLES
- Restrict all AWS API calls
In this example, the IAM policy statement explicitly denies the s3:GetObject action on objects within the “example-bucket” S3 bucket whenever the request originates from an IP address within the range 192.0.2.0/24. Because an explicit Deny overrides any Allow granted elsewhere, reads from that range are blocked regardless of what other policies permit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
- AWS S3 Bucket Policy Restrict IP
In this example, the IAM policy rule allows the s3:GetObject action on objects within the “example-bucket” S3 bucket, but only if the request originates from an IP address within the range 192.0.2.0/24.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
- AWS S3 Force HTTPS Connection with Bucket Policy
{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}
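To see how the Condition blocks above combine under IAM's evaluation logic (an explicit Deny always wins, and anything not explicitly allowed is implicitly denied), here is an added Python simulator; it is not AWS code and not part of the original page. It models only the IpAddress and Bool operators used on this page, ignores Principal, and the object key in the assertions is constructed.

```python
import fnmatch
import ipaddress
def policy(effect, action, resource, condition):
    # Single-statement policy document in the shape used on this page.
    return {"Version": "2012-10-17", "Statement": [{"Effect": effect,
            "Action": action, "Resource": resource, "Condition": condition}]}

# The page's two example-bucket policies, re-typed as Python dicts.
IP_ALLOW = policy("Allow", "s3:GetObject", "arn:aws:s3:::example-bucket/*",
                  {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}})
HTTPS_ONLY = policy("Deny", "s3:*", ["arn:aws:s3:::example-bucket",
                    "arn:aws:s3:::example-bucket/*"],
                    {"Bool": {"aws:SecureTransport": "false"}})

def _condition_ok(cond, ctx):
    # Models only the page's operators (IpAddress, Bool); a missing context key fails.
    for operator, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            if operator == "IpAddress":
                if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                    return False
            elif operator == "Bool":
                if str(have).lower() != str(want).lower():
                    return False
            else:
                raise NotImplementedError(operator)
    return True

def evaluate(policies, action, resource, ctx):
    """Return 'Allow' or 'Deny'. An explicit Deny beats any Allow; with no
    matching Allow the implicit default is Deny. Principal is not modelled."""
    allowed = False
    for pol in policies:
        for st in pol["Statement"]:
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
            if not any(fnmatch.fnmatchcase(action, a) for a in actions):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
                continue
            if not _condition_ok(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"           # explicit deny short-circuits everything
            allowed = True
    return "Allow" if allowed else "Deny"
```

For real policies, the IAM policy simulator (aws iam simulate-custom-policy) gives the authoritative answer; this toy exists only to make the Deny-wins and missing-key behaviour visible.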
- Top 20 commonly used AWS IAM policy conditions:
aws:CurrentTime - Restricts access based on the current time of day.
aws:SourceIp - Restricts access based on the source IP address of the request.
aws:SourceVpc - Restricts access based on the source VPC ID of the request.
aws:SecureTransport - Restricts access based on whether the request is made over a secure SSL/TLS connection.
aws:UserAgent - Restricts access based on the user agent of the requester.
aws:RequestTag/<tag-key> - Restricts access based on the presence and value of specific tags on the request.
aws:PrincipalTag/<tag-key> - Restricts access based on the presence and value of specific tags on the IAM principal.
aws:MultiFactorAuthPresent - Restricts access based on whether multi-factor authentication is present.
aws:RequestedRegion - Restricts access based on the AWS region of the request.
aws:RequestedAccount - Restricts access based on the AWS account ID of the request.
aws:SourceArn - Restricts access based on the ARN (Amazon Resource Name) of the request.
aws:Service - Restricts access based on the AWS service being accessed.
aws:ArnLike - Restricts access based on the pattern of the ARN (Amazon Resource Name).
aws:PrincipalType - Restricts access based on the type of IAM principal (e.g., User, Role, Group).
aws:SourceAccount - Restricts access based on the AWS account ID of the source.
aws:Referer - Restricts access based on the referer header of the request.
aws:SourceTag - Restricts access based on specific tags present in the request.
aws:IncomingData - Restricts access based on the incoming data size of the request.
aws:RequestTimeEpoch - Restricts access based on the epoch time of the request.