AWS管理コンソールへのグローバルIP制限といっても、ログインを制限することはできません。
ログイン後に何も権限を与えないことができる設定になります。
ログイン後にEC2のインスタンス情報など何も見えなくなる設定です。
※グローバルIPだけの制御になります。ローカルIP(例:192.168.100.0/24)のみにすると有効ではないとでます。
例1
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SourceIPRestriction",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"xxx.xxx.xxx.xxx/32",
"yyy.yyy.yyy.yyy/24",
"zzz.zzz.zzz.zzz/zz"
]
}
}
}
]
}
例2
LambdaやSecrets Managerの問題に対応する場合
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SourceIPRestriction",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"xxx.xxx.xxx.xxx/32",
"yyy.yyy.yyy.yyy/24",
"zzz.zzz.zzz.zzz/zz"
]
},
"StringNotEquals": {
"kms:ViaService": [
"secretsmanager.ap-northeast-1.amazonaws.com",
"lambda.ap-northeast-1.amazonaws.com"
]
}
}
}
]
}
作成したIP制限ポリシーをロールかグループかユーザに割り当てます。
IAM: IAM ユーザーに MFA デバイスの自己管理を許可する - AWS Identity and Access Management
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListActions",
"Effect": "Allow",
"Action": [
"iam:ListUsers",
"iam:ListVirtualMFADevices"
],
"Resource": "*"
},
{
"Sid": "AllowIndividualUserToListOnlyTheirOwnMFA",
"Effect": "Allow",
"Action": [
"iam:ListMFADevices"
],
"Resource": [
"arn:aws:iam::*:mfa/*",
"arn:aws:iam::*:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToManageTheirOwnMFA",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice"
],
"Resource": [
"arn:aws:iam::*:mfa/${aws:username}",
"arn:aws:iam::*:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": [
"arn:aws:iam::*:mfa/${aws:username}",
"arn:aws:iam::*:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "BlockMostAccessUnlessSignedInWithMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ListUsers",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
AWS IAMユーザにMFA必須ポリシーを当てる - Qiita
CLIを叩くときにもMFAを使わないといけなくなってしまいます。
コンソールログインとCLI用のアカウントを分けましょう。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:CreateVirtualMFADevice",
"iam:ListMFADevices",
"iam:GetUser",
"iam:ChangePassword",
"iam:DeleteVirtualMFADevice"
],
"Resource": [
"arn:aws:iam::*:user/${aws:username}",
"arn:aws:iam::*:mfa/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"iam:ListUsers",
"iam:ListVirtualMFADevices",
"iam:GetAccountPasswordPolicy"
],
"Resource": "*"
},
{
"Effect": "Deny",
"NotAction": [
"iam:ListUsers",
"iam:ListVirtualMFADevices",
"iam:ListMFADevices",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:CreateVirtualMFADevice",
"iam:DeactivateMFADevice",
"iam:ChangePassword",
"iam:CreateLoginProfile",
"iam:DeleteLoginProfile",
"iam:GetLoginProfile",
"iam:UpdateLoginProfile"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
},
{
"Effect": "Deny",
"Action": [
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:CreateVirtualMFADevice",
"iam:DeactivateMFADevice",
"iam:ChangePassword",
"iam:CreateLoginProfile",
"iam:DeleteLoginProfile",
"iam:GetLoginProfile",
"iam:UpdateLoginProfile"
],
"NotResource": [
"arn:aws:iam::*:mfa/${aws:username}",
"arn:aws:iam::*:user/${aws:username}"
],
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudfront:Get*",
"cloudfront:List*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudfront:UpdateDistribution",
"cloudfront:CreateInvalidation"
],
"Resource": "arn:aws:cloudfront::12345678912345:distributiion/AAAAAAAAAAA"
}
]
}