
Frequently used IAM policy examples



Use case: restrict the AWS Management Console by public IP address (restriction by private IP is not possible)

A "public IP restriction" on the AWS Management Console cannot block sign-in itself: the sign-in page is not governed by IAM policies.
What it does is leave the user with no usable permissions after sign-in: every API call from outside the listed addresses hits an explicit Deny.
After signing in from a non-listed address the user therefore sees nothing at all, not even EC2 instance information.

Note: only public (global) IP addresses can be used. aws:SourceIp is the address from which AWS sees the request arrive, so if you list only a private range (e.g. 192.168.100.0/24) the condition never matches and the policy is reported as not effective.

Creating the policy

Policy name used here: AllowAssumeRoleWithSourceIPRestriction (despite the name, the policy consists of a single Deny statement)

Example 1

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SourceIPRestriction",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "xxx.xxx.xxx.xxx/32",
                        "yyy.yyy.yyy.yyy/24",
                        "zzz.zzz.zzz.zzz/zz"
                    ]
                }
            }
        }
    ]
}

Example 2
Variant for the Lambda / Secrets Manager problem. Example 1 also denies the KMS calls that Secrets Manager and Lambda make with the caller's permissions, because those requests do not carry the caller's source IP and NotIpAddress evaluates to true when aws:SourceIp is absent. Example 2 exempts requests that reach KMS through those two services by checking kms:ViaService. A more general alternative from the AWS documentation is to add the aws:ViaAWSService condition key, set to false, to the Deny, which exempts every request an AWS service makes on the caller's behalf rather than only KMS calls from two named services.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SourceIPRestriction",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "xxx.xxx.xxx.xxx/32",
                        "yyy.yyy.yyy.yyy/24",
                        "zzz.zzz.zzz.zzz/zz"
                    ]
                },
                "StringNotEquals": {
                    "kms:ViaService": [
                        "secretsmanager.ap-northeast-1.amazonaws.com",
                        "lambda.ap-northeast-1.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

Attaching the IP restriction policy

Attach the policy you created to a role, group, or user. Because it is an explicit Deny, it overrides any Allow the principal has from other policies.


Use case: allow IAM users to self-manage their MFA device

IAM: Allows IAM users to self-manage an MFA device - AWS Identity and Access Management
This is the policy from the AWS documentation. The last statement denies everything except the MFA setup actions until the user has signed in with MFA; the ${aws:username} variable in the Resource ARNs is what keeps each user from touching anyone else's MFA device.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListActions",
            "Effect": "Allow",
            "Action": [
                "iam:ListUsers",
                "iam:ListVirtualMFADevices"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowIndividualUserToListOnlyTheirOwnMFA",
            "Effect": "Allow",
            "Action": [
                "iam:ListMFADevices"
            ],
            "Resource": [
                "arn:aws:iam::*:mfa/*",
                "arn:aws:iam::*:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowIndividualUserToManageTheirOwnMFA",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::*:mfa/${aws:username}",
                "arn:aws:iam::*:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::*:mfa/${aws:username}",
                "arn:aws:iam::*:user/${aws:username}"
            ],
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        },
        {
            "Sid": "BlockMostAccessUnlessSignedInWithMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ListUsers",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}


Use case: require MFA

Applying an MFA-required policy to AWS IAM users - Qiita
With this policy MFA is also required when calling the CLI, because the Deny uses BoolIfExists and so fires for plain access-key requests, where aws:MultiFactorAuthPresent is absent.
Use separate IAM users for console sign-in and for the CLI. Alternatively, keep a single user and have CLI callers obtain MFA-backed temporary credentials with sts:GetSessionToken; for that to work, sts:GetSessionToken must be added to the NotAction list of the first Deny below, since otherwise the access key cannot call it.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:CreateVirtualMFADevice",
                "iam:ListMFADevices",
                "iam:GetUser",
                "iam:ChangePassword",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::*:user/${aws:username}",
                "arn:aws:iam::*:mfa/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "iam:ListUsers",
                "iam:ListVirtualMFADevices",
                "iam:GetAccountPasswordPolicy"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "NotAction": [
                "iam:ListUsers",
                "iam:ListVirtualMFADevices",
                "iam:ListMFADevices",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:CreateVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:ChangePassword",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:CreateVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:ChangePassword",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "NotResource": [
                "arn:aws:iam::*:mfa/${aws:username}",
                "arn:aws:iam::*:user/${aws:username}"
            ],
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
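The IP restriction policies (examples 1 and 2) and both MFA policies above all hinge on how IAM treats a condition key that is absent from the request context. The following Python evaluator is an added illustration, not code from this page or from AWS: it models just enough of IAM's evaluation rules (explicit Deny wins, negated and ...IfExists operators match when the key is missing, ${aws:username} substitution in Resource ARNs) to show why example 1 blocks requests that arrive without aws:SourceIp, why example 2's kms:ViaService exemption lets them through, and why the MFA policies use BoolIfExists rather than Bool. The address range 203.0.113.0/24, the user name alice, the account ID 123456789012, the ALLOW_ALL stand-in for the user's normal permissions and the request contexts are all constructed for the demo.

```python
"""Toy IAM policy evaluator for the condition operators used on this page.

Added illustration, not AWS code and not the real policy engine. Modeled rules:
explicit Deny wins and no matching Allow is an implicit deny; operators in one
Condition are ANDed, values under one key are ORed; a key missing from the
request context makes plain operators false, negated operators true, and
...IfExists operators true.
"""
import fnmatch
import ipaddress
import re


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_ok(operator, key, values, ctx):
    """Evaluate one operator/key pair against the request context."""
    if_exists = operator.endswith("IfExists")
    base = operator[:-len("IfExists")] if if_exists else operator
    if key not in ctx:  # the absent-key rule is what the page's examples hinge on
        return if_exists or base in ("NotIpAddress", "StringNotEquals")
    actual, values = ctx[key], _as_list(values)
    if base in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(actual)
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
        return hit if base == "IpAddress" else not hit
    if base in ("StringEquals", "StringNotEquals"):
        return (actual in values) == (base == "StringEquals")
    if base == "Bool":
        return str(actual).lower() in [str(v).lower() for v in values]
    raise ValueError(f"operator not modeled: {operator}")


def _pattern_hit(patterns, value, ctx):
    """Action/Resource matching with * wildcards and ${aws:username}-style variables."""
    def expand(p):
        return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), p)
    return any(fnmatch.fnmatchcase(value, expand(p)) for p in _as_list(patterns))


def _applies(stmt, action, resource, ctx):
    """True when the statement covers this action, resource and context."""
    for field, value in (("Action", action), ("Resource", resource)):
        neg = "Not" + field  # NotAction / NotResource invert the match
        if neg in stmt:
            if _pattern_hit(stmt[neg], value, ctx):
                return False
        elif not _pattern_hit(stmt[field], value, ctx):
            return False
    return all(_condition_ok(op, k, v, ctx)
               for op, kv in stmt.get("Condition", {}).items() for k, v in kv.items())


def evaluate(statements, action, resource, ctx):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request."""
    decision = "implicit deny"
    for stmt in statements:
        if _applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            decision = "allow"
    return decision


# The page's policies, condensed. 203.0.113.0/24 stands in for the xxx/yyy/zzz
# placeholders and ALLOW_ALL for the user's normal permissions (both assumptions).
ALLOW_ALL = {"Effect": "Allow", "Action": "*", "Resource": "*"}
IP_DENY = {"Effect": "Deny", "Action": "*", "Resource": "*",
           "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}
IP_DENY_VIA = {"Effect": "Deny", "Action": "*", "Resource": "*",
               "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                             "StringNotEquals": {"kms:ViaService": [
                                 "secretsmanager.ap-northeast-1.amazonaws.com",
                                 "lambda.ap-northeast-1.amazonaws.com"]}}}
MFA_DENY = {"Effect": "Deny", "NotAction": ["iam:ListMFADevices", "iam:EnableMFADevice"],
            "Resource": "*", "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
MFA_DENY_BOOL = dict(MFA_DENY, Condition={"Bool": {"aws:MultiFactorAuthPresent": "false"}})
OWN_MFA = {"Effect": "Allow", "Action": "iam:EnableMFADevice",
           "Resource": ["arn:aws:iam::*:mfa/${aws:username}", "arn:aws:iam::*:user/${aws:username}"]}


def ip_restriction_demo():
    """Example 1 vs example 2 under constructed request contexts."""
    office = {"aws:SourceIp": "203.0.113.10"}
    elsewhere = {"aws:SourceIp": "198.51.100.7"}
    # Modeled: a KMS call that Secrets Manager makes on the caller's behalf
    # carries kms:ViaService but no caller aws:SourceIp.
    via_sm = {"kms:ViaService": "secretsmanager.ap-northeast-1.amazonaws.com"}
    return {
        "office": evaluate([ALLOW_ALL, IP_DENY], "ec2:DescribeInstances", "*", office),
        "elsewhere": evaluate([ALLOW_ALL, IP_DENY], "ec2:DescribeInstances", "*", elsewhere),
        "via_sm_ex1": evaluate([ALLOW_ALL, IP_DENY], "kms:Decrypt", "*", via_sm),
        "via_sm_ex2": evaluate([ALLOW_ALL, IP_DENY_VIA], "kms:Decrypt", "*", via_sm),
    }


def mfa_demo():
    """Why the MFA policies use BoolIfExists, and how ${aws:username} scopes the Allow."""
    access_key = {"aws:username": "alice"}  # long-term key: MultiFactorAuthPresent is absent
    mfa_session = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}
    own, other = "arn:aws:iam::123456789012:mfa/alice", "arn:aws:iam::123456789012:mfa/bob"
    return {
        "key_bool": evaluate([ALLOW_ALL, MFA_DENY_BOOL], "s3:ListAllMyBuckets", "*", access_key),
        "key_boolifexists": evaluate([ALLOW_ALL, MFA_DENY], "s3:ListAllMyBuckets", "*", access_key),
        "mfa_session": evaluate([ALLOW_ALL, MFA_DENY], "s3:ListAllMyBuckets", "*", mfa_session),
        "own_mfa": evaluate([OWN_MFA, MFA_DENY], "iam:EnableMFADevice", own, access_key),
        "other_mfa": evaluate([OWN_MFA, MFA_DENY], "iam:EnableMFADevice", other, access_key),
    }
```

Call ip_restriction_demo() and mfa_demo() to see both result dictionaries. The absent-key behaviour is the whole story: a Bool condition on aws:MultiFactorAuthPresent never fires for a plain access-key request, because that key is only present for temporary credentials, so MFA_DENY_BOOL lets the access key through and only BoolIfExists closes the hole. Conversely the negated NotIpAddress fires for every request that lacks aws:SourceIp, which is exactly why the blanket Deny of example 1 breaks calls a service makes on the caller's behalf, and why example 2 has to exempt them explicitly.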


Use case: create an IAM user for viewing invoices

https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/tutorial_billing.html


Use case: allow cache invalidation (Invalidation) on one specific CloudFront distribution only

The Get*/List* statement on "*" is what lets the user find the distribution in the console. Note that the second statement also grants cloudfront:UpdateDistribution on that distribution, which lets the user change its origins and behaviors, not just purge its cache; drop it if invalidation is all that is needed. The account ID and distribution ID below are placeholders.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:Get*",
                "cloudfront:List*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:UpdateDistribution",
                "cloudfront:CreateInvalidation"
            ],
            "Resource": "arn:aws:cloudfront::123456789012:distribution/AAAAAAAAAAA"
        }
    ]
}