Even with a "global IP restriction" on the AWS Management Console, login itself cannot be restricted.
What the setting does is grant no permissions after login.
After logging in, nothing such as EC2 instance information is visible.
Note: this controls global (public) IP addresses only. If you specify only local IP ranges (e.g. 192.168.100.0/24), the console reports that the setting is not effective.
Example 1
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SourceIPRestriction",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "xxx.xxx.xxx.xxx/32",
            "yyy.yyy.yyy.yyy/24",
            "zzz.zzz.zzz.zzz/zz"
          ]
        }
      }
    }
  ]
}
Example 2
For handling the problem with Lambda and Secrets Manager: KMS calls these services make on your behalf do not come from your own IP address, so the kms:ViaService condition excludes them from the Deny.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SourceIPRestriction",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "xxx.xxx.xxx.xxx/32",
            "yyy.yyy.yyy.yyy/24",
            "zzz.zzz.zzz.zzz/zz"
          ]
        },
        "StringNotEquals": {
          "kms:ViaService": [
            "secretsmanager.ap-northeast-1.amazonaws.com",
            "lambda.ap-northeast-1.amazonaws.com"
          ]
        }
      }
    }
  ]
}
Attach the IP restriction policy you created to a role, a group, or a user.
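As an added example (not code from the page), a small Python model of how the Deny statement's condition operators combine, built in the shape of example 1 and example 2 above; it shows why a KMS call issued through Secrets Manager is blocked by example 1 but exempted by example 2. The CIDRs, the service-side source address and the request contexts are constructed stand-ins for the page's placeholders.

```python
import ipaddress

# Constructed CIDRs standing in for the page's xxx/yyy/zzz placeholders.
ALLOWED_CIDRS = ["203.0.113.10/32", "198.51.100.0/24"]
VIA_SERVICES = ["secretsmanager.ap-northeast-1.amazonaws.com",
                "lambda.ap-northeast-1.amazonaws.com"]

def ip_restriction_policy(allowed, via_services=None):
    """Example 1 from the page, or example 2 when via_services is given."""
    condition = {"NotIpAddress": {"aws:SourceIp": list(allowed)}}
    if via_services:
        condition["StringNotEquals"] = {"kms:ViaService": list(via_services)}
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "SourceIPRestriction", "Effect": "Deny",
        "Action": "*", "Resource": "*", "Condition": condition}]}

def condition_matches(condition, ctx):
    """All operator blocks are ANDed. Negated operators (NotIpAddress,
    StringNotEquals) still match when the key is absent from the request
    context, which is why such Deny statements catch service-originated calls."""
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                continue  # absent key: the negated operator stays matched
            if operator == "NotIpAddress":
                ip = ipaddress.ip_address(actual)
                if any(ip in ipaddress.ip_network(c) for c in values):
                    return False
            elif operator == "StringNotEquals":
                if actual in values:
                    return False
            else:
                raise ValueError("operator not modelled: " + operator)
    return True

def is_denied(policy, ctx):
    """True if any Deny statement applies (Action/Resource are '*' here)."""
    return any(s["Effect"] == "Deny" and condition_matches(s["Condition"], ctx)
               for s in policy["Statement"])

# Constructed request contexts: a console request from an allowlisted office
# address, and a KMS call made by Secrets Manager on the user's behalf, whose
# source IP (a made-up AWS-side address) falls outside the allowlist.
OFFICE = {"aws:SourceIp": "198.51.100.23"}
VIA_SECRETS = {"aws:SourceIp": "192.0.2.44",
               "kms:ViaService": "secretsmanager.ap-northeast-1.amazonaws.com"}
```

Running `is_denied` over both policies shows example 1 denying VIA_SECRETS while example 2 lets it through, and both denying a request from an address outside the allowlist.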
IAM: Allows IAM users to self-manage an MFA device - AWS Identity and Access Management
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListActions",
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowIndividualUserToListOnlyTheirOwnMFA",
      "Effect": "Allow",
      "Action": [
        "iam:ListMFADevices"
      ],
      "Resource": [
        "arn:aws:iam::*:mfa/*",
        "arn:aws:iam::*:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowIndividualUserToManageTheirOwnMFA",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::*:mfa/${aws:username}",
        "arn:aws:iam::*:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::*:mfa/${aws:username}",
        "arn:aws:iam::*:user/${aws:username}"
      ],
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    },
    {
      "Sid": "BlockMostAccessUnlessSignedInWithMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ListUsers",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
Applying an MFA-required policy to AWS IAM users - Qiita
With this policy, MFA also becomes mandatory when running the CLI.
Use separate accounts for console login and for the CLI.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:CreateVirtualMFADevice",
        "iam:ListMFADevices",
        "iam:GetUser",
        "iam:ChangePassword",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::*:user/${aws:username}",
        "arn:aws:iam::*:mfa/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:ListVirtualMFADevices",
        "iam:GetAccountPasswordPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "NotAction": [
        "iam:ListUsers",
        "iam:ListVirtualMFADevices",
        "iam:ListMFADevices",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:DeleteVirtualMFADevice",
        "iam:CreateVirtualMFADevice",
        "iam:DeactivateMFADevice",
        "iam:ChangePassword",
        "iam:CreateLoginProfile",
        "iam:DeleteLoginProfile",
        "iam:GetLoginProfile",
        "iam:UpdateLoginProfile"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:DeleteVirtualMFADevice",
        "iam:CreateVirtualMFADevice",
        "iam:DeactivateMFADevice",
        "iam:ChangePassword",
        "iam:CreateLoginProfile",
        "iam:DeleteLoginProfile",
        "iam:GetLoginProfile",
        "iam:UpdateLoginProfile"
      ],
      "NotResource": [
        "arn:aws:iam::*:mfa/${aws:username}",
        "arn:aws:iam::*:user/${aws:username}"
      ],
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:Get*",
        "cloudfront:List*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:UpdateDistribution",
        "cloudfront:CreateInvalidation"
      ],
      "Resource": "arn:aws:cloudfront::12345678912345:distribution/AAAAAAAAAAA"
    }
  ]
}
Copyright (c) 2024 クラウドのインフラ技術 All Rights Reserved.