
How to implement policies that limit where EC2 instance credentials can be used

Today AWS launched two new global condition context keys that make it simpler for you to write policies in which Amazon Elastic Compute Cloud (Amazon EC2) instance credentials work only when used on the instance to which they are issued. These new condition keys are available today in all AWS Regions, as well as AWS GovCloud and China partitions.

 <p>Using these new condition keys, you can write <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html" target="_blank" rel="noopener">service control policies (SCPs)</a> or <a href="https://aws.amazon.com/iam/" target="_blank" rel="noopener">AWS Identity and Access Management (IAM)</a> policies that restrict the virtual private clouds (VPCs) and private IP addresses from which your EC2 instance credentials can be used, without hard-coding VPC IDs or IP addresses in the policy. Previously, you had to list specific VPC IDs and IP addresses in the policy if you wanted to use it to restrict where EC2 credentials were used. With this new approach, you can use less policy space and reduce the time spent on updates when your list of VPCs and network ranges changes.</p> <p>In this blog post, we will show you how to use these new condition keys in an SCP and a resource policy to help ensure that the IAM role credentials assigned to your EC2 instances can only be used from the instances to which they were issued.</p> <h2>New global condition keys</h2> <p>The two new condition keys are as follows:</p> <ul> <li><span>aws:EC2InstanceSourceVPC</span> — This single-valued condition key contains the VPC ID to which an EC2 instance is deployed.</li> <li><span>aws:EC2InstanceSourcePrivateIPv4</span> — This single-valued condition key contains the primary IPv4 address of an EC2 instance.</li> </ul> <p>These new conditions are available only for use with credentials issued to an EC2 instance. You don’t have to make configuration changes to activate the new condition keys.</p> <p>Let’s start by reviewing some existing IAM conditions and how to combine them with the new conditions. 
When requests are made to an AWS service over a <a href="https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html" target="_blank" rel="noopener">VPC endpoint,</a> the value of the <span>aws:SourceVpc</span> condition key is the ID of the VPC into which the endpoint is deployed. The value of the <span>aws:VpcSourceIp</span> condition key is the private IP address from which the endpoint receives the request. The <span>aws:SourceVpc</span> and <span>aws:VpcSourceIp</span> keys are not present (null) when requests are made through AWS public service endpoints. These condition keys relate to dynamic properties of the network path by which your <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html" target="_blank" rel="noopener">AWS Signature Version 4-signed</a> request reached the API endpoint. For a list of AWS services that support VPC endpoints, see <a href="https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html" target="_blank" rel="noopener">AWS services that integrate with AWS PrivateLink</a>.</p> <p>The two new condition keys relate to dynamic properties of the EC2 role credential itself. By combining the two new credential-relative condition keys with the existing network-path-relative <span>aws:SourceVpc</span> and <span>aws:VpcSourceIp</span> condition keys, you can create SCPs to help ensure that credentials for EC2 instances are only used from the EC2 instances to which they were issued. 
By writing policies that compare the two sets of dynamic values, you can configure your environment such that requests signed with an EC2 instance credential are denied if they are used anywhere other than the EC2 instance to which they were issued.</p> <h2>Policy examples</h2> <p>In the following SCP example, access is denied if the value of <span>aws:SourceVpc</span> is not equal to the value of <span>aws:ec2InstanceSourceVPC</span>, or if the value of <span>aws:VpcSourceIp</span> is not equal to the value of <span>aws:ec2InstanceSourcePrivateIPv4</span>. The policy uses <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-viaawsservice" target="_blank" rel="noopener">aws:ViaAWSService</a> to allow certain AWS services to take action on your behalf when they use your role’s identity to call other services, such as when <a href="https://aws.amazon.com/athena/" target="_blank" rel="noopener">Amazon Athena</a> queries <a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener">Amazon Simple Storage Service (Amazon S3)</a>. Because <span>aws:SourceVpc</span> and <span>aws:VpcSourceIp</span> are present only for requests that arrive through a VPC endpoint, calls that an instance makes through a public service endpoint also match the deny; the NotAction example later in this post shows how to exempt services that you do not reach through VPC endpoints.</p> <div class="hide-language"> <pre class="unlimited-height-code"><code class="lang-text">{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ec2InstanceSourceVPC": "${aws:SourceVpc}"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ec2InstanceSourcePrivateIPv4": "${aws:VpcSourceIp}"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}</code></pre></div>

<p>Because we encase <span>aws:SourceVpc</span> and <span>aws:VpcSourceIp</span> in “${}” in these policies, they are treated as a <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html" target="_blank" rel="noopener">policy variable that takes its value from the request being made</a>. In the IAM policy language, the condition key on the left side of a comparison is always resolved from the request context, while a key on the right side is treated as a literal string unless it is explicitly declared as a variable. The <span>“Null”</span> operator on the <a href="https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-policy-keys" target="_blank" rel="noopener">ec2:SourceInstanceARN condition key</a> ensures that this policy applies only to EC2 instance roles, and not to roles used for other purposes, such as those used by <a href="https://aws.amazon.com/lambda/" target="_blank" rel="noopener">AWS Lambda</a> functions.</p> <p>The two deny statements in this example form a logical “or”: a request from a different VPC or from a different IP address results in a deny. Functionally, they act as an “and”: to be allowed, a request must satisfy both the VPC-based and the IP-based conditions, because failure of either denies the call. Because VPC IDs are globally unique values, it’s reasonable to use the VPC-based condition without the private IP condition, with the understanding that this confines the credentials to the VPC rather than to the individual instance. However, you should avoid evaluating only the private IP condition without also evaluating the VPC condition. Private IP addresses can be the same across different environments, so <span>aws:ec2InstanceSourcePrivateIPv4</span> is safe to use only in conjunction with the VPC-based condition.</p> <blockquote> <p><strong>Note</strong>: SCPs do not grant IAM permissions; they only remove them. Thus, you must permit your EC2 instances to use AWS services by using IAM policies associated with their roles. 
For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow" target="_blank" rel="noopener">Determining whether a request is allowed or denied within an account</a>.</p> </blockquote> <p>If you have specific EC2 instance roles that you want to exclude from the statement, you can apply exception logic through tags or role names.</p> <p>The following example applies to roles used as EC2 instance roles, except those with a tag of <span>exception-to-vpc-ip</span> whose value is equal to <span>true</span>, by using the <span>aws:PrincipalTag</span> condition key. The three condition operators (<span>StringNotEquals</span>, <span>Null</span>, and <span>BoolIfExists</span>) in the same condition block are evaluated with a logical AND, as are the two keys inside the <span>StringNotEquals</span> block, so if any one of the tests evaluates to false, the deny statement doesn’t apply. Hence, EC2 instance roles with a principal tag of <span>exception-to-vpc-ip</span> equal to <span>true</span> are not subject to this SCP. Roles that lack the tag entirely remain subject to it, because <span>StringNotEquals</span> evaluates to true when its key is absent from the request context.</p> <div class="hide-language"> <pre class="unlimited-height-code"><code class="lang-text">{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ec2InstanceSourceVPC": "${aws:SourceVpc}",
          "aws:PrincipalTag/exception-to-vpc-ip": "true"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ec2InstanceSourcePrivateIPv4": "${aws:VpcSourceIp}",
          "aws:PrincipalTag/exception-to-vpc-ip": "true"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}</code></pre></div>

You can apply exception logic to many attributes of your IAM roles. For instance, you can use the aws:PrincipalArn condition key to exempt certain roles based on their AWS account or role name. You can also limit where this SCP is applied within your AWS Organizations organization: SCPs can be attached directly to accounts, to organizational units (OUs), or to the organization root. For more information about inheritance when applying SCPs in Organizations, see Understanding policy inheritance.

You can also apply exception logic in your SCP statements at the level of the IAM Action. The following example policy restricts an EC2 instance's credentials to use only from the instance from which they were issued, except for calls to IAM, by using a NotAction element. Use this exception logic for AWS services that don't have a VPC endpoint, or that you don't want to access through VPC endpoints: because aws:SourceVpc and aws:VpcSourceIp are absent for requests that don't traverse a VPC endpoint, calls to such services would otherwise always be denied.

<div class="hide-language"> <pre class="unlimited-height-code"><code class="lang-text">{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "NotAction": "iam:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ec2InstanceSourceVPC": "${aws:SourceVpc}"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        }
      }
    },
    {
      "Effect": "Deny",
      "NotAction": "iam:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ec2InstanceSourcePrivateIPv4": "${aws:VpcSourceIp}"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}</code></pre></div>
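The three SCP examples above (the base policy, the tag exception, and the NotAction variant) all rest on how IAM combines StringNotEquals, Null and BoolIfExists with ${} policy variables. The following script is an added example, not code from the AWS post: a small evaluator that builds those SCPs and runs them against constructed request contexts, so you can see which calls each variant denies before you attach anything to an organization. The VPC ID, private IP, instance ARN and tag values are placeholders, and the operator semantics (absent keys, unresolved variables) are modelled on IAM's documented behaviour rather than taken from a real policy simulation.

```python
"""Toy evaluator for the 'EC2 credentials stay on their instance' SCP pattern.
Added example, not code from the AWS post; it models only what the post's policies
use (StringNotEquals, Null, BoolIfExists, ${} variables, Action/NotAction globs)."""
import fnmatch
import re

_VAR = re.compile(r"^\$\{([^}]+)\}$")


def build_scp(exception_tag=None, not_action=None):
    """Two Deny statements, each comparing a credential-relative key with a network-path
    variable. exception_tag exempts roles tagged <tag>=true; not_action (e.g. "iam:*")
    exempts services that are reached through public endpoints."""
    statements = []
    for cred_key, path_var in (("aws:ec2InstanceSourceVPC", "${aws:SourceVpc}"),
                               ("aws:ec2InstanceSourcePrivateIPv4", "${aws:VpcSourceIp}")):
        not_equals = {cred_key: path_var}
        if exception_tag:
            not_equals[f"aws:PrincipalTag/{exception_tag}"] = "true"
        stmt = {"Effect": "Deny", "Resource": "*",
                "Condition": {"StringNotEquals": not_equals,
                              "Null": {"ec2:SourceInstanceARN": "false"},
                              "BoolIfExists": {"aws:ViaAWSService": "false"}}}
        stmt["NotAction" if not_action else "Action"] = not_action or "*"
        statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}


def _resolve(value, ctx):
    """Expand a ${key} policy variable; None when the key is absent from the context."""
    m = _VAR.match(value)
    return ctx.get(m.group(1).lower()) if m else value


def _condition_true(operator, pairs, ctx):
    """Evaluate one operator block; several keys under one operator are ANDed."""
    for key, expected in pairs.items():
        actual, expected = ctx.get(key.lower()), _resolve(expected, ctx)
        if operator == "StringNotEquals":
            # Negated operator: an absent key or an unresolved variable never "equals", so
            # the Deny keeps matching (untagged roles stay covered, public-endpoint calls deny).
            if actual is not None and expected is not None and actual == expected:
                return False
        elif operator == "Null":
            # "false" requires the key to be present, "true" requires it to be absent.
            if (actual is None) != (expected == "true"):
                return False
        elif operator == "BoolIfExists":
            # An absent key passes; a present key must equal the expected boolean.
            if actual is not None and actual.lower() != expected.lower():
                return False
        else:
            raise ValueError(f"operator not modelled: {operator}")
    return True


def _action_in_scope(stmt, action):
    """Glob match on Action; NotAction inverts the match."""
    if "NotAction" in stmt:
        return not fnmatch.fnmatchcase(action, stmt["NotAction"])
    return fnmatch.fnmatchcase(action, stmt["Action"])


def scp_denies(policy, action, request_ctx):
    """True if any Deny statement matches. SCPs never grant, so False still
    needs an Allow in the role's own IAM policy before the call succeeds."""
    ctx = {k.lower(): v for k, v in request_ctx.items()}
    return any(stmt["Effect"] == "Deny" and _action_in_scope(stmt, action)
               and all(_condition_true(op, pairs, ctx) for op, pairs in stmt["Condition"].items())
               for stmt in policy["Statement"])


# Constructed placeholders for the instance that was issued the credentials.
INSTANCE_VPC, INSTANCE_IP = "vpc-0a1b2c3d4e5f67890", "10.0.1.25"
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"


def ec2_request(source_vpc=INSTANCE_VPC, source_ip=INSTANCE_IP, via_endpoint=True,
                via_service=None, tags=None, instance_role=True):
    """Request context as IAM sees it. The credential-relative keys exist only for EC2
    instance credentials; aws:SourceVpc and aws:VpcSourceIp only via a VPC endpoint."""
    ctx = {}
    if instance_role:  # a Lambda execution role, for example, carries none of these
        ctx.update({"aws:EC2InstanceSourceVPC": INSTANCE_VPC,
                    "aws:EC2InstanceSourcePrivateIPv4": INSTANCE_IP,
                    "ec2:SourceInstanceARN": INSTANCE_ARN})
    if via_endpoint:
        ctx["aws:SourceVpc"], ctx["aws:VpcSourceIp"] = source_vpc, source_ip
    if via_service is not None:
        ctx["aws:ViaAWSService"] = "true" if via_service else "false"
    for key, value in (tags or {}).items():
        ctx[f"aws:PrincipalTag/{key}"] = value
    return ctx


if __name__ == "__main__":
    replayed = ec2_request(source_vpc="vpc-0ffffffffffffffff", source_ip="172.16.5.9")
    for label, ctx in (("same instance", ec2_request()), ("replayed elsewhere", replayed),
                       ("public endpoint", ec2_request(via_endpoint=False))):
        print(label, "DENY" if scp_denies(build_scp(), "s3:GetObject", ctx) else "not denied")
```

Two results are worth dwelling on: a neighbour instance in the same VPC is denied only by the IP statement, which is why the VPC condition alone pins credentials to a VPC rather than to an instance; and a public-endpoint call is denied by the base policy but passes the NotAction variant only for the exempted service prefix.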

Because these new condition keys are global condition keys, you can use them in all relevant AWS policy types, such as the following resource policy for an S3 bucket. When using this as a bucket policy, replace the DOC-EXAMPLE-BUCKET placeholder with the name of your S3 bucket. Although the Principal is a wildcard, the Null condition on ec2:SourceInstanceARN keeps the deny scoped to EC2 instance credentials, so other principals that your bucket policy allows are unaffected.

<div class="hide-language"> <pre class="unlimited-height-code"><code class="lang-text">{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Principal": { "AWS": "*" },
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:ec2InstanceSourceVPC": "${aws:SourceVpc}"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "*",
      "Principal": { "AWS": "*" },
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:ec2InstanceSourcePrivateIPv4": "${aws:VpcSourceIp}"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}</code></pre></div>

This policy restricts access to your S3 bucket to EC2 instance roles that are used only from the instances to which they were issued. Like the previous policy examples, the two deny statements form a logical “or” but a functional “and”: a request must come from the same VPC and the same IP address as the instance to which the credentials were issued, or else it evaluates to a deny.

Conclusion

In this blog post, you learned about the newly launched aws:ec2InstanceSourceVPC and aws:ec2InstanceSourcePrivateIPv4 condition keys. You also learned how to use them with SCPs and resource policies to restrict the use of your EC2 instance roles to the instances from which they originated when requests are made over VPC endpoints. Because these new condition keys are global condition keys, you can use them in all supported AWS policy types. These new condition keys are available now in all Regions, as well as the AWS GovCloud and China partitions.

If you have questions, comments, or concerns, contact AWS Support or start a new thread on the AWS Identity and Access Management or Compute re:Post.

If you have feedback about this post, please leave it in the Comments section below.
