If you want to restrict access to instances or load balancers on EC2 to specific IP bands, you can use Security Groups or ACLs. However, if you want to restrict access to other APIs provided by AWS based on IP, you cannot use Security Groups or ACLs.
For example, let’s say you want to restrict APIs that access the Parameter Store in AWS System Manager and read data based on IP. First, let’s check the default policy for the Parameter Store. You can find it by going to “AWS IAM -> Policies”.
There is a policy called AmazonSSMReadOnlyAccess. The policy details are as follows
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:Describe*",
"ssm:Get*",
"ssm:List*"
],
"Resource": "*"
}
]
}
We only need to add an IP-based condition here. Once you have copied the detailed JSON value of the default policy AmazonSSMReadOnlyAccess, let’s create a new policy.
Go to “AWS IAM -> Policies -> Create Policy” and you will be presented with a visual editor and a JSON input field to create a policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:Describe*",
"ssm:Get*",
"ssm:List*"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"{IP_ADDRESS_TO_ALLOW}"
]
}
}
}
]
}
The difference compared to the default condition we first saw is the addition of the “Condition” part. {IP_ADDRESS_TO_ALLOW} part with the IPs you want to allow as appropriate. However, if you are requesting AWS APIs, you should not set a private IP band because in most cases the SOURCE IP will be taken as an external IP.
If you set up a policy in this way and apply it to a specific account, the account will only be able to access the IP band that you set up. In the example, we used “Allow”, but if you replace “Allow” with “Deny” and “IpAddress” with “NotIpAddress”, it will work the same way. If Allow and Deny exist for the same resource and action in an IAM policy, Deny will take precedence.