2
votes

Overview: Users will be logging into a Windows EC2 instance directly from their source IP, and the source IP tends to change often.

Current State: We have provided IAM users access to modify/create/delete security groups.

Need: Users have an option to add wide-open security group rules, which expose unnecessary vulnerabilities. Is there a way to restrict users from adding wide-open inbound access (0.0.0.0) to security group rules, or restrict them to adding only their own source IP to the inbound rule of the security group?

My initial findings: I checked the IAM docs and didn't find any way to achieve this. Is there any better workaround to achieve this rather than getting an alert/notification after they have added a wide-open security group rule?

1
If I were you, I would set up a Client VPN. Users need to connect to the VPN first before logging into the EC2 instance. The SG only needs a rule to allow the IP of the VPN. (jellycsc)
If you don't want to set up a VPN, you might be able to allow them to connect to the EC2 instances via AWS Systems Manager Session Manager. (jellycsc)
I don't think it's possible to do this with an IAM policy. I would not give the users any IAM permissions at all, and instead provide a custom API via API Gateway + Lambda that updates the security groups, which would give you full control over what they can do. (Mark B)

1 Answer

0
votes

Unfortunately you've combined two separate things: who can configure security groups (which is managed by IAM permissions), and how security groups are configured (which is up to EC2). You can't do what you've asked for in IAM alone.

This example on the AWS blog shows how you can use Systems Manager to remediate security groups automatically. It's possible that AWS Firewall Manager can help too, but I haven't used it myself.
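As an added illustration of the remediation approach the answer points to (this is not the answer author's code or the AWS blog's), the function below takes a security group in the shape returned by boto3's `ec2.describe_security_groups()` and picks out only the 0.0.0.0/0 and ::/0 inbound ranges, producing an `IpPermissions` list that can be handed straight to `ec2.revoke_security_group_ingress()` so a user's own /32 on the same port is left intact. The group ID and the sample security group are constructed for the example; no AWS call is made.

```python
"""Find wide-open inbound rules in an EC2 security group and build the
payload that would revoke just those ranges (leaves narrow CIDRs alone)."""
import ipaddress
from typing import Any, Dict, List


def is_wide_open(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0, or any CIDR with a prefix length of 0."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # malformed value: not our concern here


def find_open_ingress(sg: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return an IpPermissions list holding only the wide-open ranges of
    each inbound rule, in the form revoke_security_group_ingress() expects."""
    offending = []
    for perm in sg.get("IpPermissions", []):
        v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if is_wide_open(r["CidrIp"])]
        v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if is_wide_open(r["CidrIpv6"])]
        if not (v4 or v6):
            continue
        entry: Dict[str, Any] = {"IpProtocol": perm["IpProtocol"]}
        # "-1" (all traffic) rules carry no port fields; copy them only if present.
        for key in ("FromPort", "ToPort"):
            if key in perm:
                entry[key] = perm[key]
        if v4:
            entry["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        offending.append(entry)
    return offending


# Constructed sample (not a real group): RDP open to one user's /32 plus the
# world, an all-traffic rule open to all of IPv6, and one clean HTTPS rule.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    bad = find_open_ingress(SAMPLE_SG)
    print(bad)  # with boto3: ec2.revoke_security_group_ingress(GroupId=SAMPLE_SG["GroupId"], IpPermissions=bad)
```

Run from a Lambda on the `AuthorizeSecurityGroupIngress` CloudTrail event via EventBridge, this gives the automatic remediation the answer describes; the user's /32 on port 3389 survives because only the 0.0.0.0/0 range is named in the revoke payload.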