I want to restrict an API key to work only from within my Elastic Beanstalk environment. I tried to use a VPC condition, but this doesn't work, and the docs say it is not always available (so I guess not in EB).
I got it working, to a degree, by using the public IP of one of my test EC2 instances; however, this is no good going forward, as EB will scale.
This is my current key policy, which works with the single IP restriction:
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Allow access for Key Administrators",
            <snip>
        },
        {
            "Sid": "Allow use of the key by EB user",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id>:user/<my eb user>"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceIp": "<my test ec2 public ip>"
                }
            }
        }
    ]
}
How can I do this? Is it actually possible to restrict by VPC or is there some other way to only allow access from within my EB environment?
I guess what you could do is create a public and a private subnet for your VPC. Then add your public resources, such as the load balancer and NAT, to the public subnet. Launch your EC2 instances in the private subnet. Then add the NAT IPs to your condition, like this:
"StringEquals": {
    "aws:SourceIp": ["54.0.0.1", "54.0.0.2"]
}
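As an added example (not part of the question or the answer above), here is a small evaluator that checks a request's source IP against a condition block like the one in the answer. It models the two operators that matter here: `StringEquals`, which IAM compares as plain text and therefore only matches the exact address string, and `IpAddress`, the operator IAM defines for `aws:SourceIp`, which matches against CIDR ranges so a NAT gateway's address or block can be listed once. The `54.0.0.x` addresses are the answer's placeholders, not real NAT addresses.

```python
import ipaddress

# Constructed sample: the answer's condition, rewritten with the IpAddress
# operator so each NAT address (or a whole CIDR) can be listed as a range.
# The 54.0.0.x values are placeholders carried over from the answer.
NAT_CONDITION = {
    "IpAddress": {
        "aws:SourceIp": ["54.0.0.1/32", "54.0.0.2/32"]
    }
}


def matches_condition(condition: dict, source_ip: str) -> bool:
    """Evaluate a condition block on aws:SourceIp for one request.

    Mirrors IAM semantics for the operators modelled here: every operator in
    the block must match (AND across operators), and a single value in a
    list is enough for that operator (OR across values).
    """
    for operator, keys in condition.items():
        values = keys.get("aws:SourceIp", [])
        if isinstance(values, str):
            values = [values]
        if operator == "StringEquals":
            # Plain text comparison: a CIDR such as "54.0.0.0/31" will never
            # equal a concrete address string like "54.0.0.1".
            ok = source_ip in values
        elif operator == "IpAddress":
            addr = ipaddress.ip_address(source_ip)
            ok = any(addr in ipaddress.ip_network(v, strict=False)
                     for v in values)
        else:
            raise ValueError(f"operator not modelled here: {operator}")
        if not ok:
            return False
    return True


if __name__ == "__main__":
    for ip in ("54.0.0.1", "54.0.0.3"):
        print(ip, "allowed" if matches_condition(NAT_CONDITION, ip) else "denied")
```

The evaluator only covers `aws:SourceIp`; a real key policy is evaluated by KMS, and this is a way to sanity-check the condition values before deploying them.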