
AWS policy to restrict all resources creation in one region and readonly in other regions


I am trying to create a policy in AWS that restricts users to one region for creating resources, while in the other regions they should have read-only access. I am able to restrict them to one region using the deny policy below. But now the complication is providing users with read-only access to all locations.

I am new to AWS policies and struggling with this.

The current policy I use for restricting them to one location is

{
    "Version": "2012-10-17",  
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "eu-east-2"
                    ]
                }
            }
        }
    ]
}

Can anybody throw some light on this?


Solution

  • You will not be able to do it using your deny policy. The reason being that AWS access management first looks for any Deny policy.

    The easiest way to accomplish this is the following:

    1. Give the user or role global read only access by attaching the AWS policy ReadOnlyAccess.
    2. Then modify your policy to grant full access to the region you want.
    {
        "Version": "2012-10-17",  
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:RequestedRegion": [
                            "eu-east-2"
                        ]
                    }
                }
            }
        ]
    }
    

    A couple of things to note

    1. The policy basically gives admin-level privileges. If you want to provide less access, use one of the AWS managed policies as a reference and apply the Region condition to all of the statements.
    2. For some global actions the region is us-east-1. Read up on that in the aws:RequestedRegion section of IAM Reference Policy Conditions. You might need to add a couple of extra actions to your policy to get everything working correctly.
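An added example, not part of the question or the answer: a small offline model of the IAM evaluation order the answer relies on (an explicit Deny is checked first and wins over any Allow; with no matching Allow the request is implicitly denied). It evaluates the two policies from this page plus a much smaller stand-in for the managed ReadOnlyAccess policy (the stand-in and the region value are assumptions, copied from the page as posted), so you can see why the Deny-only policy blocks reads elsewhere and how the ReadOnlyAccess + region-scoped Allow combination behaves.

```python
import fnmatch

# Constructed policies. The region value copies the question as posted.
DENY_OUTSIDE_REGION = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-east-2"]}}}]}

ALLOW_IN_REGION = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": ["eu-east-2"]}}}]}

# Hypothetical stand-in for the AWS managed ReadOnlyAccess policy (the real one
# lists many more actions); read-style actions only, in every region.
READ_ONLY_STANDIN = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["*:Describe*", "*:Get*", "*:List*"],
    "Resource": "*"}]}


def _action_matches(patterns, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, context):
    """Only StringEquals / StringNotEquals are modelled. As in IAM, a missing
    context key fails StringEquals and satisfies StringNotEquals."""
    for op, pairs in condition.items():
        for key, values in pairs.items():
            present = key in context and context[key] in values
            if op == "StringEquals" and not present:
                return False
            if op == "StringNotEquals" and present:
                return False
    return True


def evaluate(policies, action, region):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for one request.
    Matching Deny statements are checked before any Allow."""
    context = {"aws:RequestedRegion": region}
    matches = [s for p in policies for s in p["Statement"]
               if _action_matches(s["Action"], action)
               and _condition_holds(s.get("Condition", {}), context)]
    if any(s["Effect"] == "Deny" for s in matches):
        return "explicitDeny"
    if any(s["Effect"] == "Allow" for s in matches):
        return "allowed"
    return "implicitDeny"
```

The Deny-only policy returns explicitDeny for ec2:DescribeInstances in us-east-1, which is the read access the question wants to keep; the ReadOnlyAccess stand-in plus the region-scoped Allow returns allowed for that read, allowed for ec2:RunInstances in eu-east-2, and implicitDeny for ec2:RunInstances anywhere else.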