27

We run a number of AWS services in the eu-west-1 region. Unfortunately it seems that a lot of our developers and other employees who need to create temporary resources forget about this aspect of AWS and don't select this region before launching EC2 instances, creating S3 buckets, etc. As a result they often end up in the us-east-1 region since that appears to be the default that AWS always uses.

Is there any way through IAM (or some other way) to restrict user accounts to only launch/create things within a specific region?

Bruce P

9 Answers

25

Unfortunately you can't do this globally. However, for each AWS product that supports it, you typically can limit access to a certain region.

For instance, for EC2, you can do the following:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": "*",
    "Condition": {
      "StringEquals": {
        "ec2:Region": "us-west-1"
      }
    }
  }]
}

Of course, you'd need to issue a deny rule as well where appropriate.

Here's the documentation for the above.

EEAA

17

Use something like this. This example restricts access to two AWS regions. Modify as needed.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {
        "aws:RequestedRegion": [
          "eu-central-1",
          "eu-west-1"
        ]
      }
    }
  }]
}
sandstrom
  • With the new `aws:RequestedRegion`, this is the answer that is now most relevant – chizou Sep 08 '18 at 21:23
  • Thank you, with this policy you can use the default AWS available policies and only attach this one inline and you effectively restrict any services. – lkraider Feb 05 '19 at 23:23
9

Since April 25th 2018, AWS has a global resource aws:RequestedRegion you can use to limit the regions a user can send requests to. This is independent of the service being regional or not, so you can apply it to all services.

AWS Security Blog

Unfortunately you can't use this in an organization's Service Control Policy to apply it to an account globally, and you must attach the policy to every single principal and audit that this is so, if you want to lock an account to certain regions.

Tim
jaferrando
  • You can now use aws:RequestedRegion for Service Control Policies. For example: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html#example-scp-deny-region – Blueriver Mar 26 '20 at 15:38
4

The accepted answer on this thread gave a syntax error on the policy. The following worked for me:

{
  "Statement": [
    {
      "Sid": "Stmt1375943389569",
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Region": "eu-central-1"
        }
      }
    }
  ]
}

PUG
3

If you ask only for EC2 actions, then yes, you can limit it as mentioned in other responses. If it's other services, I am not sure you can do it... e.g. AWS Lambda does not seem to have a lambda:region you can add to a condition.

nanodgb
0

From the FAQ for AWS IAM:

Q: Can users be defined regionally? Not initially. Users are global entities, like an AWS Account is today. No region is required to be specified when defining user permissions. Users are able to use AWS services in any geographic region.

mtak
    Wow. What a poorly written answer from Amazon. "Not initially." Does that imply that it can be done after the account is created? Does that mean AWS couldn't when it was first launched but it can now? "No region is required to be specified when defining user permissions." I didn't ask if it was required. I asked if it was possible to do so. "users are able to use AWS services in any geographic region." Apparently not any more based on what EEAA posted above. The "condition" statement in IAM lets you restrict some services by region. Thanks just the same. – Bruce P Apr 15 '14 at 18:05
  • 1
    @BruceP - it's not a poor answer. It's perfectly fine. **Users** are global. **User privileges** can be restricted. – EEAA Apr 16 '14 at 00:06
0

I found this to work better (it allows launching/stopping/terminating/etc.) to grant a user full EC2 access in only one region; every other region shows an error during any attempted access.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:Region": "us-east-1"
                }
            }
        }
    ]
}
Al Joslin
0

This one works for me. I tried to create a policy with the JSON given in the accepted answer, but it does not work for me.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "ec2:*",
        "Effect": "Allow",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "ec2:Region": [
                    "us-east-1"
                ]
            }
        }
    }]
}
Andrew Schulman
Pranav Kumar
0

That's the current solution - using "eu-west-1":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "eu-west-1"
        }
      }
    }
  ]
}
Xtigyro
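To see how the two approaches in this thread differ in practice, here is an added example (not code from the thread or from AWS): a deliberately small model of IAM evaluation that runs sandstrom's Deny-on-`aws:RequestedRegion` policy and an `Action: "*"` policy gated on `ec2:Region` (as in Al Joslin's answer) against sample requests. It assumes IAM's documented ordering (explicit deny wins, otherwise default deny) and that a condition key absent from the request fails `StringEquals`.

```python
import fnmatch

# Added example, not code from the thread or from AWS: a minimal model of
# IAM policy evaluation covering only what the answers above use (Effect,
# Action globs, StringEquals/StringNotEquals on ec2:Region and
# aws:RequestedRegion). Resource is assumed to be "*" and is not modelled.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, context):
    """A key missing from the request context fails StringEquals and
    satisfies StringNotEquals (IAM's behaviour without ...IfExists)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            hit = context.get(key) in _as_list(expected)
            if operator == "StringEquals" and not hit:
                return False
            if operator == "StringNotEquals" and hit:
                return False
    return True

def _statement_applies(stmt, action, context):
    patterns = _as_list(stmt["Action"])
    if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)

def evaluate(policies, action, region):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    ec2:Region is present only for EC2 calls; aws:RequestedRegion for all."""
    context = {"aws:RequestedRegion": region}
    if action.startswith("ec2:"):
        context["ec2:Region"] = region
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_applies(stmt, action, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit deny always wins
                decision = "Allow"
    return decision

# Policies from the thread, transcribed as dicts (constructed test input).
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_OUTSIDE_EU = {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]}}}]}
STAR_WITH_EC2_REGION = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*",
    "Condition": {"StringEquals": {"ec2:Region": "us-east-1"}}}]}
```

The `ec2:Region` variant grants nothing outside EC2 even with `Action: "*"`, because the key is absent on every other service's requests; the `aws:RequestedRegion` Deny works across services and only needs to be attached alongside the normal Allow policies.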