100 Days of AWS — Day 2 — Restricting users to a specific AWS region
To view the complete course, please enroll using the link below (it's free):
https://www.101daysofdevops.com/courses/100-days-of-aws/
Welcome to Day 2 of 100 Days of AWS. The topic for today is restricting users to a specific region.
AWS keeps expanding its infrastructure, and it currently spans 26 geographic regions.
Reference: https://aws.amazon.com/about-aws/global-infrastructure/
You can get the list of AWS regions from the command line:
> aws ec2 describe-regions --output table
---------------------------------------------------------------------------------
|                                DescribeRegions                                |
+-------------------------------------------------------------------------------+
||                                   Regions                                   ||
|+-----------------------------------+-----------------------+-----------------+|
||             Endpoint              |      OptInStatus      |   RegionName    ||
|+-----------------------------------+-----------------------+-----------------+|
||  ec2.eu-north-1.amazonaws.com     |  opt-in-not-required  |  eu-north-1     ||
||  ec2.ap-south-1.amazonaws.com     |  opt-in-not-required  |  ap-south-1     ||
||  ec2.eu-west-3.amazonaws.com      |  opt-in-not-required  |  eu-west-3      ||
||  ec2.eu-west-2.amazonaws.com      |  opt-in-not-required  |  eu-west-2      ||
||  ec2.eu-west-1.amazonaws.com      |  opt-in-not-required  |  eu-west-1      ||
||  ec2.ap-northeast-3.amazonaws.com |  opt-in-not-required  |  ap-northeast-3 ||
||  ec2.ap-northeast-2.amazonaws.com |  opt-in-not-required  |  ap-northeast-2 ||
||  ec2.ap-northeast-1.amazonaws.com |  opt-in-not-required  |  ap-northeast-1 ||
||  ec2.sa-east-1.amazonaws.com      |  opt-in-not-required  |  sa-east-1      ||
||  ec2.ca-central-1.amazonaws.com   |  opt-in-not-required  |  ca-central-1   ||
||  ec2.ap-southeast-1.amazonaws.com |  opt-in-not-required  |  ap-southeast-1 ||
||  ec2.ap-southeast-2.amazonaws.com |  opt-in-not-required  |  ap-southeast-2 ||
||  ec2.eu-central-1.amazonaws.com   |  opt-in-not-required  |  eu-central-1   ||
||  ec2.us-east-1.amazonaws.com      |  opt-in-not-required  |  us-east-1      ||
||  ec2.us-east-2.amazonaws.com      |  opt-in-not-required  |  us-east-2      ||
||  ec2.us-west-1.amazonaws.com      |  opt-in-not-required  |  us-west-1      ||
||  ec2.us-west-2.amazonaws.com      |  opt-in-not-required  |  us-west-2      ||
|+-----------------------------------+-----------------------+-----------------+|
- To get the list of regions for a specific service, such as EC2, you can use boto3:
>>> import boto3
>>> ec2 = boto3.client('ec2')
>>> response = ec2.describe_regions()
>>> print('Regions:', response['Regions'])
Regions: [{'Endpoint': 'ec2.eu-north-1.amazonaws.com', 'RegionName': 'eu-north-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.ap-south-1.amazonaws.com', 'RegionName': 'ap-south-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.eu-west-3.amazonaws.com', 'RegionName': 'eu-west-3', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.eu-west-2.amazonaws.com', 'RegionName': 'eu-west-2', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.eu-west-1.amazonaws.com', 'RegionName': 'eu-west-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.ap-northeast-3.amazonaws.com', 'RegionName': 'ap-northeast-3', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.ap-northeast-2.amazonaws.com', 'RegionName': 'ap-northeast-2', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.ap-northeast-1.amazonaws.com', 'RegionName': 'ap-northeast-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.sa-east-1.amazonaws.com', 'RegionName': 'sa-east-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.ca-central-1.amazonaws.com', 'RegionName': 'ca-central-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.ap-southeast-1.amazonaws.com', 'RegionName': 'ap-southeast-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.ap-southeast-2.amazonaws.com', 'RegionName': 'ap-southeast-2', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.eu-central-1.amazonaws.com', 'RegionName': 'eu-central-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.us-east-1.amazonaws.com', 'RegionName': 'us-east-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.us-east-2.amazonaws.com', 'RegionName': 'us-east-2', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.us-west-1.amazonaws.com', 'RegionName': 'us-west-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.us-west-2.amazonaws.com', 'RegionName': 'us-west-2', 'OptInStatus': 'opt-in-not-required'}]
Now the challenge is that we may not be using every region, or we may want our users to work only in a specific region. The most likely reasons for doing this are:
- Cost: We only want our users to create resources in a specific region. That way we can track the cost of that region, and no resources will be created in any other region.
- Reducing the blast radius: Restricting resources to a specific region helps us reduce the blast radius, and it is important to detect activity in those regions to improve our cloud security posture.
Now let's discuss two scenarios:
- Deactivate unused region endpoints
- Only allow specific services in a region
Deactivate the region
- AWS provides a setting through which you can stop users from obtaining STS credentials for unused regions. To change that setting, go to the IAM console https://us-east-1.console.aws.amazon.com/iam/ , click on Account settings, and you will see an option to Deactivate.
- Let's take the second scenario, where we want only the EC2 and S3 services to be available in us-west-2 (Oregon) and us-east-1 (N. Virginia). This can be achieved using a Service Control Policy (SCP). For more about SCPs, please check the following link: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideOregonandVirginia",
            "Effect": "Deny",
            "NotAction": [
                "ec2:*",
                "s3:*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "us-west-2",
                        "us-east-1"
                    ]
                }
            }
        }
    ]
}
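Before attaching an SCP it is worth checking exactly which action/region combinations it blocks. The following is an added example (not code from the post or its Terraform repo): a small evaluator for the subset of IAM grammar this policy uses (a Deny statement with NotAction and a StringNotEquals condition on aws:RequestedRegion), with the post's policy embedded as a dict and constructed action/region inputs.

```python
import fnmatch

# The SCP from the post, as a Python dict so the evaluator runs offline.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideOregonandVirginia",
        "Effect": "Deny",
        "NotAction": ["ec2:*", "s3:*"],
        "Resource": ["*"],
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-west-2", "us-east-1"]}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # IAM action names are case-insensitive and patterns may use '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _condition_holds(condition, context):
    # Only the string operators needed for region conditions are modelled.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, listed = context.get(key), _as_list(expected)
            if operator == "StringEquals" and actual not in listed:
                return False
            if operator == "StringNotEquals" and actual in listed:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(operator)
    return True

def scp_denies(policy, action, region):
    """True if a Deny statement in `policy` blocks `action` requested in `region`.
    SCPs only remove permissions, so the question is just whether any Deny matches.
    NotAction inverts the action test: the statement covers every action except the listed ones."""
    context = {"aws:RequestedRegion": region}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "NotAction" in stmt:
            hit = not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
        else:
            hit = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
        if hit and _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False
```

Running it shows that, because EC2 and S3 sit in NotAction, the statement never denies them, so they stay usable in every region while every other service is denied outside us-west-2 and us-east-1. Confining EC2 and S3 to the two regions as well would need a second Deny statement without the NotAction exemption.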
This can easily be automated with the help of Terraform. Here is the script: https://github.com/100daysofdevops/100daysofAWS/blob/main/Day2-Allow-Access-to-Specific-Region/main.tf