100 Days of AWS — Day 2 — Restricting users to a specific AWS region

Prashant Lakhera
4 min read · Apr 5, 2022


To view the complete course, enroll using the link below (it's free):

https://www.101daysofdevops.com/courses/100-days-of-aws/

Welcome to Day 2 of 100 Days of AWS. Today's topic is restricting users to a specific region.

AWS keeps expanding its infrastructure; at the time of writing (April 2022) it spans 26 geographic regions.

Reference: https://aws.amazon.com/about-aws/global-infrastructure/

You can get the list of regions enabled for your account from the command line:

> aws ec2 describe-regions --output table
---------------------------------------------------------------------------------
|                                DescribeRegions                                |
+-------------------------------------------------------------------------------+
||                                   Regions                                   ||
|+-----------------------------------+-----------------------+-----------------+|
||             Endpoint              |      OptInStatus      |   RegionName    ||
|+-----------------------------------+-----------------------+-----------------+|
||  ec2.eu-north-1.amazonaws.com     |  opt-in-not-required  |  eu-north-1     ||
||  ec2.ap-south-1.amazonaws.com     |  opt-in-not-required  |  ap-south-1     ||
||  ec2.eu-west-3.amazonaws.com      |  opt-in-not-required  |  eu-west-3      ||
||  ec2.eu-west-2.amazonaws.com      |  opt-in-not-required  |  eu-west-2      ||
||  ec2.eu-west-1.amazonaws.com      |  opt-in-not-required  |  eu-west-1      ||
||  ec2.ap-northeast-3.amazonaws.com |  opt-in-not-required  |  ap-northeast-3 ||
||  ec2.ap-northeast-2.amazonaws.com |  opt-in-not-required  |  ap-northeast-2 ||
||  ec2.ap-northeast-1.amazonaws.com |  opt-in-not-required  |  ap-northeast-1 ||
||  ec2.sa-east-1.amazonaws.com      |  opt-in-not-required  |  sa-east-1      ||
||  ec2.ca-central-1.amazonaws.com   |  opt-in-not-required  |  ca-central-1   ||
||  ec2.ap-southeast-1.amazonaws.com |  opt-in-not-required  |  ap-southeast-1 ||
||  ec2.ap-southeast-2.amazonaws.com |  opt-in-not-required  |  ap-southeast-2 ||
||  ec2.eu-central-1.amazonaws.com   |  opt-in-not-required  |  eu-central-1   ||
||  ec2.us-east-1.amazonaws.com      |  opt-in-not-required  |  us-east-1      ||
||  ec2.us-east-2.amazonaws.com      |  opt-in-not-required  |  us-east-2      ||
||  ec2.us-west-1.amazonaws.com      |  opt-in-not-required  |  us-west-1      ||
||  ec2.us-west-2.amazonaws.com      |  opt-in-not-required  |  us-west-2      ||
|+-----------------------------------+-----------------------+-----------------+|
  • To get the same list from Python with boto3 (describe_regions is an EC2 API call; it returns the regions enabled for your account, and AllRegions=True also includes opt-in regions you have not enabled):
>>> import boto3
>>> ec2 = boto3.client('ec2')
>>> response = ec2.describe_regions()
>>> print('Regions:', response['Regions'])
Regions: [{'Endpoint': 'ec2.eu-north-1.amazonaws.com', 'RegionName': 'eu-north-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.ap-south-1.amazonaws.com', 'RegionName': 'ap-south-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.eu-west-3.amazonaws.com', 'RegionName': 'eu-west-3', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.eu-west-2.amazonaws.com', 'RegionName': 'eu-west-2', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.eu-west-1.amazonaws.com', 'RegionName': 'eu-west-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.ap-northeast-3.amazonaws.com', 'RegionName': 'ap-northeast-3', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.ap-northeast-2.amazonaws.com', 'RegionName': 'ap-northeast-2', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.ap-northeast-1.amazonaws.com', 'RegionName': 'ap-northeast-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.sa-east-1.amazonaws.com', 'RegionName': 'sa-east-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.ca-central-1.amazonaws.com', 'RegionName': 'ca-central-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.ap-southeast-1.amazonaws.com', 'RegionName': 'ap-southeast-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.ap-southeast-2.amazonaws.com', 'RegionName': 'ap-southeast-2', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.eu-central-1.amazonaws.com', 'RegionName': 'eu-central-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.us-east-1.amazonaws.com', 'RegionName': 'us-east-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.us-east-2.amazonaws.com', 'RegionName': 'us-east-2', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.us-west-1.amazonaws.com', 'RegionName': 'us-west-1', 'OptInStatus': 'opt-in-not-required'}, {'Endpoint': 'ec2.us-west-2.amazonaws.com', 'RegionName': 'us-west-2', 'OptInStatus': 'opt-in-not-required'}]

Now, what if we do not use most of these regions, or want our users confined to specific ones? The most common reasons for doing this are:

  • Cost: we want resources created only in the chosen regions, so spend is easy to attribute per region and nothing is quietly running in a region nobody looks at.
  • Reducing the blast radius: a compromised credential can only act in the allowed regions, and we only need to watch for activity in those regions, which improves our cloud security posture.

Now let's discuss two scenarios:

  • Deactivate unused STS region endpoints
  • Only allow specific services in specific regions

Deactivate unused STS region endpoints

  • AWS lets you deactivate the regional STS endpoints of regions you do not use, so nobody can request temporary credentials from those endpoints. To change the setting, go to the IAM console https://us-east-1.console.aws.amazon.com/iam/ , click Account settings, find the region in the Security Token Service (STS) section and choose Deactivate. Two caveats: the global endpoint (sts.amazonaws.com) cannot be deactivated, and temporary credentials obtained from any active endpoint remain valid in every enabled region, so this setting shrinks your STS attack surface but does not by itself block API calls to the deactivated region. For that you need an IAM policy.

Only allow specific services in specific regions

  • The policy below denies every action except ec2:* and s3:* whenever aws:RequestedRegion is anything other than us-west-2 (Oregon) or us-east-1 (N. Virginia). Read NotAction carefully: the two listed services are exempt from the Deny, so as written EC2 and S3 calls are still permitted in every region while every other service is fenced in. If EC2 and S3 should be fenced in as well, list the global services that must keep working in NotAction instead (AWS's documented example of this pattern exempts cloudfront:*, iam:*, route53:* and support:*); global services such as IAM answer from a single endpoint that reports as us-east-1, so a fence that does not include us-east-1 would otherwise lock you out of them. Remember that a Deny only blocks: the user still needs an Allow for the services and regions you do want to permit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideOregonandVirginia",
      "Effect": "Deny",
      "NotAction": [
        "ec2:*",
        "s3:*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-west-2",
            "us-east-1"
          ]
        }
      }
    }
  ]
}

This can easily be automated with Terraform. Here is the script: https://github.com/100daysofdevops/100daysofAWS/blob/main/Day2-Allow-Access-to-Specific-Region/main.tf
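Before attaching a region fence like the one above, it helps to check offline what the Deny statement actually covers. The script below is an added example, not code from the post or from the 100daysofAWS repository. It re-implements only the slice of IAM evaluation this statement uses (Effect=Deny, Action/NotAction with wildcards, StringNotEquals on aws:RequestedRegion) and evaluates a constructed set of requests against two policies: the statement from the post, and a variant that keeps EC2 and S3 inside the fence and exempts global services instead. The list of global services in the variant and the sample requests are assumptions made for the illustration.

```python
import fnmatch

# The statement from the post above: EC2 and S3 sit in NotAction, so the Deny
# never applies to them, whatever region they target.
POST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideOregonandVirginia",
        "Effect": "Deny",
        "NotAction": ["ec2:*", "s3:*"],
        "Resource": ["*"],
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": ["us-west-2", "us-east-1"]}
        },
    }],
}

# Variant that keeps EC2 and S3 inside the region fence and exempts global
# services instead, following the shape of AWS's documented example. Which
# global services to exempt is an assumption made for this illustration.
STRICT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideOregonandVirginia",
        "Effect": "Deny",
        "NotAction": ["cloudfront:*", "iam:*", "route53:*", "support:*"],
        "Resource": ["*"],
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": ["us-west-2", "us-east-1"]}
        },
    }],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_denied(policy, action, region):
    """True if some Deny statement in `policy` applies to (action, region).

    Models only what this statement uses: Effect=Deny, Action/NotAction,
    Resource "*", and StringNotEquals on aws:RequestedRegion. An absent
    Deny does not mean the call succeeds: a matching Allow is still needed.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            if not _action_matches(_as_list(stmt["Action"]), action):
                continue
        elif "NotAction" in stmt:
            # NotAction: the statement applies to every action EXCEPT these.
            if _action_matches(_as_list(stmt["NotAction"]), action):
                continue
        allowed = (stmt.get("Condition", {})
                   .get("StringNotEquals", {})
                   .get("aws:RequestedRegion"))
        if allowed is not None and region in _as_list(allowed):
            continue  # request is inside the fence, so the condition is not met
        return True
    return False


# Constructed sample requests: (action, value of aws:RequestedRegion).
REQUESTS = [
    ("ec2:RunInstances", "eu-west-1"),
    ("s3:CreateBucket", "ap-south-1"),
    ("lambda:CreateFunction", "eu-west-1"),
    ("lambda:CreateFunction", "us-west-2"),
    ("iam:CreateUser", "us-east-1"),
]


def compare(requests=REQUESTS):
    """Map "action@region" to (denied by POST_POLICY, denied by STRICT_POLICY)."""
    return {
        f"{action}@{region}": (is_denied(POST_POLICY, action, region),
                               is_denied(STRICT_POLICY, action, region))
        for action, region in requests
    }


if __name__ == "__main__":
    for req, (post, strict) in compare().items():
        print(f"{req:35} post-policy denied={post!s:5}  strict denied={strict}")
```

Running it shows the difference in one glance: ec2:RunInstances in eu-west-1 and s3:CreateBucket in ap-south-1 are not denied by the post's statement but are denied by the strict variant, lambda:CreateFunction in eu-west-1 is denied by both, and calls inside the fence (us-west-2, us-east-1) are denied by neither. Use the same idea with the real evaluator (the IAM policy simulator) before rolling the policy out, since this script deliberately ignores Allows, other condition operators and resource ARNs.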

Prashant Lakhera

AWS Community Builder, Ex-Redhat, Author, Blogger, YouTuber, RHCA, RHCDS, RHCE, Docker Certified,4XAWS, CCNA, MCP, Certified Jenkins, Terraform Certified, 1XGCP