
Expected networks - AWS Management Console

Expected networks

With AWS Management Console Private Access, you can enforce that users access the AWS Management Console only from approved networks, such as your VPCs or on-premises data centers connected through Direct Connect or AWS Site-to-Site VPN. This prevents access from unexpected locations even when users have valid credentials.

To enforce these network controls, you use three types of policies:

  • IAM identity-based policies – Attached to identities (users, groups of users, or roles). Limit which AWS services users can access from a given network. Evaluated when the authenticated session calls AWS services.

  • Resource-based policies – Attached to specific AWS resources (such as Amazon S3 buckets and AWS KMS keys). Limit access to those resources by network. Evaluated when a session calls the resource.

  • AWS Sign-In resource-based policies (RBPs) and resource control policies (RCPs) – Limit which networks can be used to sign in to the AWS Management Console itself. Evaluated during the sign-in flow.

These policies are complementary and work together. IAM identity-based policies and resource-based policies apply to all access methods, including the AWS Management Console, AWS CLI, and SDKs, and control which resources a principal can reach after authentication. AWS Sign-In RBPs and RCPs apply only to console sign-in itself – they can prevent unauthorized sign-in attempts, but they do not restrict the resources an authenticated session can access.

Restrict service access using aws:SourceVpc

You can restrict service access by network using the aws:SourceVpc condition key. It works in both IAM identity-based policies (attached to users, groups of users, or roles) and resource-based policies (attached to AWS resources such as Amazon S3 buckets or AWS KMS keys). For AWS Management Console Private Access, aws:SourceVpc is the recommended condition key for restricting service access by network. The following example shows an identity-based policy that denies access to Amazon Simple Storage Service (Amazon S3) unless the request originates from your specified VPC. Because the condition uses StringNotEqualsIfExists, the Deny also applies when aws:SourceVpc is absent from the request context, which is the case for requests that reach Amazon S3 through its public endpoint rather than through a VPC endpoint. The aws:ViaAwsService condition exempts requests that an AWS service makes on your behalf with your credentials, so those service-to-service calls are not blocked.

JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:SourceVpc": "vpc-12345678"
        },
        "Bool": {
          "aws:ViaAwsService": "false"
        }
      }
    }
  ]
}

How AWS Management Console Private Access works with aws:SourceVpce

This section describes the network paths that requests generated by the AWS Management Console can take to AWS services. AWS service consoles use a mix of direct browser requests and requests that are proxied by the AWS Management Console web servers to AWS services. These implementations are subject to change without notice. If your security requirements include access to AWS services using VPC endpoints, we recommend that you configure VPC endpoints for all of the services that you intend to use from the VPC, whether directly from the CLI or an IDE or through AWS Management Console Private Access. We also recommend using the aws:SourceVpc IAM condition key in your policies rather than specific aws:SourceVpce values with the AWS Management Console Private Access feature: direct and proxied console requests arrive through different VPC endpoints, and which path a given console uses can change, whereas the VPC ID stays the same.

After a user signs in to the AWS Management Console, the console makes requests to AWS services through a combination of direct browser requests and requests that are proxied by the AWS Management Console web servers to AWS services. For example, CloudWatch graph data requests are made directly from the browser, whereas some service console requests, such as those made by the Amazon S3 console, are proxied by the web server to Amazon S3.

For direct browser requests, using AWS Management Console Private Access does not change anything. As before, the request reaches the service through whatever network path the VPC has configured to reach monitoring.region.amazonaws.com. If the VPC is configured with a VPC endpoint for com.amazonaws.region.monitoring, the request reaches CloudWatch through that CloudWatch VPC endpoint. If there is no VPC endpoint for CloudWatch, the request reaches CloudWatch at its public endpoint, by way of an internet gateway on the VPC. Requests that arrive at CloudWatch through the CloudWatch VPC endpoint have the aws:SourceVpc and aws:SourceVpce condition keys set to their respective values. Those that reach CloudWatch through its public endpoint have aws:SourceIp set to the public IP address the request arrives from, and aws:SourceVpc and aws:SourceVpce are not present in the request context. For more information about these condition keys, see Global condition keys in the IAM User Guide.

For requests that are proxied by the AWS Management Console web server, such as the request that the Amazon S3 console makes to list your buckets when you visit the Amazon S3 console, the network path is different. These requests aren't initiated from your VPC, but rather from the AWS Management Console web server, and therefore don't use the Amazon S3 VPC endpoint you may have configured. However, when you use AWS Management Console Private Access with supported services, these requests (for example, to Amazon S3) will include the aws:SourceVpc condition key in their request context. The aws:SourceVpc condition key will be set to the VPC ID where your AWS Management Console Private Access endpoints for sign-in and console are deployed. The aws:SourceVpce condition will be set to the respective console VPC endpoint ID.

Note

If your users require access to services that aren't supported by AWS PrivateLink, those requests reach the service at its public endpoint rather than through a VPC endpoint, so aws:SourceVpc is not set for them and a policy that checks only aws:SourceVpc denies them. In that case, you must also include a list of your expected public network addresses (such as your on-premises network range) using the aws:SourceIp condition key in the users' identity-based policies.
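The policy in the example above and the network paths described in this section are easiest to reason about by evaluating them against concrete request contexts. The following added example, which is not AWS code and not part of the original page, is a small, deliberately partial model of IAM condition evaluation: it implements only the operators used here (StringEquals/StringNotEquals, IpAddress/NotIpAddress and Bool, each with and without the IfExists suffix), ignores Allow statements, and asks one question per request: does this explicit Deny fire? It evaluates both the page's aws:SourceVpc-only policy and a variant that follows the note above by also accepting an expected public range through aws:SourceIp. The VPC ID, endpoint IDs, IP addresses and the on-premises range are constructed placeholders, and the request contexts are constructed to mirror the paths described above (aws:SourceIp is omitted for VPC-endpoint paths, aws:SourceVpc for public-endpoint paths).

```python
"""Model of how the network conditions on this page evaluate against sample
request contexts.  Added example, not AWS code: covers only the operators used
here (String*, IpAddress/NotIpAddress, Bool, with or without IfExists) and
ignores Allow statements, so is_denied() answers one question: does this
explicit Deny fire?  All IDs, addresses and ranges below are constructed."""
import fnmatch
import ipaddress

EXPECTED_VPC = "vpc-12345678"          # placeholder VPC ID, as on the page
ON_PREM_RANGES = ["203.0.113.0/24"]    # constructed on-premises range (RFC 5737)

# The page's policy: deny S3 unless the request carries the expected VPC.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Action": "s3:*", "Resource": "*",
        "Condition": {
            "StringNotEqualsIfExists": {"aws:SourceVpc": EXPECTED_VPC},
            "Bool": {"aws:ViaAwsService": "false"},
        },
    }],
}

# Variant following the note above: also accept requests that reach the public
# endpoint from the expected on-premises range (aws:SourceVpc is absent there).
POLICY_WITH_SOURCE_IP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Action": "s3:*", "Resource": "*",
        "Condition": {
            "StringNotEqualsIfExists": {"aws:SourceVpc": EXPECTED_VPC},
            "NotIpAddressIfExists": {"aws:SourceIp": ON_PREM_RANGES},
            "Bool": {"aws:ViaAwsService": "false"},
        },
    }],
}

# Constructed request contexts, one per network path described on this page.
CONTEXTS = {
    "expected_vpc_endpoint": {"aws:SourceVpc": EXPECTED_VPC, "aws:SourceVpce": "vpce-0abc1234",
                              "aws:ViaAwsService": "false"},
    "other_vpc_endpoint":    {"aws:SourceVpc": "vpc-87654321", "aws:SourceVpce": "vpce-0def5678",
                              "aws:ViaAwsService": "false"},
    "on_prem_public":        {"aws:SourceIp": "203.0.113.10", "aws:ViaAwsService": "false"},
    "unexpected_public":     {"aws:SourceIp": "198.51.100.7", "aws:ViaAwsService": "false"},
    "via_aws_service":       {"aws:SourceIp": "198.51.100.7", "aws:ViaAwsService": "true"},
}


def _matches(operator, expected, actual):
    """One policy value (or list of values) against one request-context value."""
    values = expected if isinstance(expected, list) else [expected]
    if operator in ("StringEquals", "StringNotEquals"):
        hit = actual in values
        return hit if operator == "StringEquals" else not hit
    if operator in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
        return hit if operator == "IpAddress" else not hit
    if operator == "Bool":
        return actual.lower() == str(values[0]).lower()
    raise ValueError(f"operator not modelled: {operator}")


def condition_holds(condition, context):
    """A Condition block is the AND of all its operator/key pairs.  A key that is
    absent from the request context makes its pair True under an ...IfExists
    operator and False otherwise; the page's policy relies on that edge case."""
    for op_name, pairs in condition.items():
        if_exists = op_name.endswith("IfExists")
        operator = op_name[:-len("IfExists")] if if_exists else op_name
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            if not _matches(operator, expected, context[key]):
                return False
    return True


def is_denied(policy, context, action="s3:ListAllMyBuckets"):
    """True if any Deny statement matches the action and its condition holds."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue  # IAM action names match case-insensitively
        if condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


def evaluate_all(policy=POLICY_WITH_SOURCE_IP, contexts=CONTEXTS):
    """Map each constructed request context to whether the policy denies it."""
    return {name: is_denied(policy, ctx) for name, ctx in contexts.items()}


if __name__ == "__main__":
    for label, policy in (("page policy", PAGE_POLICY), ("with aws:SourceIp", POLICY_WITH_SOURCE_IP)):
        print(label)
        for name, denied in evaluate_all(policy).items():
            print(f"  {name:22s} {'DENY' if denied else 'not denied'}")
```

Running it shows the difference the note above is about: with the page's policy, the on-premises request that arrives at the public endpoint is denied, because aws:SourceVpc is absent and the IfExists operator then evaluates to true; with the aws:SourceIp variant it is allowed, while a request from an unexpected public address or from another VPC's endpoint is still denied, and a request made by an AWS service on the principal's behalf is exempted by aws:ViaAwsService in both cases.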

Restrict console access using AWS Sign-In policies

AWS Sign-In resource-based policies (RBPs) apply to individual AWS accounts. Resource control policies (RCPs) apply organization-wide through AWS Organizations. Both deny console sign-in when the request does not originate from your specified IP ranges or VPCs.

To configure AWS Sign-In RBPs and RCPs, see Controlling console access with resource-based policies and resource control policies in the AWS Sign-In User Guide.