Add support for IP address condition on session policies #137
Description
I am a diligent, security-conscious user of AWS. On my on-prem instances, I use IAM Roles Anywhere instead of long-lived credentials to reduce the risk of credential exposure.
There is still a risk that someone obtains the session credentials and uses them until they expire. I want to add an IAM Condition to my IAM policies that restricts IAM Actions to my server's IP address, as documented here. While IAM policies support this, there doesn't appear to be any way to achieve this with IAM Roles Anywhere. This is the feature request.
This could be done in a way specific to IP address condition, or more broadly to support arbitrary variables or even inline session policy like sts:AssumeRole already does. My opinion is that the specific way is best, for two reasons. First, you can add support for IP address condition without any changes to credential helper. Second, you can eliminate the additional problem of obtaining the IP address that AWS sees. For on-prem instances with multiple public IP addresses and custom IP routing tables, the best way to know which IP address AWS would see is to ask AWS itself what address it sees from the instance.
I propose solving this problem by adding a new IAM policy variable, specific to IAM Roles Anywhere, such as aws:sessionOriginIp. IAM Roles Anywhere already has all the information it needs to start populating this variable without any action required from the customer. Once IAM Roles Anywhere starts populating this variable, customers can update their IAM policies like this:
```json
"Statement": {
  "Effect": "Allow",
  "Action": [...],
  "Condition": {
    "IpAddress": {
      "aws:SourceIp": "${aws:sessionOriginIp}"
    }
  }
}
```
(Caveat: IAM documentation says that policy variables cannot be used for IP addresses, so you'd need to get past that hurdle. I hope it's not a big hurdle.)
Lastly, the aws:SourceIp condition key supports IP addresses in CIDR format. IAM Roles Anywhere customers may want to take advantage of this, as they may be sharing session credentials with a fleet of instances on their network. To support this, you could add a parameter to credential helper that allows specifying the desired CIDR prefix size or subnet mask, with the default being /32 (host only).
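As an added example, not code from the issue or from the credential helper, here is a Python helper that turns the origin address a credential helper would learn from AWS into an aws:SourceIp condition with the proposed host-only default (/32) and an optional wider CIDR prefix, plus an offline check of which request addresses that condition would admit. It also handles IPv6 origins (host-only /128), which goes slightly beyond the issue's IPv4 wording; the function names and the sample addresses are hypothetical.

```python
import ipaddress
from typing import Optional


def session_source_ip_condition(origin_ip: str, prefix_len: Optional[int] = None) -> dict:
    """Build the IAM Condition block pinning a statement to the session's origin.

    origin_ip is the address AWS reports seeing for the instance. prefix_len
    widens the match to a subnet; None means host-only (/32 for IPv4, /128 for
    IPv6), the default the issue proposes.
    """
    addr = ipaddress.ip_address(origin_ip)
    if prefix_len is None:
        prefix_len = addr.max_prefixlen
    if not 0 <= prefix_len <= addr.max_prefixlen:
        raise ValueError(f"prefix length {prefix_len} is invalid for {origin_ip}")
    # strict=False clears the host bits so the resulting CIDR is well-formed.
    network = ipaddress.ip_network(f"{origin_ip}/{prefix_len}", strict=False)
    # aws:SourceIp accepts both IPv4 and IPv6 CIDR notation.
    return {"IpAddress": {"aws:SourceIp": str(network)}}


def statement_with_origin(actions: list, resource: str, origin_ip: str,
                          prefix_len: Optional[int] = None) -> dict:
    """Wrap the condition in a complete, valid IAM policy document."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": actions,
            "Resource": resource,
            "Condition": session_source_ip_condition(origin_ip, prefix_len),
        }],
    }


def request_matches(condition: dict, request_ip: str) -> bool:
    """Offline check: would a request from request_ip satisfy the condition?

    A mixed-version comparison (IPv6 request against an IPv4 CIDR) is False,
    so stolen credentials replayed from another address family are rejected too.
    """
    cidr = condition["IpAddress"]["aws:SourceIp"]
    return ipaddress.ip_address(request_ip) in ipaddress.ip_network(cidr)


if __name__ == "__main__":
    # Constructed sample: the on-prem host as AWS sees it, shared with its /24.
    policy = statement_with_origin(["s3:GetObject"], "arn:aws:s3:::example-bucket/*",
                                   "203.0.113.7", prefix_len=24)
    print(policy["Statement"][0]["Condition"])  # {'IpAddress': {'aws:SourceIp': '203.0.113.0/24'}}
```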