IP address restrictions to what set of addresses? Is this to prevent use by public IPs? Need to make sure it doesn't break AWS-based access (via S3 endpoints, EC2, Lambda, etc.).
IP address restriction is tricky. Assigning IAM permissions with a policy condition that grants "allows" based on source CIDR block breaks things that are executed on the user's behalf by AWS on the backend. This would apply at a user policy level and relate to S3 permissions for specific bucket(s). This approach is unmanageable because the whitelist would be huge and subject to change because AWS CIDR blocks would have to be included.
The other approach would put a conditional on sts:AssumeRole that the source IP address is coming from Census.
The optimal approach may be to limit bucket API calls to source Census addresses from within the bucket policy that would apply to anyone accessing the bucket.
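
As an added illustration of the bucket-policy approach in the comment above (not code from this thread or project): a simplified Python model of a bucket-policy Deny keyed on `aws:SourceIp`, with and without carve-outs for `aws:SourceVpce` and `aws:ViaAWSService`. The bucket name, CIDR, endpoint ID and request contexts are constructed placeholders.

```python
import ipaddress

# Placeholders: the thread names no bucket, CIDR or endpoint ID.
ALLOWED_CIDRS = ["192.0.2.0/24"]   # stands in for the approved egress range
ALLOWED_VPCE = ["vpce-0example"]   # stands in for an approved S3 VPC endpoint
# Condition of a bucket-policy Deny that checks only the source IP.
NAIVE = {"NotIpAddress": {"aws:SourceIp": ALLOWED_CIDRS}}
# Same Deny with carve-outs; every operator in the block must match (AND).
SCOPED = {
    "NotIpAddress": {"aws:SourceIp": ALLOWED_CIDRS},
    "StringNotEquals": {"aws:SourceVpce": ALLOWED_VPCE},
    "Bool": {"aws:ViaAWSService": "false"},
}

def bucket_policy(condition, bucket="example-bucket"):
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsideApprovedNetworks", "Effect": "Deny",
        "Principal": "*", "Action": "s3:*",
        "Resource": [arn, arn + "/*"], "Condition": condition}]}

def deny_applies(condition, ctx):
    """Simplified model of the three operators used here, not a full IAM evaluator."""
    for op, keys in condition.items():
        for key, want in keys.items():
            have = ctx.get(key)
            if op == "NotIpAddress":   # negated operators match when the key is absent
                ok = have is None or not any(
                    ipaddress.ip_address(have) in ipaddress.ip_network(c) for c in want)
            elif op == "StringNotEquals":
                ok = have is None or have not in want
            else:                      # "Bool": key must be present and equal
                ok = have == want
            if not ok:
                return False
    return True

# Constructed request contexts; aws:SourceIp is absent on VPC endpoint traffic.
REQUESTS = {
    "public internet": {"aws:SourceIp": "203.0.113.10", "aws:ViaAWSService": "false"},
    "approved range": {"aws:SourceIp": "192.0.2.15", "aws:ViaAWSService": "false"},
    "approved endpoint": {"aws:SourceVpce": "vpce-0example", "aws:ViaAWSService": "false"},
    "other endpoint": {"aws:SourceVpce": "vpce-0other", "aws:ViaAWSService": "false"},
    "service on behalf": {"aws:SourceIp": "198.51.100.7", "aws:ViaAWSService": "true"},
}

if __name__ == "__main__":
    for name, ctx in REQUESTS.items():
        print(f"{name:18} naive={deny_applies(NAIVE, ctx)} scoped={deny_applies(SCOPED, ctx)}")
```

The IP-only condition denies the approved VPC endpoint and the on-behalf service call, which is the breakage both posts above are concerned about; `aws:ViaAWSService` covers only calls made with the caller's own credentials, so a function or instance using its own role from outside the approved range or endpoint is still denied.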