Desktop and Application Streaming

Limit access to stream Amazon AppStream 2.0 applications to your IP ranges

Amazon AppStream 2.0 lets you stream desktop applications to your users on their device of choice. One common use case is giving administrators access to production servers in a controlled manner. When sensitive information is reachable through AppStream 2.0, you can ensure that users reach it only from your own IP ranges. You can enforce a source IP restriction at your SAML identity provider, but applying it to the IAM role as well adds a second, independent layer: even a user who holds a valid SAML assertion cannot start a streaming session from outside the approved network locations (for example, your office egress addresses). This post shows you how to enable source IP-based restrictions on access to your AppStream 2.0 resources.

The approach in this post requires SAML 2.0 federation into your AppStream 2.0 stack, because the restriction is placed on the IAM role that federated users assume.

For more information about getting this set up in your account, see:

For information about using AWS Single Sign-On (AWS SSO) to provide access to your users, see Enable federation with AWS Single Sign-On and Amazon AppStream 2.0.

The source IP-based filter is an IAM policy attached to the IAM role that users assume through SAML 2.0 federation. One option is to create it as an inline policy on that role.

To access the inline policy:

  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Roles.
  3. Choose the link on the role name that you use for SAML 2.0 federation.
  4. On the Permissions tab of the role summary, you see your inline policy. Choose the arrow to the left of the policy name to expand it, and select Edit Policy.

Your policy should look similar to the following example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "appstream:Stream",
      "Resource": "arn:aws:appstream:<REGION-CODE>:<ACCOUNT-ID-WITHOUT-HYPHENS>:stack/<STACK-NAME>",
      "Condition": {
        "StringEquals": {
          "appstream:userId": "${saml:sub}",
          "saml:sub_type": "persistent"
        }
      }
    }
  ]
}

We leave the existing Allow statement as it is and add a Deny statement that blocks every action of this role unless the request comes from a listed IP CIDR range. In this example, only requests from the single source IP address 1.2.3.4 are allowed; replace 1.2.3.4/32 with your own range. To allow several ranges, give "aws:SourceIp" an array of CIDR blocks instead of a single string. Be sure to replace text within the < > with your information.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "appstream:Stream",
      "Resource": "arn:aws:appstream:<REGION-CODE>:<ACCOUNT-ID-WITHOUT-HYPHENS>:stack/<STACK-NAME>",
      "Condition": {
        "StringEquals": {
          "appstream:userId": "${saml:sub}",
          "saml:sub_type": "persistent"
        }
      }
    },
    {
      "Sid": "DenyOutsideApprovedRanges",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "1.2.3.4/32"
        }
      }
    }
  ]
}

Review and save the changes. The IAM role that your users assume to stream from the AppStream 2.0 stack can now be used only from the specified CIDR ranges. Because the Deny statement covers every action and resource, it applies to anything else the role is permitted to do as well, not only to appstream:Stream. The address that is compared is the one AWS sees when the federated request arrives, so users behind a NAT gateway or proxy must be matched by that egress address rather than by their internal addresses. When a user attempts to access the stack from an IP address outside the listed ranges, they receive the error: Unable to authorize the session. (Error Code: INVALID_AUTH_POLICY); Status Code: 401.
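The following is an added example, not code from the original post or from AWS. It builds the Allow + Deny policy above from a list of CIDR ranges (rejecting malformed ones before you paste them into the console) and then evaluates it locally the way IAM evaluates an identity policy: an explicit Deny wins, otherwise a matching Allow is required. Only the operators this policy uses (StringEquals, IpAddress, NotIpAddress) and the ${saml:sub} variable are modelled; the stack ARN placeholders and the documentation addresses in the demo are constructed sample values. It goes one step beyond the post by allowing several ranges at once.

```python
"""Build and locally evaluate an aws:SourceIp allowlist for appstream:Stream.

Added example, not from the original post. Models a single identity policy:
explicit Deny wins, otherwise some Allow must match, otherwise implicit deny.
"""
import ipaddress
import json

# Placeholder ARN, as in the post; replace with your stack ARN.
STACK_ARN = ("arn:aws:appstream:<REGION-CODE>:<ACCOUNT-ID-WITHOUT-HYPHENS>"
             ":stack/<STACK-NAME>")


def build_policy(allowed_cidrs):
    """Return the role policy as a dict with the Deny built from allowed_cidrs.

    strict=True rejects ranges whose host bits are set (e.g. 10.1.2.3/24),
    a typo that would otherwise silently widen or break the allowlist.
    """
    cidrs = [str(ipaddress.ip_network(c, strict=True)) for c in allowed_cidrs]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "appstream:Stream",
                "Resource": STACK_ARN,
                "Condition": {"StringEquals": {
                    "appstream:userId": "${saml:sub}",
                    "saml:sub_type": "persistent"}},
            },
            {
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                # An array means "any of these ranges"; NotIpAddress
                # then matches only when the source IP is in none of them.
                "Condition": {"NotIpAddress": {"aws:SourceIp": cidrs}},
            },
        ],
    }


def _ip_in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def _condition_matches(condition, ctx):
    """Evaluate the subset of IAM condition operators this policy uses.

    Absent-key behaviour is deliberately not modelled: this simulation only
    covers direct client requests, where aws:SourceIp is present.
    """
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if key not in ctx:
                raise KeyError(f"request context lacks {key}")
            values = wanted if isinstance(wanted, list) else [wanted]
            # Substitute the one policy variable the post's policy uses.
            values = [ctx["saml:sub"] if v == "${saml:sub}" else v for v in values]
            if operator == "IpAddress" and not _ip_in_any(ctx[key], values):
                return False
            if operator == "NotIpAddress" and _ip_in_any(ctx[key], values):
                return False
            if operator == "StringEquals" and ctx[key] not in values:
                return False
            if operator not in ("IpAddress", "NotIpAddress", "StringEquals"):
                raise ValueError(f"operator {operator} not modelled")
    return True


def is_allowed(policy, action, resource, ctx):
    """True if the policy allows action on resource for the request context."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(a in ("*", action) for a in actions):
            continue
        if not any(r in ("*", resource) for r in resources):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False          # explicit deny always wins
        allowed = True
    return allowed


def demo():
    """Constructed sample: two office egress ranges, four candidate client IPs."""
    policy = build_policy(["203.0.113.0/24", "198.51.100.7/32"])
    base = {"saml:sub": "alice", "appstream:userId": "alice", "saml:sub_type": "persistent"}
    return {ip: is_allowed(policy, "appstream:Stream", STACK_ARN, {**base, "aws:SourceIp": ip})
            for ip in ("203.0.113.20", "198.51.100.7", "198.51.100.8", "192.0.2.1")}


if __name__ == "__main__":
    print(json.dumps(build_policy(["203.0.113.0/24", "198.51.100.7/32"]), indent=2))
    print(demo())
```

The simulation is a convenience for reviewing the allowlist before you save it; the authoritative check is IAM itself, for example the IAM policy simulator with an aws:SourceIp context value, followed by a real streaming attempt from inside and outside the ranges.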

And, that’s it. You’ve now limited access to stream Amazon AppStream 2.0 applications to your IP ranges.