I want to follow best practices by limiting the ability of users to take certain actions and by restricting access to specific IP addresses of a physical office location or VPN connection. However, I also want to allow these users to use the Switch Role feature of the AWS Management Console.

The Switch Role feature in the AWS Management Console allows you to assume roles, both for your account and for cross-account access. Because the request to switch roles is issued from the IP address of the AWS Management Console—which is not one of the allowed source IP addresses—the feature is blocked by source IP restrictions in the user policy.

For example, consider the following user policy, which explicitly denies access to all actions and resources from any IP address that is not included in the SourceIp specification:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "123.123.123.123/24"
                    ]
                }
            }
        }
    ]
}

And the following AssumeRole policy, which allows a user to assume the role RoleA in the account 12345678901:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::12345678901:role/RoleA"
    }
}

The user cannot assume RoleA because the AssumeRole request is initiated from an IP address outside the range specified in the SourceIp condition of the user policy, so the explicit Deny matches it.

To resolve this issue, you can replace the Action element in the first policy with a NotAction element that excludes the AssumeRole action from the SourceIp restriction:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotAction": "sts:AssumeRole",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "123.123.123.123/24"
                    ]
                }
            }
        }
    ]
}

This change grants the user access to the Switch Role feature from the console while maintaining the SourceIp limitation for all other actions. Note that sts:AssumeRole itself is now exempt from the IP condition entirely; only the actions covered by the Deny statement remain restricted.
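To see why the NotAction version behaves differently, the following added example (not part of the AWS article) models the small slice of IAM evaluation the three policies depend on: explicit Deny beats Allow, Action/NotAction matching, and the NotIpAddress condition on aws:SourceIp. The console IP and office IP are constructed values; Resource matching is ignored because every statement here uses "*" or the single role ARN.

```python
"""Teaching model of IAM evaluation for the article's policies (added example).
Covers only Allow/Deny, Action/NotAction with '*' wildcards and NotIpAddress;
real IAM evaluation handles many more condition keys and resource matching."""
import ipaddress
from fnmatch import fnmatchcase

OFFICE_CIDR = "123.123.123.123/24"   # value from the article
CONSOLE_IP = "54.0.0.1"              # constructed: stands in for the console's source IP
OFFICE_IP = "123.123.123.10"         # constructed: inside the office range

def _statements(policy):
    stmts = policy["Statement"]
    return stmts if isinstance(stmts, list) else [stmts]

def _action_matches(stmt, action):
    if "Action" in stmt:
        return fnmatchcase(action, stmt["Action"])
    # NotAction: the statement applies to every action EXCEPT the listed one
    return not fnmatchcase(action, stmt["NotAction"])

def _condition_holds(stmt, source_ip):
    cond = stmt.get("Condition", {})
    if "NotIpAddress" not in cond:
        return True
    ip = ipaddress.ip_address(source_ip)
    # strict=False tolerates host bits in the CIDR, as in the article's value
    ranges = (ipaddress.ip_network(r, strict=False) for r in cond["NotIpAddress"]["aws:SourceIp"])
    return not any(ip in net for net in ranges)

def evaluate(policies, action, source_ip):
    """'Deny' if any matching statement denies, 'Allow' if one allows,
    otherwise the implicit 'Deny' (the core of IAM's evaluation order)."""
    allowed = False
    for policy in policies:
        for stmt in _statements(policy):
            if not (_action_matches(stmt, action) and _condition_holds(stmt, source_ip)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"

# The three policies from the article, in compact form
DENY_OUTSIDE_OFFICE = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "*",
    "Resource": "*", "Condition": {"NotIpAddress": {"aws:SourceIp": [OFFICE_CIDR]}}}]}
DENY_OUTSIDE_EXCEPT_ASSUME = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny",
    "NotAction": "sts:AssumeRole", "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": [OFFICE_CIDR]}}}]}
ALLOW_ASSUME = {"Version": "2012-10-17", "Statement": {"Effect": "Allow",
    "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::12345678901:role/RoleA"}}
```

Running evaluate with the original Deny policy plus the AssumeRole allow returns "Deny" for sts:AssumeRole from the console IP; with the NotAction policy it returns "Allow" for that call, yet still "Deny" for any other action from outside the office range.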


Published: 2016-05-16