Get to Grips with AWS IAM Roles: Terms, Concepts, and Examples
AWS IAM roles are an essential part of managing access to AWS resources securely. IAM roles allow you to define a set of permissions for making AWS service requests without having to provide permanent credentials like passwords or access keys. Instea...
blog.awsfundamentals.com · 22 min read
The explanation provided for example policy B is incorrect:
The AWS IAM policy denies all actions for requests originating from IP addresses outside the specified ranges. Here's a breakdown:
"Version": "2012-10-17": Indicates the IAM policy language version being used.
"Statement": Contains one statement defining the permissions.
"Sid": "DenyIPRange": A unique identifier for the statement, usually used for reference purposes.
"Action": "*": Specifies that this policy applies to all actions. The asterisk (*) is a wildcard that represents any action.
"Effect": "Deny": Denies the actions specified in the policy.
"Resource": "*": Indicates that this policy applies to all AWS resources.
"Condition": Specifies conditions under which the policy applies. In this case, it checks the source IP address of the request.
"NotIpAddress": Indicates that the condition checks for IP addresses that are not within the specified ranges.
"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]: Specifies the IP address ranges allowed to perform actions. Requests originating from IP addresses outside these ranges will be denied.
So, this policy essentially allows actions only if the request originates from an IP address within the specified ranges (192.0.2.0/24 and 203.0.113.0/24). All other IP addresses will be denied access to perform any actions on AWS resources.
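To make the `NotIpAddress` semantics concrete, the following is an added example (not code from the comment above or from the blog post): it reconstructs the policy from the elements the comment lists and evaluates it against constructed sample source IPs. The evaluator is a deliberate simplification of IAM's real evaluation logic, an assumption for illustration only; it models just this one Deny statement and the `aws:SourceIp` condition key, not the full Allow/Deny resolution across identity, resource and session policies.

```python
import ipaddress

# Policy reconstructed from the elements enumerated in the comment above
# (Version, Sid, Action, Effect, Resource, Condition). Not copied from the post.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIPRange",
            "Action": "*",
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]
                }
            },
        }
    ],
}


def not_ip_address_matches(cidrs, source_ip):
    """Model of the NotIpAddress operator: true when source_ip falls inside
    none of the listed CIDR ranges (i.e. the request comes from "outside")."""
    addr = ipaddress.ip_address(source_ip)
    return not any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def policy_denies(policy, source_ip):
    """Simplified evaluator (assumption: only Deny statements whose sole
    condition is NotIpAddress on aws:SourceIp). Returns True when the request
    from source_ip is explicitly denied by the policy."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cidrs = stmt.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp", [])
        if isinstance(cidrs, str):          # IAM accepts a single string or a list
            cidrs = [cidrs]
        if not cidrs:                        # a Deny with no IP condition is unconditional
            return True
        if not_ip_address_matches(cidrs, source_ip):
            return True
    return False


def classify(policy, source_ips):
    """Constructed sample run: map each source IP to 'denied' or 'not denied'.
    'Not denied' is not 'allowed': this policy grants nothing by itself, so the
    caller still needs a separate Allow statement to perform any action."""
    return {ip: ("denied" if policy_denies(policy, ip) else "not denied") for ip in source_ips}


if __name__ == "__main__":
    # Constructed sample source addresses (documentation ranges plus one private).
    for ip, verdict in classify(POLICY, ["192.0.2.10", "203.0.113.255", "198.51.100.7", "10.0.0.1"]).items():
        print(f"{ip:>16} -> {verdict}")
```

Two practical notes for anyone deploying a policy of this shape: the statement only ever subtracts permissions, so an identity with no matching Allow can still do nothing from the listed ranges; and because the check keys on the caller's apparent source address, it can also block calls that AWS services make on your behalf, which is why AWS documents pairing such Deny statements with an `aws:ViaAWSService` condition when that is not the intent.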