IP Whitelist AWS API Keys – IAM Policy

Why IP Whitelist AWS API Keys?

There have been many examples of AWS API Keys that were leaked online resulting in breaches and large monetary loss. Arguably, it is one of the more common mistakes made by engineers and administrators.

AWS API keys often live in configuration files, and it is easy to lose track of them. Over time these files get moved, copied, backed up, and shared in many places. Eventually they leak or end up exposed in public repositories.

There are many cases like the ones below:
- 10000 github users inadvertently reveal their aws secret access keys
- aws-nightmare-leaked-access-keys
- Dev puts aws keys on github

So how do you protect against this common mistake?

IP Whitelist for API Keys
One approach I have found effective is to whitelist IP addresses for API-key-based authentication. To start with the basics, all user accounts that access the console should require two-factor authentication. You can see the instructions for that here

Assuming all users require MFA for authentication, the next step is to ensure that a second factor is also enforced for access-key-based authentication. The only option for a second factor on access keys that I am aware of is an IP whitelist. This ensures that access using API keys is granted only if the request originates from a “trusted” network.

Enumerate the list of IP Addresses
There are a few egress points that you should consider:
1. Your corporate network – multiple IP ranges for different ISPs
2. Your datacenters – multiple IP ranges for different ISPs
3. AWS Account(s) – NAT Gateway addresses
4. Other clouds – NAT Gateway addresses

Once you have enumerated the list of IP addresses, the configuration is relatively simple.

Create A Policy

Policy Name: IP_Whitelist_AWS_API_Keys

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IP Whitelist AWS API Keys",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "16.10.10.224/28",
            "52.20.20.20/32",
            "45.12.12.18"
          ]
        },
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
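To see what this policy actually does before attaching it to anyone, the following added example (not from the original post) models how IAM combines the two statements above: an explicit Deny wins over any Allow, the two operator blocks inside Condition are ANDed, and a negated operator such as NotIpAddress or an ...IfExists operator is treated as matching when its key is absent from the request. The policy document is the one from the post; the request contexts are constructed samples. Long-term access keys never carry aws:MultiFactorAuthPresent, which is why the Deny uses BoolIfExists rather than Bool.

```python
# Added example (not from the original post): a local model of how IAM
# evaluates the Deny/Allow statements above against sample requests.
import fnmatch
import ipaddress

# The policy from the post, as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IP Whitelist AWS API Keys",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": ["16.10.10.224/28", "52.20.20.20/32", "45.12.12.18"]
                },
                "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"},
            },
        },
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in_ranges(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _operator_matches(operator, actual, expected):
    """One condition key under one operator. IAM rule for a missing key:
    negated (Not...) and ...IfExists operators match, all others do not."""
    if actual is None:
        return operator.startswith("Not") or operator.endswith("IfExists")
    if operator == "IpAddress":
        return _ip_in_ranges(actual, expected)
    if operator == "NotIpAddress":
        return not _ip_in_ranges(actual, expected)
    if operator in ("Bool", "BoolIfExists"):
        return str(actual).lower() in {e.lower() for e in expected}
    raise ValueError(f"operator {operator} not modelled in this example")


def _condition_matches(condition, ctx):
    # Every operator block, and every key inside it, must match (AND).
    return all(
        _operator_matches(op, ctx.get(key), _as_list(expected))
        for op, keys in condition.items()
        for key, expected in keys.items()
    )


def evaluate(policy, action, resource, ctx):
    """Return "Deny", "Allow" or "ImplicitDeny" for a single request.
    An explicit Deny always wins, so it short-circuits the loop."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed request contexts (203.0.113.0/24 is a documentation range).
SCENARIOS = {
    "access key from corporate range": {"aws:SourceIp": "16.10.10.230"},
    "leaked access key from unknown host": {"aws:SourceIp": "203.0.113.5"},
    "console user with MFA from home": {
        "aws:SourceIp": "203.0.113.5", "aws:MultiFactorAuthPresent": "true"},
    "console user without MFA from home": {
        "aws:SourceIp": "203.0.113.5", "aws:MultiFactorAuthPresent": "false"},
    # Requests through a VPC endpoint carry aws:VpcSourceIp, not aws:SourceIp.
    "access key via VPC endpoint (no aws:SourceIp)": {},
}


def walkthrough(policy=POLICY):
    """Decision for each scenario against s3:GetObject on a sample bucket."""
    return {
        name: evaluate(policy, "s3:GetObject", "arn:aws:s3:::example-bucket/key", ctx)
        for name, ctx in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, decision in walkthrough().items():
        print(f"{decision:12} {name}")
```

The last scenario is the one to keep in mind: because NotIpAddress matches when aws:SourceIp is absent, this Deny also blocks requests that arrive without a public source address, such as calls through a VPC endpoint or calls an AWS service makes on your behalf with your credentials. If you need those, add an exception on aws:SourceVpce or aws:ViaAWSService to the Deny condition. To check the real policy rather than this model, use the IAM policy simulator, e.g. `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names s3:GetObject --context-entries "ContextKeyName=aws:SourceIp,ContextKeyValues=203.0.113.5,ContextKeyType=ip"`, and the group steps below map to `aws iam create-policy`, `aws iam create-group`, `aws iam attach-group-policy` and `aws iam add-user-to-group`.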

Create a Group – Whitelisted_Accounts
– Attach the policy IP_Whitelist_AWS_API_Keys created above to the group

Add Users to Group
– Select group Whitelisted_Accounts
– Select Users
– Add Users to Group