Restrict AWS Console and API Access using Twingate

Hello,

I want to restrict AWS console and API access using Twingate.

For example, a user should be able to access the AWS resources and console only if they are connected to Twingate.

Is there any way to do it?

I tried adding an IAM policy to users allowing resource access from the Twingate Connector IP, but it does not allow the services even when connected to Twingate.

I have used the following IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "1.2.5.5/32"
                    ]
                }
            }
        }
    ]
}

Thanks in Advance.

Hi @Akshay, I don't think I personally have an example I have tested myself, but I got hold of one that I am told may work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "1.2.5.5"
                }
            }
        }
    ]
}

The thing I am a bit less clear on is whether it will gate access to the AWS Console itself (although it should work fine to block API access). I saw various opinions on that on the internet, so I'm not sure that part is doable without gating Console access behind SSO.

Hi @Bren,

Thanks for your reply.

I tried this; it blocked access to the console and the API, but when I connected to Twingate and tried accessing the Console and services, it did not allow them.

@Akshay,

That might have to do with which Resources you have declared in Twingate and assigned to your users. Make sure the resources you have declared and assigned match the traffic for the API and the console: the idea is that all connections to the Console / AWS API should go through the Connector and come out of the Connector's egress public IP.

Hey @Bren,

I have declared *.aws.amazon.com in Twingate resources, and that IAM policy restricted the user from accessing resources from the Console and the API even when Twingate is connected.

The user is getting his own public IP, so I guess there might be another approach for this.

Hi @Akshay,

The public IP that Amazon / AWS sees is a function of whether the right traffic is intercepted by Twingate via Resource definitions or not. If traffic destined for a particular endpoint is covered by a Twingate Resource, then the public IP AWS will see is that of the Connector. If it is not part of a Resource, then Twingate ignores the traffic (we call that bypass traffic) and the public IP seen by AWS is the public IP provided by the end user's ISP.

Make sure to figure out the endpoint(s) the AWS APIs use and to declare Twingate Resources accordingly.

For instance, in this case it sounds (from a separate thread) like you have created a resource for *.aws.amazon.com, but if you were trying to send traffic for, say, the EC2 API, Twingate wouldn't be able to intercept it because the API's endpoint is on ec2.amazonaws.com, which is not matched by the resource definition.

Which AWS API are you trying to gate?
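As an added illustration of the diagnosis above (example code, not from the thread, Twingate or AWS): it models which public IP AWS would see for a given endpoint under a set of Twingate Resource patterns, then runs the thread's Deny-unless-from-Connector policy against that IP. The wildcard semantics, the Connector IP 1.2.5.5 and the user's ISP address 203.0.113.7 are assumptions, and the policy evaluator handles only the aws:SourceIp condition shapes shown in this thread.

```python
import ipaddress

# Constructed values: the Connector IP is the placeholder from the thread's policy,
# the user's ISP address is a documentation-range address.
CONNECTOR_EGRESS_IP = "1.2.5.5"
USER_ISP_IP = "203.0.113.7"

# The Deny-unless-from-Connector policy from the thread (placeholder IP kept).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["1.2.5.5/32"]}}},
    ],
}

def resource_matches(hostname, patterns):
    """Assumed wildcard semantics: '*.example.com' covers any subdomain of
    example.com (not the apex); any other pattern is an exact hostname."""
    host = hostname.lower().rstrip(".")
    for pat in (p.lower() for p in patterns):
        if (pat.startswith("*.") and host.endswith(pat[1:])) or host == pat:
            return True
    return False

def egress_ip(hostname, patterns):
    """Intercepted traffic exits via the Connector; bypass traffic keeps the user's IP."""
    return CONNECTOR_EGRESS_IP if resource_matches(hostname, patterns) else USER_ISP_IP

def _in_ranges(ip, ranges):
    ranges = [ranges] if isinstance(ranges, str) else ranges
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)

def _condition_holds(cond, ip):
    for op, kv in cond.items():
        ranges = kv.get("aws:SourceIp", [])
        if op == "IpAddress" and not _in_ranges(ip, ranges): return False
        if op == "NotIpAddress" and _in_ranges(ip, ranges): return False
    return True

def policy_allows(policy, ip):
    """Simplified IAM evaluation: explicit Deny wins, and a statement only applies
    when its Condition holds for the request's source IP."""
    allowed = False
    for st in policy["Statement"]:
        if not _condition_holds(st.get("Condition", {}), ip): continue
        if st["Effect"] == "Deny": return False
        allowed = True
    return allowed

def request_allowed(hostname, patterns, policy=POLICY):
    return policy_allows(policy, egress_ip(hostname, patterns))
```

With only `*.aws.amazon.com` declared, `request_allowed("ec2.amazonaws.com", ["*.aws.amazon.com"])` is False because the EC2 call bypasses Twingate and arrives from the user's ISP address; adding a pattern that covers `*.amazonaws.com` routes it through the Connector and the same policy allows it.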