Implementing identity-based policies and other policy types - AWS Management Console

You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. This page describes how policies work when used together with AWS Management Console Private Access.

Supported AWS global condition context keys

AWS Management Console Private Access does not support the aws:SourceVpce and aws:VpcSourceIp AWS global condition context keys. When using AWS Management Console Private Access, use the aws:SourceVpc IAM condition in your policies instead.

How AWS Management Console Private Access works with aws:SourceVpc

This section describes the various network paths that the requests generated by your AWS Management Console can take to AWS services. In general, AWS service consoles are implemented with a mix of direct browser requests and requests that are proxied by the AWS Management Console web servers to AWS services. These implementations are subject to change without notice. If your security requirements include access to AWS services using VPC endpoints, we recommend that you configure VPC endpoints for all of the services that you intend to use from your VPC, whether directly or through AWS Management Console Private Access. Furthermore, you must use the aws:SourceVpc IAM condition in your policies rather than specific aws:SourceVpce values with the AWS Management Console Private Access feature. The rest of this section describes how the different network paths work.

After a user signs in to the AWS Management Console, they make requests to AWS services through a combination of direct browser requests and requests that are proxied by AWS Management Console web servers to AWS servers. For example, CloudWatch graph data requests are made directly from the browser, whereas some AWS service console requests, such as those made by the Amazon S3 console, are proxied by the web server to Amazon S3.

For direct browser requests, using AWS Management Console Private Access does not change anything. As before, the request reaches the service through whatever network path the VPC has configured to reach monitoring.region.amazonaws.com. If the VPC is configured with a VPC endpoint for com.amazonaws.region.monitoring, the request will reach CloudWatch through that CloudWatch VPC endpoint. If there is no VPC endpoint for CloudWatch, the request will reach CloudWatch at its public endpoint, by way of an Internet Gateway on the VPC. Requests that arrive at CloudWatch by way of the CloudWatch VPC endpoint will have the IAM conditions aws:SourceVpc and aws:SourceVpce set to their respective values. Those that reach CloudWatch through its public endpoint will have aws:SourceIp set to the source IP address of the request. For more information about these IAM condition keys, see Global condition keys in the IAM User Guide.

For requests that are proxied by the AWS Management Console web server, such as the request that the Amazon S3 console makes to list your buckets when you visit the Amazon S3 console, the network path is different. These requests aren't initiated from your VPC and therefore don't use the VPC endpoint you may have configured on your VPC for that service. Even if you have a VPC endpoint for Amazon S3 in this case, your session’s request to Amazon S3 to list the buckets doesn't use the Amazon S3 VPC endpoint. However, when you use AWS Management Console Private Access with supported services, these requests (for example, to Amazon S3) will include the aws:SourceVpc condition key in their request context. The aws:SourceVpc condition key will be set to the VPC ID where your AWS Management Console Private Access endpoints for sign-in and console are deployed. So, if you are using aws:SourceVpc restrictions in your identity-based policies, you must add the VPC ID of this VPC that is hosting the AWS Management Console Private Access sign-in and console endpoints. The aws:SourceVpce condition will be set to the respective sign-in or console VPC endpoint IDs.

Note

If your users require access to service consoles that AWS Management Console Private Access does not support, you must list your expected public network addresses (such as your on-premises network range) with the aws:SourceIp condition key in the users' identity-based policies.
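To make the difference between the two condition keys concrete, here is an added example (not AWS's own code or tooling): a miniature evaluator for the IAM condition operators involved, run against request contexts modelled on the three network paths described above. All VPC IDs, endpoint IDs and addresses are constructed placeholders, and the example assumes the user's workstation sits in the same VPC as the Private Access sign-in and console endpoints. It shows that a policy pinning requests to specific service endpoint IDs with aws:SourceVpce denies the console's proxied Amazon S3 request (whose aws:SourceVpce is the sign-in endpoint, not the S3 endpoint), while the same policy keyed on aws:SourceVpc, with the corporate range allowed through aws:SourceIp as in the Note, behaves as intended.

```python
"""Added example, not AWS's own code: a miniature IAM condition evaluator used
to show why an identity-based policy that pins requests to specific service
VPC endpoint IDs (aws:SourceVpce) breaks the console's proxied requests under
AWS Management Console Private Access, while a policy keyed on aws:SourceVpc
keeps working. All IDs and addresses below are constructed placeholders."""
import ipaddress

# Constructed identifiers (placeholders, not real resources).
CONSOLE_VPC = "vpc-0console000000001"       # VPC hosting the sign-in and console endpoints
CLOUDWATCH_VPCE = "vpce-0cloudwatch000001"  # com.amazonaws.region.monitoring endpoint
S3_VPCE = "vpce-0s300000000000001"          # Amazon S3 endpoint in the same VPC
SIGNIN_VPCE = "vpce-0signin00000000001"     # AWS Sign-In Private Access endpoint
CORP_CIDR = "203.0.113.0/24"                # on-premises egress range, as in the Note

# Request contexts modelled on the network paths this page describes. The
# example assumes the user's workstation sits in the same VPC as the Private
# Access endpoints.
REQUEST_CONTEXTS = {
    # Direct browser request that reaches CloudWatch through its VPC endpoint.
    "direct_via_vpce": {"aws:SourceVpc": CONSOLE_VPC, "aws:SourceVpce": CLOUDWATCH_VPCE},
    # Direct browser request that reaches the public endpoint through an Internet Gateway.
    "direct_public": {"aws:SourceIp": "203.0.113.25"},
    # S3 request proxied by the console web server under Private Access: SourceVpc is
    # the console VPC and SourceVpce is the sign-in/console endpoint, never the S3 endpoint.
    "proxied_private_access": {"aws:SourceVpc": CONSOLE_VPC, "aws:SourceVpce": SIGNIN_VPCE},
    # Constructed: a request whose only context is an address outside the corporate range.
    "unknown_public": {"aws:SourceIp": "198.51.100.7"},
}


def condition_matches(operator, key, wanted, context):
    """Evaluate one condition operator for one key. A key absent from the request
    context fails positive operators and satisfies negated (...Not...) ones."""
    negated = "Not" in operator
    values = wanted if isinstance(wanted, list) else [wanted]
    actual = context.get(key)
    if actual is None:
        return negated
    if operator in ("StringEquals", "StringNotEquals"):
        hit = actual in values
    elif operator in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(actual)
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    else:
        raise ValueError(f"unsupported operator {operator}")
    return not hit if negated else hit


def statement_matches(statement, action, context):
    """True when the statement covers the action and every condition holds (AND)."""
    actions = statement["Action"]
    actions = actions if isinstance(actions, list) else [actions]
    covered = any(a == "*" or a == action or (a.endswith("*") and action.startswith(a[:-1]))
                  for a in actions)
    if not covered:
        return False
    return all(condition_matches(op, key, wanted, context)
               for op, pairs in statement.get("Condition", {}).items()
               for key, wanted in pairs.items())


def evaluate(policy, action, context):
    """Simplified IAM logic: an explicit Deny wins, then Allow, else implicit Deny."""
    effects = {s["Effect"] for s in policy["Statement"] if statement_matches(s, action, context)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


def restrict_policy(vpc_key, vpc_values):
    """Allow CloudWatch and S3, but deny any request that comes neither from the
    corporate range nor from the expected VPC / VPC endpoint(s)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["cloudwatch:*", "s3:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": CORP_CIDR},
                       "StringNotEquals": {vpc_key: vpc_values}}},
    ]}


PINNED_TO_SERVICE_VPCES = restrict_policy("aws:SourceVpce", [CLOUDWATCH_VPCE, S3_VPCE])
KEYED_ON_SOURCE_VPC = restrict_policy("aws:SourceVpc", CONSOLE_VPC)


def compare_policies():
    """Return {path: (result under the aws:SourceVpce policy, result under the aws:SourceVpc policy)}."""
    cases = [("direct_via_vpce", "cloudwatch:GetMetricData"),
             ("direct_public", "cloudwatch:GetMetricData"),
             ("proxied_private_access", "s3:ListAllMyBuckets"),
             ("unknown_public", "s3:ListAllMyBuckets")]
    return {path: (evaluate(PINNED_TO_SERVICE_VPCES, action, REQUEST_CONTEXTS[path]),
                   evaluate(KEYED_ON_SOURCE_VPC, action, REQUEST_CONTEXTS[path]))
            for path, action in cases}


if __name__ == "__main__":
    for path, (by_vpce, by_vpc) in compare_policies().items():
        print(f"{path:24s} SourceVpce policy: {by_vpce:5s}  SourceVpc policy: {by_vpc}")
```

The Deny statement combines NotIpAddress and StringNotEquals, so it fires only when both fail to match; a request context that lacks a key satisfies the negated operator, which is why the proxied request (no aws:SourceIp, a sign-in endpoint ID rather than a service endpoint ID) is denied by the aws:SourceVpce variant and allowed by the aws:SourceVpc variant. Before relying on such a policy, confirm the outcome with the IAM policy simulator rather than with this simplified evaluator.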

How different network paths are reflected in CloudTrail

Different network paths used by requests generated by your AWS Management Console are reflected in your CloudTrail event history.

For direct browser requests, using AWS Management Console Private Access doesn't change anything. CloudTrail events will include details about the connection, like the VPC endpoint ID that was used to make the service API call.

For requests that are proxied by the AWS Management Console web server, CloudTrail events will not include any VPC related details. However, initial requests to AWS Sign-In that are required to establish the browser session, such as the AwsConsoleSignIn event type, will include the AWS Sign-In VPC endpoint ID in the event details.
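Because proxied console calls leave no VPC details in their own CloudTrail events, the only VPC evidence for them is the AwsConsoleSignIn event that opened the session. The following added example (not AWS's own code) runs that correlation over a handful of constructed CloudTrail events trimmed to the fields the logic needs (eventType, eventName, eventSource, userIdentity.arn, vpcEndpointId, sourceIPAddress): it leaves API calls that carry their own vpcEndpointId alone and flags VPC-less calls only when the principal's ConsoleLogin event did not arrive through the expected sign-in endpoint. The endpoint IDs and principal ARNs are placeholders, and treating a ConsoleLogin event without vpcEndpointId as a public sign-in is an assumption of the example.

```python
"""Added example, not AWS's own code: reading the CloudTrail evidence this page
describes. Direct browser calls that go through a service VPC endpoint carry a
vpcEndpointId; calls the console proxies carry no VPC details, so the only VPC
evidence for them is the AwsConsoleSignIn event that opened the session. The
events below are constructed and trimmed to the fields the logic needs."""

EXPECTED_SIGNIN_VPCE = "vpce-0signin00000000001"  # constructed: your AWS Sign-In endpoint ID
ALICE = "arn:aws:iam::111122223333:user/alice"   # constructed principals
BOB = "arn:aws:iam::111122223333:user/bob"

EVENTS = [
    # Alice signs in through Private Access: the sign-in event names the endpoint.
    {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": ALICE}, "vpcEndpointId": EXPECTED_SIGNIN_VPCE},
    # Direct browser call from her session through the CloudWatch VPC endpoint.
    {"eventType": "AwsApiCall", "eventName": "GetMetricData",
     "eventSource": "monitoring.amazonaws.com",
     "userIdentity": {"arn": ALICE}, "vpcEndpointId": "vpce-0cloudwatch000001"},
    # Proxied S3 console call from her session: no VPC fields at all.
    {"eventType": "AwsApiCall", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": ALICE}},
    # Bob's sign-in event carries no vpcEndpointId (assumed here to mean a public sign-in).
    {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": BOB}, "sourceIPAddress": "198.51.100.7"},
    {"eventType": "AwsApiCall", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": BOB}},
]


def classify_path(event):
    """Label the evidence an API-call event gives about its network path."""
    if event["eventType"] != "AwsApiCall":
        return "not-an-api-call"
    return "service-vpc-endpoint" if "vpcEndpointId" in event else "no-vpc-evidence"


def signin_endpoints(events):
    """Map each principal to the vpcEndpointId of its ConsoleLogin event (None if absent)."""
    return {e["userIdentity"]["arn"]: e.get("vpcEndpointId")
            for e in events
            if e["eventType"] == "AwsConsoleSignIn" and e["eventName"] == "ConsoleLogin"}


def vpcless_calls_outside_private_access(events, expected_signin_vpce):
    """Return {principal: [eventName, ...]} for API calls that carry no VPC evidence
    of their own and belong to a principal whose console sign-in did not arrive
    through the expected sign-in endpoint. Calls with their own vpcEndpointId are
    judged by that field instead."""
    signins = signin_endpoints(events)
    findings = {}
    for e in events:
        if classify_path(e) != "no-vpc-evidence":
            continue
        arn = e["userIdentity"]["arn"]
        if signins.get(arn) != expected_signin_vpce:
            findings.setdefault(arn, []).append(e["eventName"])
    return findings


if __name__ == "__main__":
    print(vpcless_calls_outside_private_access(EVENTS, EXPECTED_SIGNIN_VPCE))
```

The example keys the correlation on the principal ARN for brevity; in a real trail you would also bound it in time to the session that the ConsoleLogin event opened, since the same principal can hold several sessions with different network paths.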