$ ocm get /api/clusters_mgmt/v1/trusted_ip_addresses
You can implement an additional layer of security in your AWS account to prevent role assumption from non-allowlisted IP addresses.
You can create an identity-based Identity and Access Management (IAM) policy that denies access to all AWS actions when the request originates from an IP address other than Red Hat provided IPs.
You have access to the see AWS Management Console with the permissions required to create and modify IAM policies.
Sign in to the AWS Management Console using your AWS account credentials.
Navigate to the IAM service.
In the IAM console, select Policies from the left navigation menu.
Click Create policy.
Select the JSON tab to define the policy using JSON format.
To get the IP addresses that you need to enter into the JSON policy document, run the following command:
$ ocm get /api/clusters_mgmt/v1/trusted_ip_addresses
These IP addresses are not permanent and are subject to change. You must continuously review the API output and make the necessary updates in the JSON policy document. |
Copy and paste the following policy_document.json
file into the editor:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": []
},
"Bool": {
"aws:ViaAWSservice": "false"
}
}
}
]
}
Copy and paste all of the IP addresses, which you got in Step 6, into the "aws:SourceIp": []
array in your policy_document.json
file.
Click Review and create.
Provide a name and description for the policy, and review the details for accuracy.
Click Create policy to save the policy.
The condition key |
Once you have created an identity-based IAM policy, attach it to the relevant IAM users, groups, or roles in your AWS account to prevent IP-based role assumption for those entities.
Navigate to the IAM console in the AWS Management Console.
Select the default IAM ManagedOpenShift-Support-Role
role to which you want to attach the policy.
You can change the default IAM |
In the Permissions tab, select Add Permissions or Create inline policy from the Add Permissions drop-down list.
Search for the policy you created earlier by:
Entering the policy name.
Filtering by the appropriate category.
Select the policy and click Attach policy.
To ensure effective IP-based role assumption prevention, you must keep the allowlisted IPs up to date. Failure to do so may result in Red Hat site reliability engineering (SRE) being unable to access your account and affect your SLA. If you have further questions or require assistance, please reach out to our support team. |
For more information about denying access based on the source IP, see AWS: Denies access to AWS based on the source IP in the AWS documentation.