You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. This page describes how policies work when used together with AWS Management Console Private Access.
Supported AWS global condition context keys
AWS Management Console Private Access does not support the aws:SourceVpce and aws:VpcSourceIp AWS global condition context keys. When using AWS Management Console Private Access, use the aws:SourceVpc IAM condition in your policies instead.
How AWS Management Console Private Access works with aws:SourceVpc
This section describes the various network paths that the requests generated by your AWS Management Console can take to AWS services. In general, AWS service consoles are implemented with a mix of direct browser requests and requests that are proxied by the AWS Management Console web servers to AWS services. These implementations are subject to change without notice. If your security requirements include access to AWS services using VPC endpoints, we recommend that you configure VPC endpoints for all of the services that you intend to use from the VPC, whether directly or through AWS Management Console Private Access. Furthermore, you must use the aws:SourceVpc IAM condition in your policies rather than specific aws:SourceVpce values with the AWS Management Console Private Access feature. This section provides details about how the different network paths work.
After a user signs in to the AWS Management Console, they make requests to AWS services through a combination of direct browser requests and requests that are proxied by AWS Management Console web servers to AWS services. For example, CloudWatch graph data requests are made directly from the browser, whereas some other service console requests, such as those made by the Amazon S3 console, are proxied by the web server to Amazon S3.
For direct browser requests, using AWS Management Console Private Access does not change anything. As before, the request reaches the service through whatever network path the VPC has configured to reach monitoring.region.amazonaws.com. If the VPC is configured with a VPC endpoint for com.amazonaws.region.monitoring, the request will reach CloudWatch through that CloudWatch VPC endpoint. If there is no VPC endpoint for CloudWatch, the request will reach CloudWatch at its public endpoint, by way of an Internet Gateway on the VPC. Requests that arrive at CloudWatch by way of the CloudWatch VPC endpoint will have the IAM conditions aws:SourceVpc and aws:SourceVpce set to their respective values. Those that reach CloudWatch through its public endpoint will have aws:SourceIp set to the source IP address of the request. For more information about these IAM condition keys, see Global condition keys in the IAM User Guide.
For requests that are proxied by the AWS Management Console web server, such as the request that the Amazon S3 console makes to list your buckets when you visit the Amazon S3 console, the network path is different. These requests aren't initiated from your VPC and therefore don't use the VPC endpoint you may have configured on your VPC for that service. Even if you have a VPC endpoint for Amazon S3 in this case, your session's request to Amazon S3 to list the buckets doesn't use the Amazon S3 VPC endpoint. However, when you use AWS Management Console Private Access with supported services, these requests (for example, to Amazon S3) will include the aws:SourceVpc condition key in their request context. The aws:SourceVpc condition key will be set to the VPC ID where your AWS Management Console Private Access endpoints for sign-in and console are deployed. So, if you are using aws:SourceVpc restrictions in your identity-based policies, you must add the VPC ID of the VPC that is hosting the AWS Management Console Private Access sign-in and console endpoints. The aws:SourceVpce condition will be set to the respective sign-in or console VPC endpoint IDs.
Note
If your users require access to service consoles that aren't supported by AWS Management Console Private Access, you must include a list of your expected public network addresses (such as your on-premises network range) using the aws:SourceIp condition key in the users' identity-based policies.
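As an added example (not part of the AWS documentation), the following Python models the request contexts described above for the three network paths and checks two identity-based Deny statements against them: one that pins specific aws:SourceVpce values, and one that uses aws:SourceVpc (including the VPC hosting the sign-in and console endpoints) together with an aws:SourceIp range for the public path, as the note above requires. It goes one step beyond the text by also including a public request from an address outside the expected range. All VPC IDs, endpoint IDs and CIDRs are constructed placeholders, and the evaluator is a simplified model of IAM condition evaluation (operator blocks in one Condition are ANDed; a missing key satisfies negated operators and fails positive ones), not the IAM policy engine itself.

```python
import ipaddress

# Constructed placeholder identifiers (not real resources).
WORKLOAD_VPC = "vpc-0aaaa1111bbbb2222c"   # VPC the user's browser runs in
CONSOLE_VPC = "vpc-0cccc3333dddd4444e"    # VPC hosting the sign-in/console endpoints
CLOUDWATCH_VPCE = "vpce-0aaaa1111bbbb2222c"
CONSOLE_VPCE = "vpce-0cccc3333dddd4444e"
ONPREM_CIDR = "198.51.100.0/24"

# Request contexts as the page describes them for each network path.
REQUEST_CONTEXTS = {
    # Direct browser request that reached the service through its VPC endpoint.
    "direct_via_vpc_endpoint": {"aws:SourceVpc": WORKLOAD_VPC,
                                "aws:SourceVpce": CLOUDWATCH_VPCE},
    # Direct browser request that reached the public endpoint from an expected range.
    "direct_via_public_endpoint": {"aws:SourceIp": "198.51.100.25"},
    # Same, but from an address outside the expected range (added case).
    "direct_via_public_unknown_ip": {"aws:SourceIp": "203.0.113.7"},
    # Console-proxied request with Private Access: SourceVpc is the console VPC.
    "proxied_with_private_access": {"aws:SourceVpc": CONSOLE_VPC,
                                    "aws:SourceVpce": CONSOLE_VPCE},
}

# Statement that pins endpoint IDs: the proxied request carries the console
# endpoint ID, not a service endpoint ID, so it is denied.
DENY_UNLESS_KNOWN_VPCE = {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:SourceVpce": [CLOUDWATCH_VPCE]}},
}

# Statement following the page's guidance: aws:SourceVpc listing both the
# workload VPC and the console VPC, plus the on-premises range for public paths.
DENY_UNLESS_KNOWN_VPC_OR_IP = {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {
        "StringNotEquals": {"aws:SourceVpc": [WORKLOAD_VPC, CONSOLE_VPC]},
        "NotIpAddress": {"aws:SourceIp": [ONPREM_CIDR]},
    },
}


def _operator_matches(operator, key, values, ctx):
    """Evaluate one condition operator against one key (simplified IAM model)."""
    negated = "Not" in operator
    if key not in ctx:
        # Modelled rule: a missing key satisfies negated operators only.
        return negated
    actual = ctx[key]
    if operator.startswith("String"):
        hit = actual in values
    elif operator.endswith("IpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v)
                  for v in values)
    else:
        raise ValueError(f"unsupported operator in this model: {operator}")
    return not hit if negated else hit


def condition_matches(condition, ctx):
    """All operator blocks (and all keys within them) must match."""
    return all(_operator_matches(op, key, values, ctx)
               for op, block in condition.items()
               for key, values in block.items())


def is_denied(statement, ctx):
    return statement["Effect"] == "Deny" and condition_matches(statement["Condition"], ctx)


def evaluate(statement):
    """Map each network path to 'DENY' or 'not denied' under the statement."""
    return {path: ("DENY" if is_denied(statement, ctx) else "not denied")
            for path, ctx in REQUEST_CONTEXTS.items()}


if __name__ == "__main__":
    for name, stmt in [("pin aws:SourceVpce", DENY_UNLESS_KNOWN_VPCE),
                       ("aws:SourceVpc + aws:SourceIp", DENY_UNLESS_KNOWN_VPC_OR_IP)]:
        print(name)
        for path, verdict in evaluate(stmt).items():
            print(f"  {path:32} {verdict}")
```

The first statement shows why the page says not to rely on specific aws:SourceVpce values: the proxied Amazon S3 request never carries a service endpoint ID, only the console endpoint ID. The second statement accepts the proxied request because the console VPC is in the aws:SourceVpc list, still denies public requests from outside the expected range, and would break proxied requests the moment the console VPC ID is left out of the list.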
How different network paths are reflected in CloudTrail
Different network paths used by requests generated by your AWS Management Console are reflected in your CloudTrail event history.
For direct browser requests, using AWS Management Console Private Access doesn't change anything. CloudTrail events will include details about the connection, like the VPC endpoint ID that was used to make the service API call.
For requests that are proxied by the AWS Management Console web server, CloudTrail events will not include any VPC related details. However, the initial requests to AWS Sign-In that are required to establish the browser session, such as the AwsConsoleSignIn event type, will include the AWS Sign-In VPC endpoint ID in the event details.
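As an added example (not part of the AWS documentation), the following Python classifies CloudTrail records by the network-path evidence the section above describes: direct browser requests carry the service VPC endpoint ID, console-proxied requests carry no VPC details, and the AwsConsoleSignIn event carries the sign-in VPC endpoint ID. It then ties each principal's later console activity back to the endpoint its sign-in came through, which is the only place a proxied request's private-access path is visible. The records are constructed, minimal samples (only the fields used here: eventType, eventName, eventSource, vpcEndpointId and userIdentity.arn); the endpoint IDs and ARN are placeholders.

```python
import json

# Constructed, minimal CloudTrail records (not real events).
SAMPLE_RECORDS_JSON = """
[
  {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
   "eventSource": "signin.amazonaws.com",
   "vpcEndpointId": "vpce-0signin111111111",
   "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"}},
  {"eventType": "AwsApiCall", "eventName": "GetMetricData",
   "eventSource": "monitoring.amazonaws.com",
   "vpcEndpointId": "vpce-0cloudwatch22222",
   "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"}},
  {"eventType": "AwsApiCall", "eventName": "ListBuckets",
   "eventSource": "s3.amazonaws.com",
   "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"}}
]
"""


def classify_network_path(record):
    """Describe what a single record reveals about the request's network path."""
    if record.get("eventType") == "AwsConsoleSignIn":
        vpce = record.get("vpcEndpointId")
        return f"sign-in via {vpce}" if vpce else "sign-in via public endpoint"
    if "vpcEndpointId" in record:
        # Direct browser request: the service endpoint that received the call.
        return f"direct request via {record['vpcEndpointId']}"
    # No VPC details: either console-proxied or a direct call to a public endpoint.
    return "no VPC details (console-proxied or public path)"


def signin_endpoints(records):
    """Map each principal ARN to the VPC endpoint ID of its sign-in (None if public)."""
    result = {}
    for rec in records:
        if rec.get("eventType") == "AwsConsoleSignIn":
            result[rec["userIdentity"]["arn"]] = rec.get("vpcEndpointId")
    return result


def summarize(records):
    """For each non-sign-in record, pair its own path evidence with the
    principal's sign-in endpoint, so proxied calls can still be attributed."""
    signins = signin_endpoints(records)
    rows = []
    for rec in records:
        if rec.get("eventType") == "AwsConsoleSignIn":
            continue
        arn = rec["userIdentity"]["arn"]
        rows.append({
            "eventName": rec["eventName"],
            "eventSource": rec["eventSource"],
            "path": classify_network_path(rec),
            "session_signin_vpce": signins.get(arn),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(json.loads(SAMPLE_RECORDS_JSON)):
        print(row)
```

The ListBuckets row shows the gap a defender has to plan for: the proxied call itself carries no VPC endpoint ID, so any detection that keys on vpcEndpointId for every event will treat it as unattributed; the sign-in record is what establishes that the session was opened through the private-access endpoint.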