Can you tell me if it is possible to restrict login to the AWS Management Console from IAM Identity Center?
The issue
We are transitioning from user management in IAM to user management in IAM Identity Center.
When creating IAM users, I can choose whether to grant access to the AWS Management Console, but there is no such option when creating users in IAM Identity Center.
Can you tell me if it is possible to restrict login to the AWS Management Console from IAM Identity Center?
The solution
As of the time of writing this blog, there is no option to restrict login to the AWS Management Console when creating IAM Identity Center users.
As an alternative, you can define a policy in the permission set as follows.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:UserAgent": "aws-cli*"
        }
      }
    }
  ]
}
However, the value of the aws:UserAgent condition key used in the above policy can be set arbitrarily by the caller, so it does not strictly limit access to the AWS CLI.
This key should be used carefully. Since the aws:UserAgent value is provided by the caller in an HTTP header, unauthorized parties can use modified or custom browsers to provide any aws:UserAgent value that they choose. As a result, aws:UserAgent should not be used to prevent unauthorized parties from making direct AWS requests. You can use it to allow only specific client applications, and only after testing your policy.
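To make the behaviour of the Deny statement (and the caveat about it) concrete, here is a small policy evaluator added as an example; it is not AWS code and not a substitute for the IAM policy simulator. It models IAM's StringNotLike wildcard matching and runs the post's policy over three constructed aws:UserAgent values; the sample user agents, the helper names and the assumption that the condition key is always present in the request context are my own.

```python
import re

# The permission-set policy from the post, embedded as input for the evaluator.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringNotLike": {"aws:UserAgent": "aws-cli*"}},
    }],
}

# Constructed aws:UserAgent values (assumed, not captured from real requests).
SAMPLE_USER_AGENTS = {
    "console_browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    "real_cli": "aws-cli/2.15.0 Python/3.11.4 Linux/6.1 exe/x86_64",
    "any_client_that_sets_the_header": "aws-cli/0.0 not-really-the-cli",
}


def iam_like(pattern: str, value: str) -> bool:
    """IAM wildcard match: '*' is any run, '?' one char; '[' ']' are literal."""
    # fnmatch is avoided on purpose: it treats [...] as a character class.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def condition_matches(statement: dict, context: dict) -> bool:
    """True if every condition holds; only StringLike/StringNotLike modelled."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator not in ("StringLike", "StringNotLike"):
            raise ValueError(f"operator not modelled here: {operator}")
        for key, patterns in pairs.items():
            patterns = [patterns] if isinstance(patterns, str) else patterns
            # The condition key is assumed to be present in the context.
            matched = any(iam_like(p, context[key]) for p in patterns)
            if (operator == "StringLike") != matched:
                return False
    return True


def evaluate(policy: dict, user_agent: str) -> str:
    """'Deny' if a Deny statement applies; otherwise the Allow statements decide."""
    context = {"aws:UserAgent": user_agent}
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and condition_matches(stmt, context):
            return "Deny"
    return "NotDenied"
```

The browser user agent is denied and the real CLI is not, but the third sample shows why the post calls this a convenience rather than a control: any client that sends a header starting with "aws-cli" gets the same result as the CLI.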