@RajChowdhury240
Created February 3, 2026 16:04

How to restrict the ec2:ImportImage action to a corporate network using an IAM policy. This is an AWS security question about preventing users from importing custom images (which could contain malware, backdoors, or unauthorized software) into the corporate AWS environment.

  1. Deny the action - use a Deny effect to block ec2:ImportImage.

  2. Conditions - narrow the statement with conditions such as:

    • Source IP restrictions (corporate network CIDR ranges)
    • VPC endpoint conditions
    • Tag-based restrictions
    • Resource-based restrictions

  3. Where to apply:

    • SCP (Service Control Policy) at the organization level (most effective)
    • IAM policy attached to users, roles or groups
    • Permission boundaries

The most effective approach for a corporate network is one of:

  • Use an SCP to deny the action entirely at the organization level
  • Use IAM conditions to restrict based on source IP (corporate network CIDR ranges)
  • Restrict to specific VPC endpoints

To restrict ec2:ImportImage in a corporate network, use Service Control Policies (SCPs) at the organization level or IAM policies with source IP conditions.

Option 1: SCP (Organization-Wide Deny) - Recommended

Apply this to the OU/account to block the action entirely:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyImportImage",
      "Effect": "Deny",
      "Action": [
        "ec2:ImportImage",
        "ec2:ImportSnapshot"
      ],
      "Resource": "*"
    }
  ]
}
```

Option 2: IAM Policy with Corporate IP Restriction

Deny the actions unless the request originates from the corporate network CIDRs. The aws:ViaAWSService condition limits the deny to calls made directly by the principal, so calls that an AWS service makes on the principal's behalf (which carry the service's address, not the corporate one) are not blocked:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BlockImportImageOutsideCorp",
      "Effect": "Deny",
      "Action": [
        "ec2:ImportImage",
        "ec2:ImportSnapshot"
      ],
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "203.0.113.0/24",
            "198.51.100.0/22"
          ]
        },
        "Bool": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}
```

Option 3: VPC Endpoint Restriction

If the EC2 API is reached through VPC endpoints, deny requests whose VPC source address is outside the expected private ranges. aws:VpcSourceIp is an IP-address key, so it takes the IpAddress/NotIpAddress operators rather than string comparison; note that the key is absent for requests that do not pass through a VPC endpoint, and a negated operator on an absent key evaluates to true, so this deny also blocks non-endpoint traffic:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:ImportImage",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:VpcSourceIp": [
            "10.0.0.0/8",
            "172.16.0.0/12"
          ]
        }
      }
    }
  ]
}
```

Key Considerations

  • SCPs are the most effective control: they apply regardless of the permissions granted to the identity
  • ImportImage can bring malware or backdoors into the account - treat it as high-risk
  • Also block ec2:ImportSnapshot (an imported snapshot can be converted to an AMI)
  • If specific teams need access, carve out a tag-based exception. An Allow statement such as the one below never overrides an explicit Deny, so the Deny statement itself must exempt the tagged principals (for example with a StringNotEquals condition on the same aws:PrincipalTag/ImportAllowed key); the Allow then grants the permission to those principals:

```json
{
  "Effect": "Allow",
  "Action": "ec2:ImportImage",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:PrincipalTag/ImportAllowed": "true"
    }
  }
}
```
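The evaluation behaviour these policies rely on (explicit Deny wins, NotIpAddress on aws:SourceIp, Bool on aws:ViaAWSService, and how negated operators treat a missing key) can be checked offline. The simulator below is an added example written for this page, not the gist's or AWS's code; it models only the subset of IAM semantics the policies above use, ignores Resource, and embeds constructed policies and request contexts.

```python
import ipaddress
NEGATED = {"NotIpAddress", "StringNotEquals"}

def _cond_ok(op, key, expected, ctx):
    """One condition operator; as in IAM, a missing context key fails a positive operator and satisfies a negated one."""
    if key not in ctx:
        return op in NEGATED
    actual = ctx[key]
    values = expected if isinstance(expected, list) else [expected]
    if op in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in values)
    elif op == "Bool":
        hit = str(actual).lower() == str(values[0]).lower()
    elif op in ("StringEquals", "StringNotEquals"):
        hit = actual in values
    else:
        raise ValueError(f"unsupported operator {op}")
    return not hit if op in NEGATED else hit

def _matches(stmt, action, ctx):
    """A statement applies when the action is listed and every condition holds."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if action not in actions and "*" not in actions:
        return False
    return all(_cond_ok(op, key, val, ctx) for op, pairs in stmt.get("Condition", {}).items()
               for key, val in pairs.items())

def is_allowed(policies, action, ctx):
    """Core IAM rule: an explicit Deny wins, otherwise a matching Allow is required."""
    effects = {s["Effect"] for p in policies for s in p["Statement"] if _matches(s, action, ctx)}
    return "Deny" not in effects and "Allow" in effects

# Constructed policies (Resource omitted; the simulator ignores it): the gist's Option 2
# Deny, a broad Allow, the gist's tag-based Allow, and a Deny that exempts tagged principals.
CORP_CIDRS = ["203.0.113.0/24", "198.51.100.0/22"]
IMPORT_ACTIONS = ["ec2:ImportImage", "ec2:ImportSnapshot"]
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
DENY_OUTSIDE_CORP = {"Statement": [{"Effect": "Deny", "Action": IMPORT_ACTIONS, "Condition": {
    "NotIpAddress": {"aws:SourceIp": CORP_CIDRS}, "Bool": {"aws:ViaAWSService": "false"}}}]}
TAG_ALLOW = {"Statement": [{"Effect": "Allow", "Action": "ec2:ImportImage", "Condition": {
    "StringEquals": {"aws:PrincipalTag/ImportAllowed": "true"}}}]}
DENY_UNLESS_TAGGED = {"Statement": [{"Effect": "Deny", "Action": IMPORT_ACTIONS, "Condition": {
    "NotIpAddress": {"aws:SourceIp": CORP_CIDRS}, "Bool": {"aws:ViaAWSService": "false"},
    "StringNotEquals": {"aws:PrincipalTag/ImportAllowed": "true"}}}]}

def request(ip, via_service="false", **tags):
    """Constructed request context: source IP, aws:ViaAWSService flag and principal tags."""
    ctx = {"aws:SourceIp": ip, "aws:ViaAWSService": via_service}
    ctx.update({f"aws:PrincipalTag/{k}": v for k, v in tags.items()})
    return ctx
```

Running the pairs of policies against corporate and non-corporate source addresses shows that the tag-based Allow alone does not get a tagged principal past the Option 2 Deny, while the Deny that carries the StringNotEquals exemption does.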