AWS Identity and Access Management (IAM) introduces a new control for requests that AWS services make on your behalf

Posted on: Feb 21, 2020

Today AWS Identity and Access Management (IAM) enables you to control access for requests that AWS services make on your behalf. For example, using the new control you can grant your IAM principals the ability to launch Amazon Elastic Compute Cloud (EC2) instances, but only through AWS CloudFormation, without granting them direct access to EC2.

With this launch we are introducing a new condition that lets you define rules for the initial call your principals make to AWS without affecting the additional calls the service then makes on their behalf. For example, you can require that all initial calls to AWS come from inside your Virtual Private Cloud (VPC) or your private IP subnet, without imposing the same rule on the downstream requests the service makes to other services.

The new condition key, aws:CalledVia, is available for use with all services that make requests using your credentials. To get started with the new condition, see Global Condition Keys in the AWS documentation.
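As an added illustration (not part of the AWS announcement), the identity-based policy below applies both rules described above: EC2 instance launches are allowed only when CloudFormation makes the call, and direct calls from the principal are denied unless they arrive through the named VPC. The VPC ID is a placeholder, and the aws:ViaAWSService and aws:SourceVpc keys are assumed from the IAM global condition key documentation rather than from this post.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowStackOperations",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStacks"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowEC2OnlyViaCloudFormation",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:DescribeInstances"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["cloudformation.amazonaws.com"]
        }
      }
    },
    {
      "Sid": "DenyDirectCallsFromOutsideVpc",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        },
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-PLACEHOLDER"
        }
      }
    }
  ]
}
```

The Deny statement matches only the principal's own initial call (aws:ViaAWSService is true on the downstream calls CloudFormation makes, so they are unaffected), and because StringNotEquals evaluates to true when aws:SourceVpc is absent, calls that do not pass through a VPC endpoint are also denied.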