Shailesh Sutar

Reputation: 399

AWS IAM user permission to a specific region and to a particular server

I want to set up permissions for a newly created IAM user so that the user will be able to access only a particular EC2 instance in a given region.

For instance, I have 3 EC2 instances running in AWS us-east, i.e. N. Virginia. I want to restrict the user's rebooting, starting and stopping to only 1 EC2 server.

I wrote a policy like the one below, but it's not working. I am not sure what I am missing here.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TheseActionsSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:StopInstances",
                "ec2:StartInstances",
                "ec2:RebootInstances",
                "ec2:Describe*"
            ],
            "Resource": "arn:aws:ec2:us-east-1:accountid:instance/i-d4f1b83a"
        }
    ]
}

Thanks for your help in advance.

Upvotes: 0

Views: 3772

Answers (2)

Shailesh Sutar

Reputation: 399

I did something like this, which helped me. But still, all the resources are visible to that IAM user, which I actually don't want. Any further answers would be a great help.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances"
            ],
            "Resource": "arn:aws:ec2:us-west-1:accountid:instance/instance-id",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Name": "Test"
                }
            }
        }
    ]
}

Upvotes: 0

John Rotenstein

Reputation: 270144

Your policy works. I tested it and successfully used it to start only specific instances.

Some things to note:

  • In your Resource section, be sure to substitute accountid for your own 12-digit Account ID (available in your Billing/Account page)
  • IAM only supports a limited number of resource-specific API calls. Stop, Start and Reboot are included, but the Describe calls are not resource-specific.

IAM policies can be tested via the Simulate Policy link next to a policy definition, which links to the Policy Simulator. This is a great tool for debugging permission issues.

Upvotes: 2
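A small evaluator, added here as an example and not code from either answer, that models the two rules discussed above: resource-level scoping of Start/Stop/Reboot to one instance ARN plus a tag condition, and Describe* only matching a Resource of "*" because those calls are not resource-specific. The account ID, instance IDs and tag value are constructed placeholders.

```python
import fnmatch
import json

# Constructed example policy (not from the question or answers): Describe* on "*",
# instance-level actions scoped to one instance ARN plus a Name-tag condition.
# Account ID and instance IDs are placeholders.
TARGET = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
OTHER = "arn:aws:ec2:us-east-1:111122223333:instance/i-0fedcba9876543210"
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
     "Resource": "%s",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Name": "Test"}}}
  ]
}""" % TARGET)
# Same shape as the original question's policy: Describe* tied to an instance ARN.
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": TARGET,
     "Action": ["ec2:StopInstances", "ec2:StartInstances",
                "ec2:RebootInstances", "ec2:Describe*"]}]}

# Per the answer, Describe calls are not resource-specific: IAM evaluates them
# against "*", so a statement whose Resource is an instance ARN never matches.
NOT_RESOURCE_LEVEL = ("ec2:Describe",)

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action, resource, tags=None):
    """Simplified allow-only evaluation (no explicit Deny, only the
    ec2:ResourceTag/* StringEquals keys); enough to show the scoping rules."""
    tags = tags or {}
    if action.startswith(NOT_RESOURCE_LEVEL):
        resource = "*"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if all(tags.get(key.split("/", 1)[1]) == want
               for key, want in cond.items() if key.startswith("ec2:ResourceTag/")):
            return True
    return False
```

With BAD_POLICY, DescribeInstances is refused while the three instance actions still work, which is why the first policy seemed broken; the real service also needs the literal accountid replaced as the answer notes.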
