Reputation: 9076
AWS: How to secure VPC admin to a single IAM user
I have created a VPC with the bare minimum of information: the VPC name, CIDR block, and default tenancy type. I then created a policy to administer the VPC and added it to a newly created user. My plan was to then log in as that user and complete the VPC setup, including subnets, EC2 instances, RDS, routing, etc.
The problem is that when I log in the user has no authority at all. They are not authorised for any EC2 or VPC services. I can not even see the VPC that I have created. Presumably there is something wrong with my policy. Here it is:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws:ec2:ap-southeast-2:999999999999:vpc/vpc-99999999"
}
]
}
(Obviously that's not the real account number or VPC ID.)
Do I just need an additional permission to the IAM service? If so, what is it? Or is it more complex than that?
Upvotes: 0
Views: 368
Answers (1)
Reputation: 12876
It's not clear what permissions you exactly wish to provide. However, the following will give you a large amount of access, localized to the specific VPC you wish to administer.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"
}
}
}
]
}
(Update region, account, and vpc id in the above)
Upvotes: 2
Related Questions
- How to create an IAM user with full access except for admin
- Group policy allowing single user control of an EC2 instance?
- Restrict IAM users to a single VPC
- AWS IAM Policy - Restrict VPC Tenancy
- AWS VPC: restricting user to create/delete its own VPC
- IAM policy to restrict users to instances in a specific VPC
- Using shared security group between VPC and EC2
- How can i create admin for specific aws vpc
- assign IAM user to access only one EC2 instance
- How to allow AWS user to start instances only in one VPC by ID or TAG?