user3046913

Reputation: 93

IAM Policy for AWS EC2 start/stop instance

I want a user to be able to log in to an AWS account and start and stop ONE specific EC2 instance. So far I found out that ec2 describe only works with a catch-all star "*" in the resources. The user can log in and sees all the instances, BUT he can't start or stop the instance because a permission denied error shows up :(

This is my policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TheseActionsDontSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "TheseActionsSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:eu-central-1a:MY_ACCOUNT_ID:instance/MY_INSTANCE_ID"
        }
    ]
}

Upvotes: 5

Views: 13678
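An added check, not part of the question: a small linter for the instance ARNs in a policy document. An EC2 instance ARN has the shape arn:partition:ec2:region:account-id:instance/instance-id, where the region field must hold a region name such as eu-central-1; an availability zone such as eu-central-1a (region plus a trailing letter) in that field makes the ARN match nothing, so the Allow never applies. The policy embedded below is the one from the question, copied in as sample input; its MY_ACCOUNT_ID and MY_INSTANCE_ID placeholders are flagged as well because they are not a 12-digit account id or an i-... instance id.

```python
import re

# Region names look like "eu-central-1"; an availability zone adds a trailing
# letter ("eu-central-1a"). The region field of an ARN must hold the region.
REGION_RE = re.compile(r"^[a-z]{2}(?:-gov)?-[a-z]+-\d$")
AZ_RE = re.compile(r"^[a-z]{2}(?:-gov)?-[a-z]+-\d[a-z]$")
ACCOUNT_RE = re.compile(r"^\d{12}$")
# Instance ids are "i-" followed by 8 (legacy) or 17 hex characters.
INSTANCE_RE = re.compile(r"^i-[0-9a-f]{8}(?:[0-9a-f]{9})?$")

# The policy from the question, embedded here as sample input for the linter.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TheseActionsDontSupportResourceLevelPermissions",
         "Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Sid": "TheseActionsSupportResourceLevelPermissions",
         "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:StopInstances", "ec2:StartInstances"],
         "Resource": "arn:aws:ec2:eu-central-1a:MY_ACCOUNT_ID:instance/MY_INSTANCE_ID"},
    ],
}


def lint_ec2_instance_arn(arn):
    """Return a list of problems found in one EC2 instance ARN (empty if clean)."""
    problems = []
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "ec2":
        return [f"{arn}: not of the form arn:partition:ec2:region:account:resource"]
    _, _, _, region, account, resource = parts
    if AZ_RE.match(region):
        problems.append(f"{arn}: region field '{region}' is an availability zone; "
                        f"use '{region[:-1]}'")
    elif not REGION_RE.match(region):
        problems.append(f"{arn}: region field '{region}' is not a region name")
    if not ACCOUNT_RE.match(account):
        problems.append(f"{arn}: account field '{account}' is not a 12-digit account id")
    if not resource.startswith("instance/"):
        problems.append(f"{arn}: resource is not instance/<id>")
    else:
        inst = resource[len("instance/"):]
        if inst != "*" and not INSTANCE_RE.match(inst):
            problems.append(f"{arn}: instance id '{inst}' is not of the form i-<hex>")
    return problems


def lint_policy(policy):
    """Lint every non-wildcard Resource ARN of every statement in a policy document."""
    findings = []
    for stmt in policy.get("Statement", []):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            if arn == "*":
                continue  # a bare wildcard has no fields to check
            findings.extend(lint_ec2_instance_arn(arn))
    return findings


if __name__ == "__main__":
    for finding in lint_policy(QUESTION_POLICY):
        print(finding)
```

Run it before attaching a policy: an empty result means every ARN is at least well-formed, which rules out the silent no-match failure mode before you start looking at the actions and condition keys.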

Answers (2)

Zubair Ahmed

Reputation: 49

Let me provide a working example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances"
            ],
            "Resource": [
                "arn:aws:ec2:ap-south-1:222222222222:instance/i-02222222222222ddb",
                "arn:aws:ec2:ap-south-1:222222222222:security-group/sg-022222222abc"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Name": "my.dev-server.com"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroupRules",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeSecurityGroups",
                "ec2:ModifySecurityGroupRules",
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": "*"
        }
    ]
}

I found this link also useful in understanding this answer.

Upvotes: 2

mickzer

Reputation: 6338

The answer is, you can't.

The ec2:StopInstances, ec2:StartInstances and ec2:TerminateInstances actions do indeed support resource-level permissions, but not for the condition key of instance id. They support the condition keys:

  • ec2:AvailabilityZone
  • ec2:EbsOptimized
  • ec2:InstanceProfile
  • ec2:InstanceType
  • ec2:PlacementGroup
  • ec2:Region
  • ec2:ResourceTag/tag-key
  • ec2:RootDeviceType
  • ec2:Tenancy

This is highlighted in the documentation here. (Search for the API calls on the page)

The only potentially useful condition key is ec2:ResourceTag/tag-key. You could add a resource tag on the particular instance and allow the user permission to call these 3 API calls on instances with that tag.

However, unless you had the API calls related to tags denied, there would be nothing to stop the user adding the tag to another instance, and performing the API calls on that instance too. You'd need to establish if denying tagging suits your situation.

Hope this helps.

Upvotes: 6
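The tag-scoped approach this answer describes, together with the explicit Deny on the tagging calls it says you would need, as an added example that is not part of the answer. build_policy produces the policy document; is_allowed is a deliberately small local model of IAM evaluation (an explicit Deny wins, otherwise any matching Allow, otherwise implicit deny) that only understands Action/Resource wildcards and StringEquals on ec2:ResourceTag/<key>, so it is an aid for reasoning about this policy shape, not the AWS policy simulator. The account id, tag key and value, instance ids and the TAG_ADMIN policy are constructed placeholders.

```python
import fnmatch


def build_policy(region, account, tag_key, tag_value, deny_tagging=True):
    """Describe* on everything, start/stop/terminate only on instances carrying
    tag_key=tag_value, and (optionally) an explicit Deny on the tagging calls so
    the user cannot move the tag onto another instance."""
    statements = [
        {"Sid": "DescribeAll", "Effect": "Allow",
         "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Sid": "ManageTaggedInstance", "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
         "Resource": f"arn:aws:ec2:{region}:{account}:instance/*",
         "Condition": {"StringEquals": {f"ec2:ResourceTag/{tag_key}": tag_value}}},
    ]
    if deny_tagging:
        statements.append({"Sid": "NoTagChanges", "Effect": "Deny",
                           "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
                           "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policies, action, resource_arn, resource_tags):
    """Local model of IAM evaluation across all policies attached to the user:
    explicit Deny > Allow > implicit deny. Only Action/Resource wildcards and
    StringEquals on ec2:ResourceTag/<key> conditions are modelled."""
    decision = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
                continue
            conds = stmt.get("Condition", {}).get("StringEquals", {})
            # Every ec2:ResourceTag/<key> condition must match a tag on the resource.
            if not all(resource_tags.get(k.split("/", 1)[1]) == v for k, v in conds.items()):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny always wins
            decision = True
    return decision


# Constructed placeholders for a walk-through of the two scenarios.
ACCOUNT = "123456789012"
TARGET = f"arn:aws:ec2:eu-central-1:{ACCOUNT}:instance/i-0aaaaaaaaaaaaaaaa"
OTHER = f"arn:aws:ec2:eu-central-1:{ACCOUNT}:instance/i-0bbbbbbbbbbbbbbbb"
# A second policy the same user might have from elsewhere that grants tagging.
TAG_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "*"}]}

if __name__ == "__main__":
    scoped = build_policy("eu-central-1", ACCOUNT, "Role", "dev-box")
    print("start tagged instance:", is_allowed([scoped], "ec2:StartInstances", TARGET, {"Role": "dev-box"}))
    print("start untagged instance:", is_allowed([scoped], "ec2:StartInstances", OTHER, {}))
    loose = build_policy("eu-central-1", ACCOUNT, "Role", "dev-box", deny_tagging=False)
    print("can retag without the Deny:", is_allowed([loose, TAG_ADMIN], "ec2:CreateTags", OTHER, {}))
    print("can retag with the Deny:", is_allowed([scoped, TAG_ADMIN], "ec2:CreateTags", OTHER, {}))
```

The last two lines are the point of the answer's caveat: with deny_tagging=False, any other policy that happens to grant ec2:CreateTags lets the user put the tag on a second instance and then start or stop it; with the explicit Deny in place that grant is overridden no matter where it comes from.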
