Ajeet Khan

Reputation: 9190

IAM policy to restrict users to instances in a specific VPC

I am trying to make an IAM policy to restrict user access to all the instances in a specific VPC. The following is the policy I made, but it is not working.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1450441260778",
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "arn:aws:ec2:region:Account_num:vpc/vpc-id"
        }
    ]
}

I have filled the corresponding account_num and vpc-id in the policy.

Upvotes: 12

Views: 6750

Answers (2)

captainblack

Reputation: 4425

There are certain permissions that can't be applied to a specific resource. These permissions will show an error when you check the policy in IAM.

In order to restrict a user to a specific VPC and allow all EC2 actions, the following policy can help you in achieving that:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NonResourceBasedReadOnlyPermissions",
            "Action": [
                "ec2:Describe*",
                "ec2:CreateKeyPair",
                "ec2:CreateSecurityGroup",
                "iam:GetInstanceProfiles",
                "iam:ListInstanceProfiles"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "IAMPassroleToInstance",
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::123456789012:role/VPCLockDown"
        },
        {
            "Sid": "AllowInstanceActions",
            "Effect": "Allow",
            "Action": [
                "ec2:RebootInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:StartInstances",
                "ec2:AttachVolume",
                "ec2:DetachVolume"
            ],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceProfile": "arn:aws:iam::123456789012:instance-profile/VPCLockDown"
                }
            }
        },
        {
            "Sid": "EC2RunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceProfile": "arn:aws:iam::123456789012:instance-profile/VPCLockDown"
                }
            }
        },
        {
            "Sid": "EC2RunInstancesSubnet",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:subnet/*",
            "Condition": {
                "StringEquals": {
                    "ec2:vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-7bcd371e"
                }
            }
        },
        {
            "Sid": "RemainingRunInstancePermissions",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:us-east-1:123456789012:volume/*",
                "arn:aws:ec2:us-east-1::image/*",
                "arn:aws:ec2:us-east-1::snapshot/*",
                "arn:aws:ec2:us-east-1:123456789012:network-interface/*",
                "arn:aws:ec2:us-east-1:123456789012:key-pair/*",
                "arn:aws:ec2:us-east-1:123456789012:security-group/*"
            ]
        },
        {
            "Sid": "EC2VpcNonresourceSpecificActions",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteNetworkAcl",
                "ec2:DeleteNetworkAclEntry",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-7bcd371e"
                }
            }
        }
    ]
}

In order to understand in detail what each statement is doing, I would recommend reading this blog from AWS. This policy allows the user to:

  • Sign in to the AWS Management Console and go to the Amazon EC2 console.
  • Launch an EC2 instance as long as they:
      • Specify a subnet in the proper VPC.
      • Specify the allowed instance profiles.
  • Start/stop/reboot/terminate/attach volume/detach volume on an instance as long as they:
      • Specify an instance launched with the proper instance profiles.
  • Delete security groups, routes, route tables, network ACLs, and ACL entries as well as authorize and revoke security group ingress and egress rules, as long as they are in the proper VPC.

Upvotes: 2
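To make the difference between the question's policy and captainblack's concrete, here is a small constructed evaluator (example code added here, not from the thread or from AWS) that models only the parts of IAM these policies rely on: wildcard Action/Resource matching, StringEquals conditions and explicit-deny precedence. The VPC ARN is the one in the answer's policy; the instance, subnet and second VPC ARNs are constructed.

```python
import fnmatch

# Constructed mini-evaluator for the IAM logic in this thread (not AWS's engine): a statement
# applies only if Action, Resource and Condition all match; explicit Deny wins, else any Allow.
def _as_list(x):
    return x if isinstance(x, list) else [x]

def _any_match(patterns, value, fold_case):
    # IAM-style '*' wildcards; action names are case-insensitive, resource ARNs are not.
    v = value.lower() if fold_case else value
    return any(fnmatch.fnmatchcase(v, p.lower() if fold_case else p) for p in _as_list(patterns))

def _condition_ok(cond, context):
    # Only StringEquals is modelled, which is all the thread's policies use; a missing key fails.
    return all(context.get(k) in _as_list(v) for k, v in cond.get("StringEquals", {}).items())

def is_allowed(policy, action, resource, context=None):
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not (_any_match(stmt["Action"], action, True)
                and _any_match(stmt["Resource"], resource, False)
                and _condition_ok(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

VPC = "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-7bcd371e"  # VPC ARN from captainblack's policy
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0example"  # constructed instance ARN
SUBNET = "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0example"  # constructed subnet ARN

# The question's policy: Allow ec2:* but only on the VPC ARN itself.
QUESTION_POLICY = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": VPC}]}

# The EC2RunInstancesSubnet statement from captainblack's answer: any subnet, but only when
# the request's ec2:vpc context key names the locked-down VPC.
SUBNET_POLICY = {"Statement": [{"Effect": "Allow", "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:us-east-1:123456789012:subnet/*",
    "Condition": {"StringEquals": {"ec2:vpc": VPC}}}]}

def demo():
    other_vpc = VPC.replace("vpc-7bcd371e", "vpc-0other")  # constructed second VPC ARN
    return {
        # Why the question's policy fails: an instance ARN never matches a vpc/... resource.
        "question_start_instance": is_allowed(QUESTION_POLICY, "ec2:StartInstances", INSTANCE),
        "subnet_in_vpc": is_allowed(SUBNET_POLICY, "ec2:RunInstances", SUBNET, {"ec2:vpc": VPC}),
        "subnet_other_vpc": is_allowed(SUBNET_POLICY, "ec2:RunInstances", SUBNET, {"ec2:vpc": other_vpc}),
    }
```

The same `is_allowed` can be pointed at the full policy in the answer to check each Sid's reach before it is attached to a real user.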

Ankit Kulkarni

Reputation: 1335

You want to restrict the user access and you have used the allow attribute, which will give permission to access the instance. Is that the desired behavior?

If you really want to restrict, try "Effect": "Deny" in the same policy.

However, if you want to give access to certain users, here's how you can do it.

The following policy works well for me in that case. I use it for the developers to restrict the access to start/stop the instances. You can add as many permissions as you want in the second block.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances*",
                "ec2:StopInstances*"
            ],
            "Resource": "arn:aws:ec2:ap-southeast-1:ACCOUNT_ID:instance/i-32ds2a29"
        }
    ]
}

ap-southeast-1 is the region in my case. To control an instance in a specific VPC you can simply use its ID. There is no separate ARN for vpc+instance_id; instead you can use arn:aws:ec2:region:account-id:instance/instance-id as the ARN; refer to this.

Similarly, you can use the same policy to restrict the users in a specific VPC by using arn:aws:ec2:region:account-id:vpc/vpc-id as the ARN, adding Action ec2:* and Deny in Effect.

Upvotes: 3
