Pratik C

Reputation: 53

Restrict EC2 permissions for an IAM user to use an AMI

I am the root owner of an AWS account with a couple of private AMIs and volumes. I would like IAM users that are a part of my account to not have access to these, but still be able to create their own AMIs, snapshots and volumes. I could not figure out how to do this via the web interface. I would love some help to do so!

Upvotes: 0

Views: 671

Answers (1)

John Rotenstein

Reputation: 269091

There are two basic approaches to doing this.

Restrict the Allow

To start with, users have no permissions to do anything. You then grant permissions for what they can do.

When you grant them permission to RunInstances, you can specify that they cannot use the AMI (via NotResource):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow running instances except from the private AMI",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "NotResource": [
                "arn:aws:ec2:us-east-1::image/ami-abcd1234"
            ]
        }
    ]
}

Add a Deny

Alternatively, you could grant them permissions as you currently do but then Deny them access to the AMI. A Deny always overrides an Allow:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Deny running an instance",
            "Effect": "Deny",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1::image/ami-abcd1234"
            ]
        }
    ]
}

Upvotes: 3
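A quick way to check how the two policies above behave before attaching them, as an added example that is not the answerer's code: a small Python stand-in for IAM's evaluation logic (explicit Deny wins, then any Allow, else implicit deny; NotResource means "every resource except these"), run over the answer's private-AMI ARN. The broad `ec2:*` grant, the second AMI ARN and the instance ARN are constructed assumptions, not values from the page.

```python
import fnmatch

PRIVATE_AMI = "arn:aws:ec2:us-east-1::image/ami-abcd1234"   # ARN from the answer
OWN_AMI = "arn:aws:ec2:us-east-1::image/ami-0123abcd"       # constructed: a user's own AMI
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/*"  # constructed: instance ARN RunInstances also checks

# Approach 1 from the answer: Allow RunInstances on everything except the private AMI.
RESTRICTED_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances"], "NotResource": [PRIVATE_AMI]}]}

# Approach 2: a broad grant (constructed stand-in for the users' current
# permissions) plus the answer's explicit Deny on the private AMI.
BROAD_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]}]}
EXPLICIT_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["ec2:RunInstances"], "Resource": [PRIVATE_AMI]}]}

def _matches(patterns, value):
    # IAM wildcards '*' and '?'; matching simplified here to case-insensitive for both actions and ARNs.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def _applies(stmt, action, resource):
    if not _matches(stmt["Action"], action):
        return False
    if "Resource" in stmt:
        return _matches(stmt["Resource"], resource)
    return not _matches(stmt["NotResource"], resource)  # NotResource: every resource but these

def _decide_one(policies, action, resource):
    # IAM order: an explicit Deny wins outright, then any Allow, else implicit deny.
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "explicitDeny"
                decision = "allowed"
    return decision

def decide(policies, action, resources):
    # ec2:RunInstances is authorised against every resource the call touches
    # (image, instance, volume, ...); one Deny or one missing Allow fails the whole call.
    results = [_decide_one(policies, action, r) for r in resources]
    if "explicitDeny" in results:
        return "explicitDeny"
    return "allowed" if all(r == "allowed" for r in results) else "implicitDeny"
```

With either approach a launch from the private AMI is refused while a launch from the user's own AMI goes through; the broad grant on its own would have allowed the private AMI, which is why the Deny statement is needed in the second approach.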
