
Limiting Instance Type and Request Region in AWS

I have a case where I want to limit the creation of EC2 instances to the following conditions:

I created the following EC2 Policies:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateDhcpOptions",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:ModifyVolumeAttribute",
                "ec2:ReplaceRouteTableAssociation",
                "ec2:DeleteVpcEndpoints",
                "ec2:CreateKeyPair",
                "ec2:ResetInstanceAttribute",
                "ec2:AttachInternetGateway",
                "ec2:ReportInstanceStatus",
                "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
                "ec2:DeleteRouteTable",
                "ec2:ModifySpotFleetRequest",
                "ec2:ModifySnapshotAttribute",
                "ec2:DeleteVpnGateway",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:DeleteInternetGateway",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:CreateReservedInstancesListing",
                "ec2:CancelExportTask",
                "ec2:BundleInstance",
                "ec2:ImportKeyPair",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:AssignPrivateIpAddresses",
                "ec2:DisassociateRouteTable",
                "ec2:CreateVolume",
                "ec2:ReplaceNetworkAclAssociation",
                "ec2:CreateVpcEndpointServiceConfiguration",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:CancelSpotInstanceRequests",
                "ec2:DetachVpnGateway",
                "ec2:CreateDefaultVpc",
                "ec2:DeleteDhcpOptions",
                "ec2:DeleteNatGateway",
                "ec2:CreateSubnet",
                "ec2:ModifyVpcEndpoint",
                "ec2:DeleteNetworkAclEntry",
                "ec2:CreateVpnConnection",
                "ec2:DeleteSpotDatafeedSubscription",
                "ec2:DisassociateAddress",
                "ec2:ModifyVpcEndpointServicePermissions",
                "ec2:ImportVolume",
                "ec2:MoveAddressToVpc",
                "ec2:CreateNatGateway",
                "ec2:ModifyFleet",
                "ec2:RunScheduledInstances",
                "ec2:ModifyIdentityIdFormat",
                "ec2:CreateVpc",
                "ec2:RequestSpotFleet",
                "ec2:ModifyImageAttribute",
                "ec2:ReleaseHosts",
                "ec2:ModifySubnetAttribute",
                "ec2:CreateDefaultSubnet",
                "ec2:CreateSpotDatafeedSubscription",
                "ec2:CreateSnapshot",
                "ec2:DeleteLaunchTemplateVersions",
                "ec2:DeleteNetworkAcl",
                "ec2:ModifyReservedInstances",
                "ec2:ReleaseAddress",
                "ec2:CreateInstanceExportTask",
                "ec2:DeleteLaunchTemplate",
                "ec2:AssociateDhcpOptions",
                "ec2:ModifyInstancePlacement",
                "ec2:AssignIpv6Addresses",
                "ec2:ImportInstance",
                "ec2:AttachVpnGateway",
                "ec2:AcceptVpcEndpointConnections",
                "ec2:ModifyFpgaImageAttribute",
                "ec2:ResetSnapshotAttribute",
                "ec2:CancelConversionTask",
                "ec2:ImportSnapshot",
                "ec2:CreateVpnConnectionRoute",
                "ec2:DisassociateSubnetCidrBlock",
                "ec2:DeleteVpcEndpointConnectionNotifications",
                "ec2:CreateLaunchTemplate",
                "ec2:RestoreAddressToClassic",
                "ec2:DeleteCustomerGateway",
                "ec2:EnableVgwRoutePropagation",
                "ec2:DisableVpcClassicLink",
                "ec2:DisableVpcClassicLinkDnsSupport",
                "ec2:AllocateHosts",
                "ec2:ModifyVpcTenancy",
                "ec2:CancelImportTask",
                "ec2:ModifyIdFormat",
                "ec2:ConfirmProductInstance",
                "ec2:DeleteFlowLogs",
                "ec2:CopySnapshot",
                "ec2:DeleteSubnet",
                "ec2:ModifyVpcEndpointServiceConfiguration",
                "ec2:UnmonitorInstances",
                "ec2:MonitorInstances",
                "ec2:DeleteVpcPeeringConnection",
                "ec2:AcceptVpcPeeringConnection",
                "ec2:CreateImage",
                "ec2:PurchaseHostReservation",
                "ec2:CopyImage",
                "ec2:DisableVgwRoutePropagation",
                "ec2:AssociateVpcCidrBlock",
                "ec2:ReplaceRoute",
                "ec2:RejectVpcPeeringConnection",
                "ec2:AssociateRouteTable",
                "ec2:DisassociateVpcCidrBlock",
                "ec2:DeleteVolume",
                "ec2:CreatePlacementGroup",
                "ec2:ReplaceNetworkAclEntry",
                "ec2:ModifyVpcPeeringConnectionOptions",
                "ec2:CreateVpnGateway",
                "ec2:UnassignIpv6Addresses",
                "ec2:ImportImage",
                "ec2:DeleteVpnConnection",
                "ec2:CreateVpcPeeringConnection",
                "ec2:RejectVpcEndpointConnections",
                "ec2:EnableVpcClassicLink",
                "ec2:PurchaseScheduledInstances",
                "ec2:ModifyVolume",
                "ec2:ResetImageAttribute",
                "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
                "ec2:CreateVpcEndpointConnectionNotification",
                "ec2:ResetNetworkInterfaceAttribute",
                "ec2:RegisterImage",
                "ec2:CreateRouteTable",
                "ec2:DeleteNetworkInterface",
                "ec2:CreateFleet",
                "ec2:DetachInternetGateway",
                "ec2:CreateCustomerGateway",
                "ec2:ModifyHosts",
                "ec2:ModifyVpcEndpointConnectionNotification",
                "ec2:EnableVolumeIO",
                "ec2:CreateFlowLogs",
                "ec2:AssociateSubnetCidrBlock",
                "ec2:DeleteVpc",
                "ec2:CreateEgressOnlyInternetGateway",
                "ec2:AssociateAddress",
                "ec2:DeleteKeyPair",
                "ec2:CancelBundleTask",
                "ec2:DeregisterImage",
                "ec2:DeleteSnapshot",
                "ec2:PurchaseReservedInstancesOffering",
                "ec2:DeleteTags",
                "ec2:RequestSpotInstances",
                "ec2:CancelSpotFleetRequests",
                "ec2:DeleteFleets",
                "ec2:DeleteVpcEndpointServiceConfigurations",
                "ec2:DeleteFpgaImage",
                "ec2:DeleteNetworkInterfacePermission",
                "ec2:CreateSecurityGroup",
                "ec2:CreateNetworkAcl",
                "ec2:ModifyVpcAttribute",
                "ec2:ModifyInstanceAttribute",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DeleteEgressOnlyInternetGateway",
                "ec2:DetachNetworkInterface",
                "ec2:DeletePlacementGroup",
                "ec2:DeleteRoute",
                "ec2:CopyFpgaImage",
                "ec2:AllocateAddress",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:DeleteVpnConnectionRoute",
                "ec2:ModifyInstanceCreditSpecification",
                "ec2:CreateVpcEndpoint",
                "ec2:DeleteSecurityGroup",
                "ec2:CreateFpgaImage",
                "ec2:AcceptReservedInstancesExchangeQuote",
                "ec2:ModifyLaunchTemplate",
                "ec2:AttachNetworkInterface",
                "ec2:EnableVpcClassicLinkDnsSupport",
                "ec2:CancelReservedInstancesListing",
                "ec2:CreateNetworkAclEntry",
                "ec2:ResetFpgaImageAttribute"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:RequestedRegion": "eu-central-1"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:DetachVolume",
                "ec2:AttachVolume",
                "ec2:RebootInstances",
                "ec2:AttachClassicLinkVpc",
                "ec2:TerminateInstances",
                "ec2:DetachClassicLinkVpc",
                "ec2:CreateTags",
                "ec2:RunInstances",
                "ec2:StopInstances",
                "ec2:ReplaceIamInstanceProfileAssociation",
                "ec2:StartInstances",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:AssociateIamInstanceProfile"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:RequestedRegion": "eu-central-1",
                    "ec2:InstanceType": [
                        "*.nano",
                        "*.small",
                        "*.micro",
                        "*.medium",
                        "t2.large"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        }
    ]
}

I get the following error whenever I try to launch any kind of instance, whether one of the types listed above or any other type:

Launch Failed
You are not authorized to perform this operation.
Creating security groups Successful (sg-0f49c6462ba8c1f3b)
Authorizing inbound rules Successful
Initiating launches  Failure


The only Actions that would need to be restricted by Instance Type would be RunInstances (to launch instances) and ModifyInstanceAttribute (to change an instance type). This also explains the failure: RunInstances is authorized against several resource types besides the instance (image, subnet, security group, network interface, volume, key pair), and the `ec2:InstanceType` condition key is only present when the instance resource is evaluated, so an Allow statement on `"Resource": "*"` that requires that key never matches for the other resources and the launch falls through to the implicit deny.

You are welcome to grant all other permissions unrestricted by instance type, but restricted by region.

From Amazon EC2: Allows Full EC2 Access Within a Specific Region, Programmatically and in the Console - AWS Identity and Access Management:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:*",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ec2:Region": "<REGION>"
                }
            }
        }
    ]
}

Easier way to control access to AWS regions using IAM policies | AWS Security Blog also shows another way:

    {
        "Effect": "Allow",
        "Action": [
            "ec2:*"
        ],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-central-1"}}

    },

I'm not sure which one is better to use.

Then, to stop users from launching unwanted instance types, add a Deny statement; an explicit Deny always takes precedence over any Allow, so it overrides the region-scoped Allow above.

From Limiting Allowed AWS Instance Type With IAM Policy (which uses wildcards to allow-list the permitted instance types and denies everything else; note that the Deny is scoped to the instance ARN, which is the resource on which `ec2:InstanceType` is evaluated):

    {
        "Sid": "limitedSize",
        "Effect": "Deny",
        "Action": ["ec2:RunInstances", "ec2:ModifyInstanceAttribute"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {
            "ForAnyValue:StringNotLike": {
                "ec2:InstanceType": [
                    "*.nano",
                    "*.small",
                    "*.micro",
                    "*.medium"
                ]
            }
        }
    }

Or, from How to restrict by regions and instance types in AWS with IAM – : : blyx.com : : Blog : : Toni de la Fuente (which instead lists the instance types that are not allowed; such a deny-list does not cover instance types introduced later, and the trailing comma after `"ec2:ModifyInstanceAttribute"` in the listing below must be removed before IAM will accept the policy):

{
    "Sid": "OnlyAllowCertainInstanceTypesToBeCreated",
    "Effect": "Deny",
    "Action": [
        "ec2:RunInstances",
        "ec2:ModifyInstanceAttribute",
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "ec2:InstanceType": [
                "m2.xlarge",
                "cg1.4xlarge",
                "c3.4xlarge"
            ]
        }
    }
}
