Reputation: 139
Access to IAM users for EC2 Instance Connect
How can I restrict the user from connecting to my Linux instance using EC2 Instance Connect?
I have tried to set policy and attach users to connect for my newly created Amazon Linux 2 instance using EC2 Instance Connect:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "ec2-instance-connect:SendSSHPublicKey",
"Resource": "arn:aws:ec2:eu-west-2:111122223333:instance/*"
},
{
"Effect": "Allow",
"Action": [
"ec2-instance-connect:SendSSHPublicKey",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": [
"arn:aws:ec2:us-east-1:111122223333:instance/*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Owner": "Bob"
}
}
}
]
}
But, it doesn't seem to work.
Presently the newly created instance can be accessed by everyone.
So, I want to set a policy to that particular instance that only the specified IAM users can access it and others cannot.
Is there a way to achieve this?
Upvotes: 1
Views: 6364
Answers (1)
Reputation: 270039
Your Deny policy is overriding your Allow policy.
Your statements are saying:
- Do not allow this user to use EC2 Instance Connect on any instance
- Allow this user to use EC2 Instance Connect on any instance with the given tag
However, Deny always beats Allow.
You could simply remove your Deny policy. This would grant permission for EC2 Instance Connect only to the tagged instances (assuming that the user has not also been given permission elsewhere).
Upvotes: 5
Related Questions
- How to assign IAM role to users or groups
- AWS: How to give an IAM user access to an EC2 instance
- Login as IAM User using AWS SDK
- Create an IAM user to give access to perform certain tasks in AWS EC2
- AccessDenied for EC2 Instance with attached IAM Role
- How to manage multiple IAM users on a single EC2 instance?
- IAM access to EC2 REST API?
- Can't see IAM user instances in AWS
- assign IAM user to access only one EC2 instance
- How can I allow a single user to have access of an ec2 instance in AWs console using IAM