Reputation: 1343
I am creating an IAM policy to grant access to third-party developers so that they can connect to EC2 instances in a private subnet via ec2-instance-connect.
The developers should only be able to connect to specific instances via ec2-instance-connect. How can I implement the policy?
My policy is below:
AWSTemplateFormatVersion: 2010-09-09
Description: Template for API functionality xxxxx
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Environment basic parameters
        Parameters:
          - Env
          - AccountID
    ParameterLabels:
      Env:
        default: Environment ID
      AccountID:
        default: Account ID
Parameters:
  Env:
    Description: Unique environment.
    Type: String
    Default: lab
  AccountID:
    Description: Account ID.
    Type: String
    Default: 11113333444455
Resources:
  SiteManagementRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub 'Role-${Env}'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: default
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AccountID}:root'
            Action: 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: !Sub 'Policy-${Env}'
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: VisualEditor0
                Effect: Allow
                Action:
                  - 'ec2-instance-connect:SendSSHPublicKey'
                Resource: '*'
              - Sid: VisualEditor1
                Effect: Allow
                Action:
                  - 'ec2:DescribeImages'
                  - 'ec2:DescribeInstances'
                  - 'ec2:DescribeTags'
                  - 'ec2:DescribeInstanceAttribute'
                  - 'ec2:DescribeInstanceTypes'
                  - 'ec2:DescribeInstanceStatus'
                Resource: '*'
                # Condition:
                #   StringEquals:
                #     'ec2:ResourceTag/Env': !Sub '${Env}'
              - Sid: VisualEditor2
                Effect: Allow
                Action:
                  - 'logs:ListTagsLogGroup'
                  - 'logs:GetLogRecord'
                  - 'logs:DescribeLogGroups'
                  - 'logs:DescribeLogStreams'
                  - 'logs:StartQuery'
                  - 'logs:StopQuery'
                  - 'logs:TestMetricFilter'
                  - 'logs:GetLogDelivery'
                  - 'logs:GetQueryResults'
                  - 'logs:GetLogEvents'
                  - 'logs:FilterLogEvents'
                  - 'logs:GetLogGroupFields'
                Resource: '*'
I need to apply an access restriction based on tags, but there should be a better way to do this that will restrict developers to connecting to specific instances.
Here:
Action:
  - 'ec2-instance-connect:SendSSHPublicKey'
Resource: '*'   <--- I don't want it to be *
Please help.
Thanks in advance
Upvotes: 0
Views: 4767
Reputation: 881
AWS now has a guide that gives an example policy restricting permission only to instances with a specific tag:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "arn:aws:ec2:region:account-id:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/tag-key": "tag-value"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }
  ]
}
Upvotes: 0
Reputation: 269101
From Set Up EC2 Instance Connect - Amazon Elastic Compute Cloud:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": [
        "arn:aws:ec2:region:account-id:instance/i-1234567890abcdef0",
        "arn:aws:ec2:region:account-id:instance/i-0598c7d356eba48d7"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:osuser": "ami-username"
        }
      }
    }
  ]
}
The above policy will restrict access to specific instances and specific usernames. I'm not sure if the instances can be identified by Tag. You'll need to do some experimenting.
Upvotes: 3
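The two answers each show one half of the restriction: the first scopes SendSSHPublicKey to instances carrying a tag (aws:ResourceTag/…), the second pins it to explicit instance ARNs and an OS user (ec2:osuser). The two conditions can be combined in one statement, and the result can be checked before anyone is granted the role. The Python below is an added example, not code from the question or either answer: build_policy produces the combined least-privilege document, local_decision is a deliberately minimal offline approximation of how IAM evaluates that one statement (wildcard match on action and resource, then every StringEquals key must equal the request context; no Deny, NotAction or NotResource handling), and simulate_with_iam runs the authoritative check through the IAM policy simulator with boto3, which needs credentials and is therefore not exercised here. The region, account ID, tag value, OS user and instance IDs are made-up placeholders. Note that ec2:DescribeInstances (and the other Describe* calls in the question's VisualEditor1 statement) does not support resource-level permissions, so that statement has to keep Resource "*"; a tag condition on it, like the one commented out in the question, would only cause the call to be denied.

```python
import fnmatch
import json

# Assumed placeholders (not from the question): adjust to the real environment.
REGION = "eu-west-1"
ACCOUNT_ID = "111122223333"
TAG_KEY, TAG_VALUE = "Env", "lab"   # the question's Env tag with its default value
OS_USER = "ec2-user"                # login user baked into the AMI


def build_policy(region=REGION, account_id=ACCOUNT_ID, tag_key=TAG_KEY,
                 tag_value=TAG_VALUE, os_user=OS_USER):
    """Least-privilege document: SendSSHPublicKey only for instances in this
    account/region carrying tag_key=tag_value, and only as os_user.
    ec2:DescribeInstances has no resource-level permissions, so it stays on "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ConnectOnlyToTaggedInstances",
                "Effect": "Allow",
                "Action": "ec2-instance-connect:SendSSHPublicKey",
                "Resource": f"arn:aws:ec2:{region}:{account_id}:instance/*",
                "Condition": {"StringEquals": {
                    f"aws:ResourceTag/{tag_key}": tag_value,
                    "ec2:osuser": os_user,
                }},
            },
            {
                "Sid": "DescribeForConnect",
                "Effect": "Allow",
                "Action": "ec2:DescribeInstances",
                "Resource": "*",
            },
        ],
    }


def local_decision(policy, action, resource_arn, resource_tags, os_user):
    """Offline approximation of IAM evaluation for the constructs used above:
    an Allow statement matches when action and resource fit (IAM wildcards) and
    every StringEquals key equals the request context; otherwise implicit deny."""
    context = {"ec2:osuser": os_user}
    context.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) == value for key, value in conditions.items()):
            return "allowed"
    return "implicitDeny"


def simulate_with_iam(policy, instance_id, tag_value, os_user,
                      region=REGION, account_id=ACCOUNT_ID):
    """Authoritative check via the IAM policy simulator (needs boto3 and credentials
    with iam:SimulateCustomPolicy). Returns "allowed", "explicitDeny" or "implicitDeny"."""
    import boto3  # imported here so the offline part runs without boto3 installed
    resp = boto3.client("iam").simulate_custom_policy(
        PolicyInputList=[json.dumps(policy)],
        ActionNames=["ec2-instance-connect:SendSSHPublicKey"],
        ResourceArns=[f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"],
        ContextEntries=[
            {"ContextKeyName": f"aws:ResourceTag/{TAG_KEY}",
             "ContextKeyValues": [tag_value], "ContextKeyType": "string"},
            {"ContextKeyName": "ec2:osuser",
             "ContextKeyValues": [os_user], "ContextKeyType": "string"},
        ],
    )
    return resp["EvaluationResults"][0]["EvalDecision"]


# Constructed sample fleet: only the first instance carries Env=lab.
SAMPLE_INSTANCES = {
    "i-0a1b2c3d4e5f67890": {"Env": "lab"},
    "i-0f1e2d3c4b5a69876": {"Env": "prod"},
    "i-0123456789abcdef0": {},
}


def decisions(os_user=OS_USER, policy=None):
    """Map each sample instance ID to the offline decision for SendSSHPublicKey."""
    policy = policy or build_policy()
    return {
        iid: local_decision(policy, "ec2-instance-connect:SendSSHPublicKey",
                            f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:instance/{iid}",
                            tags, os_user)
        for iid, tags in SAMPLE_INSTANCES.items()
    }


if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
    for iid, verdict in decisions().items():
        print(iid, verdict)
    print("tagged instance as root:", decisions(os_user="root")["i-0a1b2c3d4e5f67890"])
```

To put the statement into the question's CloudFormation template, the Resource ARN can be written with pseudo parameters, `!Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*'`, and the tag condition as `'aws:ResourceTag/Env': !Ref Env`, replacing the VisualEditor0 statement. Before handing the role to a third party, run simulate_with_iam (or `aws iam simulate-custom-policy` with the same context entries) against one tagged and one untagged instance ID, and once more with a different OS user, and expect "allowed" only for the first case; the offline decisions function reproduces that expectation but is no replacement for the simulator, which knows the real set of condition keys each action supports.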