user14226172

IAM policy to allow user to launch EC2 with restrictions

I am working on an IAM policy that allows an IAM user to launch only the image "ami-0885b1f6bd170450c", only in the region "us-east-1", and only with an EBS volume of no more than 20 GB. I am not sure what mistake I am making: when I decode the authorization failure message, the only action shown is RunInstances, and no statement of my policy is matched.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TheseActionsDontSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "TheseActionsSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1::image/ami-0885b1f6bd170450c",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "ec2:InstanceType": "t2.micro"
                },
                "StringEquals": {
                    "ec2:Region": "us-east-1"
                }
            }
        },
        {
            "Sid": "EC2CreateVolume",
            "Effect": "Allow",
            "Action": "ec2:CreateVolume",
            "Resource": "*",
            "Condition": {
                "NumericLessThanEquals": {
                    "ec2:VolumeSize": "20"
                }
            }
        }
    ]
}

This is the decoded authorization failure message (from `aws sts decode-authorization-message`) I got while launching. Note that the evaluated resource is the instance ARN, and `matchedStatements` is empty:

{
  "allowed": false,
  "explicitDeny": false,
  "matchedStatements": {
    "items": []
  },
  "failures": {
    "items": []
  },
  "context": {
    "principal": {
      "id": "AIDAYGEGJ25OKBMOEFSLA",
      "name": "some-user",
      "arn": "arn:aws:iam::562922379100:user/some-user"
    },
    "action": "ec2:RunInstances",
    "resource": "arn:aws:ec2:us-east-1:562922379100:instance/*",
    "conditions": {
      "items": [
        {
          "key": "ec2:MetadataHttpPutResponseHopLimit",
          "values": {
            "items": [
              {
                "value": "1"
              }
            ]
          }
        },
        {
          "key": "ec2:InstanceMarketType",
          "values": {
            "items": [
              {
                "value": "on-demand"
              }
            ]
          }
        },
        {
          "key": "aws:Resource",
          "values": {
            "items": [
              {
                "value": "instance/*"
              }
            ]
          }
        },
        {
          "key": "aws:Account",
          "values": {
            "items": [
              {
                "value": "562922379100"
              }
            ]
          }
        },
        {
          "key": "ec2:AvailabilityZone",
          "values": {
            "items": [
              {
                "value": "us-east-1e"
              }
            ]
          }
        },
        {
          "key": "ec2:ebsOptimized",
          "values": {
            "items": [
              {
                "value": "false"
              }
            ]
          }
        },
        {
          "key": "ec2:IsLaunchTemplateResource",
          "values": {
            "items": [
              {
                "value": "false"
              }
            ]
          }
        },
        {
          "key": "ec2:InstanceType",
          "values": {
            "items": [
              {
                "value": "t2.micro"
              }
            ]
          }
        },
        {
          "key": "ec2:RootDeviceType",
          "values": {
            "items": [
              {
                "value": "ebs"
              }
            ]
          }
        },
        {
          "key": "aws:Region",
          "values": {
            "items": [
              {
                "value": "us-east-1"
              }
            ]
          }
        },
        {
          "key": "ec2:MetadataHttpEndpoint",
          "values": {
            "items": [
              {
                "value": "enabled"
              }
            ]
          }
        },
        {
          "key": "aws:Service",
          "values": {
            "items": [
              {
                "value": "ec2"
              }
            ]
          }
        },
        {
          "key": "ec2:InstanceID",
          "values": {
            "items": [
              {
                "value": "*"
              }
            ]
          }
        },
        {
          "key": "ec2:MetadataHttpTokens",
          "values": {
            "items": [
              {
                "value": "optional"
              }
            ]
          }
        },
        {
          "key": "aws:Type",
          "values": {
            "items": [
              {
                "value": "instance"
              }
            ]
          }
        },
        {
          "key": "ec2:Tenancy",
          "values": {
            "items": [
              {
                "value": "default"
              }
            ]
          }
        },
        {
          "key": "ec2:Region",
          "values": {
            "items": [
              {
                "value": "us-east-1"
              }
            ]
          }
        },
        {
          "key": "aws:ARN",
          "values": {
            "items": [
              {
                "value": "arn:aws:ec2:us-east-1:562922379100:instance/*"
              }
            ]
          }
        }
      ]
    }
  }
}


MisterSmith

ec2:TerminateInstances, ec2:StopInstances and ec2:StartInstances operate on the instance resource (`arn:aws:ec2:us-east-1:562922379100:instance/*` — note that instance ARNs carry the account ID, unlike AMI ARNs), not on the image/AMI (`arn:aws:ec2:us-east-1::image/ami-0885b1f6bd170450c`), so those actions currently match nothing.

RunInstances will also fail with just this policy, because it is authorized against several resources, not only the image: the instance, the EBS volume(s), the network interface, the subnet, the security group and (if used) the key pair. Your decoded message shows exactly that — the denied resource is `arn:aws:ec2:us-east-1:562922379100:instance/*` and `matchedStatements` is empty, because no statement allows RunInstances on an instance ARN. Add those resource ARNs (scoped to `us-east-1` and your account) to the RunInstances statement, and apply each condition key only to the resource it belongs to: `ec2:InstanceType` on the instance ARN (use plain `StringEquals`, since it is a single-valued key, not `ForAnyValue:StringEquals`), and `ec2:VolumeSize` on the volume ARN — the root volume created at launch goes through RunInstances, not CreateVolume, so your 20 GB limit in the CreateVolume statement does not constrain it. Since the context also shows `ec2:MetadataHttpTokens` as `optional`, the same instance-scoped statement is the natural place to require IMDSv2 with `"ec2:MetadataHttpTokens": "required"` if that is wanted.

Here is an AWS sample for restricting launching ec2 instance by AMI and TAG you might be able to adapt.

