
How do I create an IAM policy to explicitly grant permissions to create and manage EC2 instances in a specified VPC that has tags?


I want to create an AWS Identity and Access Management (IAM) policy that explicitly grants permissions to IAM identities to manage Amazon Elastic Compute Cloud (Amazon EC2) instances in a virtual private cloud (VPC).

Short description

The IAM policy must allow the identity to launch instances only into a specified VPC, and to manage only the instances and volumes that carry a specified tag.

Amazon EC2 supports resource-level permissions for only some of its API actions, so a policy for EC2 usually combines resource-scoped statements with statements that must use "Resource": "*". For the actions that support it, you can control access to EC2 resources with condition keys such as the resource's tags (ec2:ResourceTag) and the VPC that the resource belongs to (ec2:Vpc).

Resolution

Create a policy that grants permissions to launch instances in the VPC but limits management of existing instances to the ones that carry the tag. To restrict the management of instances, use the ec2:ResourceTag policy condition key.

Create a managed policy to attach to the IAM identities that launch your instances

Complete the following steps:

  1. Open the IAM console.

  2. Choose Policies, and then choose Create Policy.

  3. Choose the JSON tab, and then enter the following custom policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "GrantIAMPassRoleOnlyForEC2",
          "Action": [
            "iam:PassRole"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:iam::account_number:role/role_name"
          ],
          "Condition": {
            "StringEquals": {
              "iam:PassedToService": "ec2.amazonaws.com"
            }
          }
        },
        {
          "Sid": "ReadOnlyEC2WithNonResource",
          "Action": [
            "ec2:Describe*",
            "iam:ListInstanceProfiles"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Sid": "ModifyingEC2WithNonResource",
          "Action": [
            "ec2:CreateKeyPair",
            "ec2:CreateSecurityGroup"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Sid": "RunInstancesWithTagRestrictions",
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:region:account_number:instance/*",
            "arn:aws:ec2:region:account_number:volume/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:RequestTag/tag_key": "tag_value"
            }
          }
        },
        {
          "Sid": "RemainingRunInstancePermissionsNonResource",
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:region::image/*",
            "arn:aws:ec2:region::snapshot/*",
            "arn:aws:ec2:region:account_number:network-interface/*",
            "arn:aws:ec2:region:account_number:key-pair/*",
            "arn:aws:ec2:region:account_number:security-group/*"
          ]
        },
        {
          "Sid": "EC2RunInstancesVpcSubnet",
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:region:account_number:subnet/*",
          "Condition": {
            "StringEquals": {
              "ec2:Vpc": "arn:aws:ec2:region:account_number:vpc/vpc_id"
            }
          }
        },
        {
          "Sid": "EC2VpcNonResourceSpecificActions",
          "Effect": "Allow",
          "Action": [
            "ec2:DeleteNetworkAcl",
            "ec2:DeleteNetworkAclEntry",
            "ec2:DeleteRoute",
            "ec2:DeleteRouteTable",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:DeleteSecurityGroup",
            "ec2:CreateNetworkInterfacePermission",
            "ec2:CreateRoute",
            "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
            "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "ec2:Vpc": "arn:aws:ec2:region:account_number:vpc/vpc_id"
            }
          }
        },
        {
          "Sid": "AllowInstanceActionsTagBased",
          "Effect": "Allow",
          "Action": [
            "ec2:RebootInstances",
            "ec2:StopInstances",
            "ec2:TerminateInstances",
            "ec2:StartInstances",
            "ec2:AttachVolume",
            "ec2:DetachVolume",
            "ec2:AssociateIamInstanceProfile",
            "ec2:DisassociateIamInstanceProfile",
            "ec2:GetConsoleScreenshot",
            "ec2:ReplaceIamInstanceProfileAssociation"
          ],
          "Resource": [
            "arn:aws:ec2:region:account_number:instance/*",
            "arn:aws:ec2:region:account_number:volume/*"
          ],
          "Condition": {
            "StringEquals": {
              "ec2:ResourceTag/tag_key": "tag_value"
            }
          }
        },
        {
          "Sid": "AllowCreateTagsOnlyLaunching",
          "Effect": "Allow",
          "Action": [
            "ec2:CreateTags"
          ],
          "Resource": [
            "arn:aws:ec2:region:account_number:instance/*",
            "arn:aws:ec2:region:account_number:volume/*"
          ],
          "Condition": {
            "StringEquals": {
              "ec2:CreateAction": "RunInstances"
            }
          }
        }
      ]
    }

    Note: Replace account_number, region, vpc_id, tag_key, tag_value, and role_name with the values from your environment. The same tag_key and tag_value appear in the RunInstances, instance-management, and CreateTags statements and must match. Add one ARN to the iam:PassRole statement for each role that the identity is allowed to pass to EC2.

  4. Choose Review policy, and then enter a name.

  5. Choose Create policy.
    Note: You must replace some items with specific resources from your environment. For more information, see Identify AWS resources with Amazon Resource Names (ARNs).

Attach the policy to a group

Complete the following steps:

  1. Open the IAM console.
  2. In the navigation pane, choose User groups and then choose the group name.
    Note: It's a best practice to attach policies to user groups, then add the user to the appropriate group.
  3. Choose Add permissions, and then choose Attach policies.
  4. Enter the name of the policy, and then choose your policy.
  5. Choose Attach Policy.
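The two procedures above (create the managed policy, then attach it to a group) can be scripted so that the placeholders are filled in consistently and checked before anything reaches IAM. The following is an added example, not code from the original article: it reads the policy as printed above from a local file (assumed to be saved as policy-template.json), substitutes the placeholders account_number, region, tag_key, tag_value, vpc_id and role_name (the upper-case and hyphenated spellings are accepted too), refuses to continue if any ARN still looks like a placeholder, and then calls CreatePolicy and AttachGroupPolicy with boto3. The account ID, Region, VPC ID, tag, role name, policy name and group name in SETTINGS are made up and must be replaced.

```python
"""Render the tag-restricted EC2 policy, sanity-check its ARNs, create it and attach it to a group.

Added example for this article (not the article's own code). SETTINGS holds constructed
values; replace them with your own before running.
"""
import json
import re
import sys

SETTINGS = {                      # constructed values, replace with your own
    "account_number": "123456789012",
    "region": "us-east-1",
    "vpc_id": "vpc-0a1b2c3d4e5f67890",
    "tag_key": "Project",
    "tag_value": "blue",
    "role_name": "ec2-app-role",
}
POLICY_NAME = "EC2ManageTaggedInstancesInVpc"   # hypothetical policy name
GROUP_NAME = "ec2-operators"                    # hypothetical user group

# Placeholder tokens as they appear in the article's policy (any casing, '-' or '_').
PLACEHOLDER_RE = re.compile(
    r"\b(account_number|region|tag[-_]key|tag_value|vpc[-_]?id|role_name)\b", re.IGNORECASE)
ACCOUNT_RE = re.compile(r"^\d{12}$")
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")   # us-east-1, ap-southeast-2, ...


def _normalize(token):
    """Map a placeholder spelling such as VPC-ID or TAG-KEY to its SETTINGS key."""
    key = token.lower().replace("-", "_")
    return "vpc_id" if key == "vpcid" else key


def render_policy(template_text, settings):
    """Substitute every placeholder in the policy text and parse the result as JSON."""
    rendered = PLACEHOLDER_RE.sub(lambda m: settings[_normalize(m.group(0))], template_text)
    return json.loads(rendered)


def _strings(node):
    if isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)
    elif isinstance(node, str):
        yield node


def validate_arns(doc):
    """Return a list of problems found in ARN-shaped strings; an empty list means the ARNs look sane."""
    problems = []
    for text in _strings(doc):
        if not text.startswith("arn:"):
            continue
        parts = text.split(":", 5)
        if len(parts) < 6:
            problems.append(f"malformed ARN: {text}")
            continue
        region, account = parts[3], parts[4]
        if region and not REGION_RE.match(region):       # IAM ARNs have an empty Region
            problems.append(f"bad Region in {text}")
        if account and not ACCOUNT_RE.match(account):    # AMI/snapshot ARNs have an empty account
            problems.append(f"bad account in {text}")
        if PLACEHOLDER_RE.search(text):
            problems.append(f"unreplaced placeholder in {text}")
    return problems


def main(template_path):
    import boto3  # imported here so the helpers above are usable without boto3 installed
    with open(template_path) as f:
        doc = render_policy(f.read(), SETTINGS)
    problems = validate_arns(doc)
    if problems:
        sys.exit("refusing to create the policy:\n  " + "\n  ".join(problems))
    with open("policy.json", "w") as f:   # keep the rendered copy for later review or simulation
        json.dump(doc, f, indent=2)
    iam = boto3.client("iam")
    policy_arn = iam.create_policy(PolicyName=POLICY_NAME,
                                   PolicyDocument=json.dumps(doc))["Policy"]["Arn"]
    iam.attach_group_policy(GroupName=GROUP_NAME, PolicyArn=policy_arn)
    print(f"created {policy_arn} and attached it to group {GROUP_NAME}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "policy-template.json")
```

Run it as `python render_policy.py policy-template.json` with credentials that are allowed to call iam:CreatePolicy and iam:AttachGroupPolicy. The ARN check is deliberately strict about the account and Region fields because a stray placeholder there turns a resource-scoped statement into one that matches nothing, which shows up later only as an unexplained access denied.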

After you attach the policy, an IAM identity in the group that signs in to the AWS Management Console can open the EC2 dashboard and launch an instance. To launch, the identity must choose a subnet in the specified VPC and apply the required tag key and value to both the instance and its volumes in the launch request, because the RunInstancesWithTagRestrictions statement evaluates the instance ARN and the volume ARN separately and each must carry the tag.

The ec2:ResourceTag condition key limits the following actions to instances and volumes that carry the tag. A request against a resource that lacks the tag key fails the StringEquals condition and gets an implicit deny:

  • Start an instance.
  • Stop an instance.
  • Reboot an instance.
  • Terminate an instance.
  • Attach a volume to the instance.
  • Detach a volume from the instance.
  • Disassociate the IAM instance profile from the instance.
  • Associate an instance profile.
  • Replace the IAM instance profile association for the instance.
  • Get a console screenshot of the instance.

Because AttachVolume and DetachVolume evaluate both the instance ARN and the volume ARN, both resources must carry the tag. The CreateTags statement allows tagging only as part of RunInstances (ec2:CreateAction), so the identity can't add the tag to an existing instance or volume to bring it into scope later.

The ec2:Vpc condition key limits the following actions to resources that belong to the specified VPC:

  • Delete security groups.
  • Create and delete routes.
  • Delete route tables.
  • Delete network access control lists (network ACLs).
  • Delete network ACL entries.
  • Authorize or revoke security group ingress and egress rules.
  • Create network interface permissions.
  • Update the descriptions of security group ingress and egress rules.

Note that ec2:CreateKeyPair and ec2:CreateSecurityGroup are granted on "Resource": "*" without a VPC condition, so the identity can create a security group in any VPC; it can add or remove rules only on groups in the specified VPC.
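The two lists above describe what the conditions are meant to do; the IAM policy simulator (iam:SimulateCustomPolicy) lets you confirm it without touching real instances. The following is an added example, not code from the original article: it reads a rendered copy of the policy from policy.json (the policy above with the placeholders filled in, here assumed to use account 123456789012, Region us-east-1, VPC vpc-0a1b2c3d4e5f67890 and tag Project=blue, all constructed values), sends a set of constructed requests to the simulator, and reports every decision that differs from what the lists above predict. The simulator does not look at real resources, so each request's tags and VPC membership are supplied as context entries; the resource IDs are made up.

```python
"""Exercise the tag- and VPC-scoped statements with the IAM policy simulator.

Added example for this article (not the article's own code). The values below are
constructed and must match the ones used when the policy's placeholders were filled in.
"""
import json
import sys

ACCOUNT = "123456789012"
REGION = "us-east-1"
VPC_ID = "vpc-0a1b2c3d4e5f67890"        # the VPC the policy is scoped to
OTHER_VPC_ID = "vpc-0ffffffffffffffff"  # some other VPC in the same account
TAG_KEY, TAG_VALUE = "Project", "blue"


def arn(resource):
    return f"arn:aws:ec2:{REGION}:{ACCOUNT}:{resource}"


def build_cases():
    """Requests an operator might make, each with the decision the policy should return."""
    instance, volume, subnet = (arn("instance/i-0123456789abcdef0"),
                                arn("volume/vol-0123456789abcdef0"),
                                arn("subnet/subnet-0123456789abcdef0"))
    tag = f"ec2:ResourceTag/{TAG_KEY}"
    return [
        {"name": "terminate tagged instance", "action": "ec2:TerminateInstances",
         "resource": instance, "context": {tag: TAG_VALUE}, "expected": "allowed"},
        {"name": "terminate instance with another tag value", "action": "ec2:TerminateInstances",
         "resource": instance, "context": {tag: "red"}, "expected": "implicitDeny"},
        # Missing condition key: StringEquals evaluates to false, so no Allow matches.
        {"name": "terminate untagged instance", "action": "ec2:TerminateInstances",
         "resource": instance, "context": {}, "expected": "implicitDeny"},
        # The volume ARN is evaluated on its own, so an untagged volume can't be attached.
        {"name": "attach untagged volume", "action": "ec2:AttachVolume",
         "resource": volume, "context": {}, "expected": "implicitDeny"},
        {"name": "launch into subnet of the allowed VPC", "action": "ec2:RunInstances",
         "resource": subnet, "context": {"ec2:Vpc": arn(f"vpc/{VPC_ID}")}, "expected": "allowed"},
        {"name": "launch into subnet of another VPC", "action": "ec2:RunInstances",
         "resource": subnet, "context": {"ec2:Vpc": arn(f"vpc/{OTHER_VPC_ID}")},
         "expected": "implicitDeny"},
        {"name": "tag at launch", "action": "ec2:CreateTags",
         "resource": instance, "context": {"ec2:CreateAction": "RunInstances"}, "expected": "allowed"},
        {"name": "retag an existing instance", "action": "ec2:CreateTags",
         "resource": instance, "context": {}, "expected": "implicitDeny"},
    ]


def context_entries(context):
    """Convert {key: value} into the ContextEntries shape that SimulateCustomPolicy expects."""
    return [{"ContextKeyName": key, "ContextKeyValues": [value], "ContextKeyType": "string"}
            for key, value in context.items()]


def run_cases(simulate, policy_json, cases):
    """simulate is iam_client.simulate_custom_policy or any callable with the same keyword signature."""
    decisions = []
    for case in cases:
        response = simulate(PolicyInputList=[policy_json], ActionNames=[case["action"]],
                            ResourceArns=[case["resource"]],
                            ContextEntries=context_entries(case["context"]))
        decisions.append(response["EvaluationResults"][0]["EvalDecision"])
    return decisions


def mismatches(cases, decisions):
    """Pair each case with its decision and keep the ones that disagree with the expectation."""
    return [(case["name"], case["expected"], decision)
            for case, decision in zip(cases, decisions) if case["expected"] != decision]


if __name__ == "__main__":
    import boto3  # imported here so the helpers above are usable without boto3 installed
    with open(sys.argv[1] if len(sys.argv) > 1 else "policy.json") as f:
        policy_json = json.dumps(json.load(f))
    cases = build_cases()
    simulate = boto3.client("iam").simulate_custom_policy
    bad = mismatches(cases, run_cases(simulate, policy_json, cases))
    for name, expected, actual in bad:
        print(f"MISMATCH {name}: expected {expected}, got {actual}")
    print("all cases matched" if not bad else f"{len(bad)} mismatch(es)")
    sys.exit(1 if bad else 0)
```

The caller needs iam:SimulateCustomPolicy. Because the simulator evaluates only the policy text you pass in, the results don't include service control policies or permissions boundaries that apply to the real identity; use SimulatePrincipalPolicy against the group's users when you need the combined effect.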

Related information

How do the PrincipalTag, ResourceTag, RequestTag, and TagKeys condition keys control access in IAM policies?

IAM policy elements: Variables and tags

Friendly names and paths