How do I create an IAM policy to explicitly grant permissions to create and manage EC2 instances in a specified VPC that has tags?

4 minute read
0

I want to create an AWS Identity and Access Management (IAM) policy that explicitly grants permissions to IAM identities to manage Amazon Elastic Compute Cloud (Amazon EC2) instances in a virtual private cloud (VPC).

Short description

The IAM policy must limit the IAM identity's permissions to manage the instances in the VPC that has tags.

Amazon EC2 provides partial resource-level permissions, but there are several service-level actions, resources, and conditions that you can use. To control access to EC2 resources, use resource tags.

Resolution

Create a policy that grants permissions to launch the instances in the VPC but restricts the IAM identity's permissions to manage the instances. To restrict the management of instances, use the ec2:ResourceTag policy condition.

Create a managed policy to attach to the IAM identities that launch your instances

Complete the following steps:

  1. Open the IAM console, choose Policies, and then choose Create Policy.

  2. Choose the JSON tab, and then enter the following custom policy:

    {  "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "GrantIAMPassRoleOnlyForEC2",
          "Action": [
            "iam:PassRole"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:iam::ACCOUNTNUMBER:role/ROLENAME",
            "arn:aws:iam::ACCOUNTNUMBER:role/ROLENAME"
          ],
          "Condition": {
            "StringEquals": {
              "iam:PassedToService": "ec2.amazonaws.com"
            }
          }
        },
        {
          "Sid": "ReadOnlyEC2WithNonResource",
          "Action": [
            "ec2:Describe*",
            "iam:ListInstanceProfiles"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Sid": "ModifyingEC2WithNonResource",
          "Action": [
            "ec2:CreateKeyPair",
            "ec2:CreateSecurityGroup"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Sid": "RunInstancesWithTagRestrictions",
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:REGION:ACCOUNTNUMBER:instance/*",
            "arn:aws:ec2:REGION:ACCOUNTNUMBER:volume/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:RequestTag/TAG-KEY": "TAG-VALUE"
            }
          }
        },
        {
          "Sid": "RemainingRunInstancePermissionsNonResource",
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:REGION::image/*",
            "arn:aws:ec2:REGION::snapshot/*",
            "arn:aws:ec2:REGION:ACCOUNTNUMBER*:network-interface/*",
            "arn:aws:ec2:REGION:ACCOUNTNUMBER*:key-pair/*",
            "arn:aws:ec2:REGION:ACCOUNTNUMBER*:security-group/*"
          ]
        },
        {
          "Sid": "EC2RunInstancesVpcSubnet",
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:REGION:ACCOUNTNUMBER:subnet/*",
          "Condition": {
            "StringEquals": {
              "ec2:Vpc": "arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPC-ID"
            }
          }
        },
        {
          "Sid": "EC2VpcNonResourceSpecificActions",
          "Effect": "Allow",
          "Action": [
            "ec2:DeleteNetworkAcl",
            "ec2:DeleteNetworkAclEntry",
            "ec2:DeleteRoute",
            "ec2:DeleteRouteTable",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:DeleteSecurityGroup",
            "ec2:CreateNetworkInterfacePermission",
            "ec2:CreateRoute",
            "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
            "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "ec2:Vpc": "arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPC-ID"
            }
          }
        },
        {
          "Sid": "AllowInstanceActionsTagBased",
          "Effect": "Allow",
          "Action": [
            "ec2:RebootInstances",
            "ec2:StopInstances",
            "ec2:TerminateInstances",
            "ec2:StartInstances",
            "ec2:AttachVolume",
            "ec2:DetachVolume",
            "ec2:AssociateIamInstanceProfile",
            "ec2:DisassociateIamInstanceProfile",
            "ec2:GetConsoleScreenshot",
            "ec2:ReplaceIamInstanceProfileAssociation"
          ],
          "Resource": [
            "arn:aws:ec2:REGION:ACCOUNTNUMBER:instance/*",
            "arn:aws:ec2:REGION:ACCOUNTNUMBER:volume/*"
          ],
          "Condition": {
            "StringEquals": {
              "ec2:ResourceTag/TAG-KEY": "TAG-VALUE"
            }
          }
        },
        {
          "Sid": "AllowCreateTagsOnlyLaunching",
          "Effect": "Allow",
          "Action": [
            "ec2:CreateTags"
          ],
          "Resource": [
            "arn:aws:ec2:REGION:ACCOUNTNUMBER:instance/*",
            "arn:aws:ec2:REGION:ACCOUNTNUMBER:volume/*"
          ],
          "Condition": {
            "StringEquals": {
              "ec2:CreateAction": "RunInstances"
            }
          }
        }
      ]
    }

    Note: Replace the ACCOUNTNUMBER, REGION, TAG-KEY, TAG-VALUE, VPC-ID, and ROLENAME parameters with your values.

  3. (Optional) To assign the policy to only IAM users or groups, replace the TAG-KEY or TAG-VALUE parameters with the ${aws:username} IAM policy variable. This policy variable allows IAM to prepopulate the parameters with the friendly name of the IAM user. IAM users can launch an instance in only the specified VPC and control their own instances.

  4. Choose Review policy, and then enter a name. For example, enter VPC_Lockdown_VPC-ID.

  5. Choose Create policy.
    Note: You must replace some items with specific resources from your environment. For more information, see Amazon Resource Names (ARNs).

Attach the policy to a user, group, or role

Complete the following steps:

  1. Open the IAM console.
  2. In the navigation pane, choose Users, Groups, or Roles and then choose the IAM identity.
  3. Choose Add permissions, and then choose Attach policies.
  4. Enter the name of the policy, and then choose your policy.
  5. Choose Attach Policy.

When the custom policy is attached, the IAM identity can sign in to the AWS Management Console, open the EC2 dashboard, and launch an EC2 instance. The IAM identity must specify the subnet, VPC, and tag to launch the EC2 instance.

The ec2:ResourceTags condition restricts the following actions:

  • Start an instance.
  • Stop an instance.
  • Reboot an instance.
  • Terminate an instance.
  • Attach a volume to the instance.
  • Detach a volume from the instance.
  • Disassociate the IAM instance profile from the instance.
  • Associate an instance profile.
  • Replace the IAM instance profile association for the instance.
  • Get a console screenshot of the instance.

The policy restricts the following actions against the VPC:

  • Delete security groups.
  • Create and delete routes.
  • Delete route tables.
  • Delete network access control lists (network ACLs).
  • Delete network ACL entries.
  • Authorize or revoke security group ingress and egress rules.
  • Create network interface permissions.
  • Update security group description for ingress and egress rules.

Related information

How do I use the PrincipalTag, ResourceTag, RequestTag, and TagKeys condition keys to create an IAM policy for tag-based restriction?

AWS OFFICIAL
AWS OFFICIALUpdated 6 months ago