Hi!
Good question. When crafting IAM Policies, keep in mind that some actions do not support resource-level permissions. If those do not support resource-level permissions, you must specify all resources ("*") in the Resource element of the policy for it to work.
You can determine whether actions support resource-level permissions on the actions page (example below). If there are no values in the Resource types column, that means the action does not support resource-level permissions.
In your case with DescribeInstances, that action does not support resource-level permissions and must come with all resources specified.
What you can do is separate out the actions that do not support resource-level permissions into 1 block and the ones that do into another block to achieve more granular IAM policies like you're trying to do above.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html
You could also limit access based on tags instead of instance IDs. As an example, the statement below gives access to all resources where the resource either doesn't have an "owner" tag OR the "owner" tag has the same value as the principal's (IAM user or role) "owner" tag. Untagged resources are accessible to everyone using this policy, but once an "owner" tag is attached, only the user (or role) with the same "owner" tag value can modify it (including changing the tag).

```yaml
- Sid: 'AllowUnlessOwnedBySomeoneElse'
  Effect: Allow
  Action: '*'
  Resource: '*'
  Condition:
    StringEqualsIfExists:
      'aws:RequestTag/owner': '${aws:PrincipalTag/owner}'
      'aws:ResourceTag/owner': '${aws:PrincipalTag/owner}'
```
You can then limit Actions the same way you did for EC2 instances etc. There are also other variables you can use in place of aws:PrincipalTag. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html
The statement above is part of a longer story about how you can isolate multiple teams working in a single account while still allowing them to create their own IAM policies. https://carriagereturn.nl/aws/iam/policy/boundary/2021/10/07/iambound.html
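The two answers above make two separate points: actions without resource-level permissions (such as ec2:DescribeInstances) must sit in their own statement with Resource "*" while instance-scoped actions get a narrow ARN, and an owner-tag condition using StringEqualsIfExists lets untagged resources through but restricts tagged ones to the matching principal. The Python below is an added example, not code from the thread or from AWS: it builds the split policy as a document and runs a deliberately minimal model of how StringEqualsIfExists and ${aws:PrincipalTag/...} substitution behave against a few constructed request contexts. The account id, region and instance ids are placeholders, and the evaluator is not AWS's policy engine (it ignores Deny, NotAction and every other condition operator).

```python
"""Added example: split statements by resource-level permission support, and a
toy model of the owner-tag StringEqualsIfExists condition. Not AWS code."""
import json
import re

ACCOUNT = "111122223333"   # placeholder account id (constructed)
REGION = "us-east-1"       # placeholder region


def build_split_policy(instance_ids):
    """Statement 1: describe actions with no resource-level permissions -> '*'.
    Statement 2: actions that do support instance ARNs -> only the listed instances."""
    arns = [f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{i}" for i in instance_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DescribeNeedsStarResource",
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus"],
                "Resource": "*",
            },
            {
                "Sid": "InstanceScopedActions",
                "Effect": "Allow",
                "Action": ["ec2:StartInstances", "ec2:StopInstances"],
                "Resource": arns,
            },
        ],
    }


# Same statement as the YAML in the answer above, written as a JSON-style dict.
OWNER_STATEMENT = {
    "Sid": "AllowUnlessOwnedBySomeoneElse",
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "StringEqualsIfExists": {
            "aws:RequestTag/owner": "${aws:PrincipalTag/owner}",
            "aws:ResourceTag/owner": "${aws:PrincipalTag/owner}",
        }
    },
}

_VAR = re.compile(r"\$\{([^}]+)\}")


def _substitute(value, ctx):
    """Replace ${key} policy variables with values from the request context.
    Simplification: a variable with no value in the context stays unresolved,
    so it can never equal a real tag value (the request is then not allowed)."""
    return _VAR.sub(lambda m: ctx.get(m.group(1), m.group(0)), value)


def condition_allows(statement, ctx):
    """Toy model of StringEqualsIfExists: each condition key is checked only if
    it is present in the request context; an absent key is treated as satisfied.
    That is what makes untagged resources reachable by everyone."""
    cond = statement.get("Condition", {}).get("StringEqualsIfExists", {})
    for key, expected in cond.items():
        if key not in ctx:
            continue  # 'IfExists': a missing key does not block the request
        if ctx[key] != _substitute(expected, ctx):
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(build_split_policy(["i-0123456789abcdef0"]), indent=2))
    # Constructed request contexts for principal "alice":
    cases = {
        "untagged resource": {"aws:PrincipalTag/owner": "alice"},
        "own resource": {"aws:PrincipalTag/owner": "alice", "aws:ResourceTag/owner": "alice"},
        "bob's resource": {"aws:PrincipalTag/owner": "alice", "aws:ResourceTag/owner": "bob"},
        "retag as bob": {"aws:PrincipalTag/owner": "alice", "aws:RequestTag/owner": "bob"},
    }
    for name, ctx in cases.items():
        print(f"{name:18} -> {'allow' if condition_allows(OWNER_STATEMENT, ctx) else 'no match'}")
```

The last two cases are the ones worth checking in a real account with the IAM policy simulator: a principal whose owner tag is "alice" is not allowed to touch a resource owned by "bob", and is also not allowed to set the owner tag to "bob" on a create or tag request, which is the "including changing the tag" property the answer describes.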
Oh dang, that looks really promising. I'll give it a try. If this works, it would really help me isolate this even further.
Awesome, thanks so much for that, I had no clue. I'll give that a try real fast and let you know how that goes.