Writing IAM Policy to ModifyInstanceAttribute - DeleteOnTermination

0

Dear Experts,

I am executing the command below from my EC2 instance (instance ID changed on purpose).

aws ec2 modify-instance-attribute --instance-id i-12345 --block-device-mappings '[{"DeviceName": "/dev/sda1","Ebs":{"DeleteOnTermination":false}}]'

I configured the policy below, but it's still giving me an unauthorized error.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "ec2:ModifyInstanceAttribute",
          "Resource": "arn:aws:ec2::111111111:instance/",
          "Condition": {
            "StringEquals": {
              "ec2:Attribute": "BlockDeviceMapping"
            }
          }
        }
      ]
    }

In the above, I changed BlockDeviceMapping to DeleteOnTermination, but it didn't work. Can someone tell me how to write the policy?

asked 10 months ago, 329 views
1 Answer
0

I haven't tried this before; however, in the documentation the case is different than in your policy.

Try blockDeviceMapping

Your instance policy may need to have instance/* for any instance, unless you removed that because it is sensitive.

answered 10 months ago
  • This is my policy now; it still doesn't work.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "ec2:ModifyInstanceAttribute",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "ec2:Attribute": "blockDeviceMapping"
            }
          }
        }
      ]
    }

  • What about "BlockDeviceMappings"? Is there any chance that your policy will not work because it is not in the plural?
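
Added example, not part of the thread and not AWS code: a minimal local matcher run over the two policies posted above, showing that the Resource ARN and the case-sensitive StringEquals value are two independent reasons a statement can fail to match. The region in the request ARN and the ec2:Attribute context values are constructed; the thread does not establish which value EC2 actually sends.

```python
import fnmatch

def _wild(pattern, value, case_sensitive=True):
    """IAM-style wildcard match: only '*' and '?' are special."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))

def _as_list(x):
    return x if isinstance(x, list) else [x]

def explain(policy, action, resource_arn, context):
    """Return why no Allow statement matches; an empty list means one does.
    Models only Action, Resource and StringEquals (no Deny, no other operators)."""
    ctx = {k.lower(): v for k, v in context.items()}  # key names ignore case
    reasons = []
    for stmt in _as_list(policy["Statement"]):
        sid = stmt.get("Sid", "(no Sid)")
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_wild(a, action, False) for a in _as_list(stmt["Action"])):
            reasons.append(f"{sid}: Action does not match")
        elif not any(_wild(r, resource_arn) for r in _as_list(stmt["Resource"])):
            reasons.append(f"{sid}: Resource does not match")
        else:
            wanted = stmt.get("Condition", {}).get("StringEquals", {})
            bad = [k for k, v in wanted.items() if ctx.get(k.lower()) not in _as_list(v)]
            if not bad:
                return []
            reasons.append(f"{sid}: StringEquals fails for {', '.join(bad)}")
    return reasons

def policy(resource, attribute):
    """Build the single-statement policy shape used in the thread."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "VisualEditor0", "Effect": "Allow",
        "Action": "ec2:ModifyInstanceAttribute", "Resource": resource,
        "Condition": {"StringEquals": {"ec2:Attribute": attribute}}}]}

ACTION = "ec2:ModifyInstanceAttribute"
# Constructed request: the region is made up; account and instance id are the thread's.
ARN = "arn:aws:ec2:us-east-1:111111111:instance/i-12345"
QUESTION = policy("arn:aws:ec2::111111111:instance/", "BlockDeviceMapping")
COMMENT = policy("*", "blockDeviceMapping")

if __name__ == "__main__":
    # The context value is a stand-in; the thread never establishes what EC2 sends.
    for value in ("BlockDeviceMapping", "blockDeviceMapping"):
        ctx = {"ec2:Attribute": value}
        print(value, explain(QUESTION, ACTION, ARN, ctx), explain(COMMENT, ACTION, ARN, ctx))
```

The first policy is rejected on its Resource element before the condition is ever evaluated, so changing the attribute spelling alone cannot make it match.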
