Limiting Which EC2 Instances a User Can See


Hello,

I am trying to limit which EC2 instances a user can see. My use case is that I am trying to set up a lab for a professor. I want them to be able to see only their systems and be able to start / stop / reboot them as needed. I am trying to limit them to their systems so they do not become confused as to what is and isn't theirs.

I know this can't be done with tagging. I saw this post https://repost.aws/questions/QUUaWdSykIREW4HYDd8T7J7Q/restricting-access-to-ec-2-instances-using-iam-policy where they are trying to do the same thing I am doing but had little to no luck. I also know it can be done in some form or another because if you have ever used AWS Academy you know you don't see other students' instances.

One suggestion I read was to create multiple AWS accounts and combine them into an organization. While this may work, it seems like I'm hitting a brass brad with a ten-pound hammer. So does anyone have any better ideas on how to do this?

Thank you, TK

3 answers

Accepted answer

As you have read, you won't be able to limit which instances are displayed in the console even with tags. You can restrict what operations a user can perform, like starting and stopping instances. See https://aws.amazon.com/premiumsupport/knowledge-center/restrict-ec2-iam/

Multiple accounts would be the best option to achieve what you are trying to do, and you can set up a multi-account environment pretty easily with Control Tower.

I don't think you can compare with AWS Academy, as that seems to be a learning management system built on AWS which probably has its own mechanisms for filtering what can be seen between accounts.

One other simple thing you can do is give the professors a URL that contains the filter for their EC2 instances. For example, you can tag all of your instances with "Owner" with a value of the name of the Professor. Then give them a URL like this:

https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#Instances:v=3;tag:Owner=ProfessorName

Where ProfessorName is their name.

AWS EXPERT
Matt-B
answered 2 years ago
AWS EXPERT
reviewed 2 years ago
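As an added illustration (not code from the thread, from Matt-B or from AWS), the Python below builds the tag-scoped IAM policy that the knowledge-center article describes, builds the pre-filtered console link from the answer above, and checks against constructed instance tags which instances a given professor could start or stop. The instance IDs, professor names and the "Owner" tag key are assumptions.

```python
import json
from urllib.parse import quote

# Constructed sample data (not from the thread): instance id -> tags.
INSTANCES = {
    "i-0aaa111": {"Owner": "ProfessorSmith"},
    "i-0bbb222": {"Owner": "ProfessorJones"},
    "i-0ccc333": {},  # untagged: nobody may start/stop/reboot it
}

def owner_policy(owner: str) -> dict:
    """IAM policy: Describe* cannot be scoped per resource (so every
    instance stays visible in the console), but start/stop/reboot is
    allowed only where the instance's Owner tag equals `owner`."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
            {
                "Effect": "Allow",
                "Action": ["ec2:StartInstances", "ec2:StopInstances",
                           "ec2:RebootInstances"],
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {"StringEquals": {"aws:ResourceTag/Owner": owner}},
            },
        ],
    }

def console_url(owner: str, region: str = "us-east-1") -> str:
    """Pre-filtered EC2 console link in the form given in the accepted answer;
    the tag value is URL-encoded so names with spaces survive."""
    return (f"https://{region}.console.aws.amazon.com/ec2/v2/home?region={region}"
            f"#Instances:v=3;tag:Owner={quote(owner, safe='')}")

def allowed_to_control(policy: dict, instance_tags: dict) -> bool:
    """Minimal evaluator for owner_policy(): match the Owner tag condition."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "ec2:StartInstances" not in actions:
            continue
        wanted = stmt["Condition"]["StringEquals"]["aws:ResourceTag/Owner"]
        return instance_tags.get("Owner") == wanted
    return False

def controllable_instances(owner: str) -> list:
    """Instances the professor could start/stop/reboot under their policy."""
    pol = owner_policy(owner)
    return sorted(i for i, tags in INSTANCES.items() if allowed_to_control(pol, tags))

if __name__ == "__main__":
    print(json.dumps(owner_policy("ProfessorSmith"), indent=2))
    print(console_url("ProfessorSmith"), controllable_instances("ProfessorSmith"))
```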

I had a similar request from a question from a customer a while back; what I suggested is that they build a self-service portal for their users - that way they could precisely control the visibility and the actions that could be performed. But it's more work for you to do this.

In this particular case, my customer took some code I wrote as part of this blog post and modified the Workspaces component to control EC2 instead.

That said (and to repeat): It's work that you have to do. I think that Matt-B's answer is better here because you're relying on native AWS constructs so you're not maintaining anything going forward.

AWS EXPERT
answered 2 years ago

Thank you both for such quick replies. I was hoping I had missed an easy solution, but it looks like that is not the case. I like Matt-B's idea of providing a link that is filtered. It is not a perfect solution but should work.

I find it amazing that AWS does not provide some way to limit what users can see based on tagging or some other method, as it seems I am not the only one trying to do something like this. Again, thank you both for your help.

TK
answered 2 years ago
