En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Restricting access to EC2 instances using IAM Policy

0

Hi all,

I'm trying to restrict access to EC2 instances (especially describe-instances) to a IAM User with a IAM Policy (using Tags) as described in the following post: https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/

I added the following tag "Environment/Labs" to few EC2 instances.

I then created the following IAM Policy that I attached to a IAM user.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Environment": "Labs"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ec2:DeleteTags",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        }
    ]
}

Unfortunately, this is not working and I'm able to list all the instances. ;(

Any hint on what I'm missing here?

Note: I tried to attach the condition to the Describe*/DescribeInstances action and this was blocking any access to EC2 instances.

Many thanks in advance for the help, Best regards, Fred

Sujets
Sécurité, identité et conformitéCalcul
Balises
Gestion des identités et des accès AWSAmazon EC2
Langue
English
FredericD
demandé il y a 2 ans2199 vues
4 réponses
2

According to the latest IAM Policy Reference for EC2, there are no resources or conditions that can be applied to the DescribeInstances action that can be used to restrict the scope of what can be described. So it is all-or-nothing: if you allow DescribeInstances to any principal, all instances can be described.

AWS
EXPERT
MichaelFischer
répondu il y a 2 ans
1
Réponse acceptée

Hi Fred,

The ability to run the DescribeInstances API is required to gain visibility to these resources. You need this visibility to know what instances are there. The first part of your policy will allow additional commands on those resources matching the condition, in your case preventing changes to any instances not tagged with "Environment = Labs". You cannot prevent seeing the names of all resources but you can prevent actions on resources not matching the condition.

AWS
Bert_Z
répondu il y a 2 ans
1

Describe instance can not be restricted using condition but Depending on your business requirement if it is must to avoid the user from seeing all instances you can consider moving to multi-account setup.

Or you can completely disable the describe instance permission for the user and provide the list of instance IDs by other means, e.g lambda + s3. But it depends on your use-case and problem you are trying to solve.

hameedullah
répondu il y a 2 ans
0

Thanks to all of you @Bert_Z @Michael_F and @hameedullah.

That was my understanding that the describe_instances can not be restricted, but I have to admit I was a bit confused with the blog post and that's why I tried it. I have to admit that it would be a great feature to be able to limit visibility using IAM policy instead of applying some filter later on when the full list is retrieved.

FredericD
répondu il y a 2 ans

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents