how to scope ec2:RunInstances action

0

I am looking a way to scope ec2:RunInstance and enable user to launch instances if they a particular tag on it, how can i achieve this?

2 Risposte
1

you can create an IAM group or role, such as EC2LaunchAllowed, and attach a policy allowing the necessary actions to this group or role. Then, add users who should have this permission to the group or assign them the role. This approach is both straightforward and secure.

profile picture
ESPERTO
con risposta 2 mesi fa
profile picture
ESPERTO
verificato 2 mesi fa
0

Hello.

When creating EC2, I think the following documents will be helpful.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/supported-iam-actions-tagging.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyRunInstancesWithoutTag",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/Project": "true"
                }
            }
        }
    ]
}

If you want to start EC2, you can use "ec2:StartInstances".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Statement2",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "Null": {
                    "ec2:ResourceTag/Owner": false
                },
                "StringEqualsIfExists": {
                    "ec2:ResourceTag/Owner": "HOGE"
                }
            }
        }
    ]
}
profile picture
ESPERTO
con risposta 2 mesi fa
profile picture
ESPERTO
verificato 2 mesi fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande