Restricting access to EC2 instances using IAM Policy

0

Hi all,

I'm trying to restrict access to EC2 instances (especially describe-instances) to an IAM User with an IAM Policy (using Tags) as described in the following post: https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/

I added the following tag "Environment/Labs" to a few EC2 instances.

I then created the following IAM Policy that I attached to an IAM user.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Environment": "Labs"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ec2:DeleteTags",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        }
    ]
}

Unfortunately, this is not working and I'm able to list all the instances. ;(

Any hint on what I'm missing here?

Note: I tried to attach the condition to the Describe*/DescribeInstances action and this was blocking any access to EC2 instances.

Many thanks in advance for the help,

Best regards,
Fred

4 answers
2

According to the latest IAM Policy Reference for EC2, there are no resources or conditions that can be applied to the DescribeInstances action that can be used to restrict the scope of what can be described. So it is all-or-nothing: if you allow DescribeInstances to any principal, all instances can be described.

AWS
Expert
Answered 2 years ago
1
Accepted answer

Hi Fred,

The ability to run the DescribeInstances API is required to gain visibility to these resources. You need this visibility to know what instances are there. The first part of your policy will allow additional commands on those resources matching the condition, in your case preventing changes to any instances not tagged with "Environment = Labs". You cannot prevent seeing the names of all resources but you can prevent actions on resources not matching the condition.

AWS
Bert_Z
Answered 2 years ago
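To make the accepted answer's point concrete, here is an added example (not AWS code, and not from the asker or the answerers): a deliberately simplified model of IAM evaluation (explicit Deny over Allow over implicit deny, StringEquals failing when its key is absent) run against the three statements from the question. It assumes that only the actions in RESOURCE_LEVEL_ACTIONS carry the target instance's tags into the request context, which is why DescribeInstances can only be allowed or denied wholesale, and why moving the tag condition onto ec2:Describe* (the asker's note) blocks it entirely.

```python
# Added example (not AWS code): a simplified model of IAM policy evaluation.
import copy
import fnmatch

# Actions whose request context carries the target's tags. DescribeInstances is
# deliberately absent: it supports no resource-level permissions, so no
# ec2:ResourceTag/* key ever exists for it. (Assumption: the list is kept small.)
RESOURCE_LEVEL_ACTIONS = {"ec2:StartInstances", "ec2:StopInstances",
                          "ec2:TerminateInstances", "ec2:CreateTags", "ec2:DeleteTags"}

# The three statements from the question, as Python data.
QUESTION_POLICY = [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Labs"}}},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:DeleteTags", "ec2:CreateTags"], "Resource": "*"},
]

def _action_matches(pattern, action):
    patterns = [pattern] if isinstance(pattern, str) else pattern
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def _condition_holds(condition, ctx):
    # StringEquals needs the key to be present AND equal; a missing key fails.
    return all(ctx.get(k) == v for k, v in condition.get("StringEquals", {}).items())

def evaluate(policy, action, resource_tags=None):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one API call."""
    ctx = {}
    if action in RESOURCE_LEVEL_ACTIONS and resource_tags:
        ctx = {f"ec2:ResourceTag/{k}": v for k, v in resource_tags.items()}
    decision = "implicit_deny"
    for stmt in policy:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"  # an explicit deny always wins
        decision = "allow"
    return decision

def with_condition_on_describe(policy):
    """The variant the asker tried: copy the tag condition onto ec2:Describe*."""
    variant = copy.deepcopy(policy)
    variant[1]["Condition"] = variant[0]["Condition"]
    return variant
```

With the question's policy, DescribeInstances is allowed for every instance while StopInstances is only allowed on instances tagged Environment=Labs; with the condition copied onto Describe*, DescribeInstances is denied for all instances because the tag key is never in its context.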
1

DescribeInstances cannot be restricted using a condition, but depending on your business requirement, if it is a must to avoid the user seeing all instances, you can consider moving to a multi-account setup.

Or you can completely disable the describe instance permission for the user and provide the list of instance IDs by other means, e.g. Lambda + S3. But it depends on your use case and the problem you are trying to solve.

Answered 2 years ago
0

Thanks to all of you @Bert_Z @Michael_F and @hameedullah.

That was my understanding, that describe_instances cannot be restricted, but I have to admit I was a bit confused by the blog post and that's why I tried it. I have to admit that it would be a great feature to be able to limit visibility using an IAM policy instead of applying some filter later on when the full list is retrieved.

Answered 2 years ago
