Specify Individual Instance In Trust Policy Of IAM Role

Question

The following trust policy is the default trust policy for an EC2 instance role.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Principal": {
                "Service": [
                    "ec2.amazonaws.com"
                ]
            }
        }
    ]
}
```

Is it possible to limit this trust policy to allow the role to only be attached to a specific instance? I know that it would be possible to only grant the IAM permissions to a user to pass this role to a specific instance but I would also like to limit the scope of this role to a specific instance at the same time.

Accepted Answer

I could not find a way to do this and this article confirms this, [How to use trust policies with IAM roles](https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/):

```
Several customers have asked if it’s possible to design a trust policy for an IAM role such that it can only be passed to a specific Amazon EC2 instance. This isn’t directly possible. You cannot place the Amazon Resource Name (ARN) for an EC2 instance into the Principal of a trust policy, nor can you use tag-based condition statements in the trust policy to limit the ability for the role to be used by a specific resource.

The only option is to manage access to the iam:PassRole action within the permission policy for those IAM principals you expect to be attaching IAM roles to AWS resources. This special Action is evaluated when a principal tries to attach another IAM role to an AWS service or AWS resource.
```

Specify Individual Instance In Trust Policy Of IAM Role

関連するコンテンツ