How do I restrict access of IAM Identities to specific Amazon EC2 resources?
I want to restrict the access of AWS Identity and Access Management (IAM) identities to a specific Amazon Elastic Compute Cloud (Amazon EC2) resource.
Short description
Amazon EC2 has partial support for resource-level permissions or conditions. You can use resource-level permissions to control how IAM identities are allowed to access specific Amazon EC2 resources.
You can also use ABAC (attribute-based access control, which in AWS uses tags as the attributes) to control access to AWS resources. For more information, see IAM tutorial: Define permissions to access AWS resources based on tags.
Resolution
Use the following example IAM policies to restrict access to Amazon EC2 instances for your use case. Then, attach the policy to the IAM identity whose access you want to restrict.
Restrict access to only start, stop, or reboot instances
The following example policy restricts the access of an IAM identity to only start, stop, or reboot EC2 instances:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:AccountId:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Owner": "Bob"
        }
      }
    }
  ]
}
Note: Replace Owner with your tag key, Bob with your tag value, and AccountId with your AWS account ID.
To restrict access to other Amazon EC2 resources, or to restrict it by AWS Region, first confirm that the actions involved support resource-level permissions and condition keys, because not every Amazon EC2 API action does.
Restrict the launch of EC2 instances by tag
The following example policy uses the Owner tag key to restrict the access of an IAM identity to only launch EC2 instances:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:AccountId:instance/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:RequestTag/Owner": "*"
        }
      }
    },
    {
      "Sid": "AllowRunInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ]
    },
    {
      "Sid": "AllowToDescribeAll",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowCreateTagsOnLaunching",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:AccountId:*/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": [
            "RunInstances"
          ]
        }
      }
    }
  ]
}
Note: Replace Owner with your tag key and AccountId with your account ID.
Restrict launch of EC2 instances by instance type
The following example policy restricts access of an IAM identity to only launch EC2 instances whose instance type matches t3.* (that is, any type in the t3 family):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:AccountId:instance/*"
      ],
      "Condition": {
        "StringNotLike": {
          "ec2:InstanceType": "t3.*"
        }
      }
    },
    {
      "Sid": "AllowRunInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ]
    },
    {
      "Sid": "AllowToDescribeAll",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowCreateTagsOnLaunching",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:AccountId:*/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": [
            "RunInstances"
          ]
        }
      }
    }
  ]
}
Note: Replace the instance type t3.* with your instance type, for example t3.nano. Also, replace AccountId with your account ID.
For more information, see Amazon EC2 instance type naming conventions.
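How the three policies above combine an explicit Deny, an Allow and a condition is easiest to see by evaluating them offline. The following Python is an added example, not code from the AWS article: a minimal evaluator that covers only the StringEquals/StringLike operators and their negations (real IAM evaluation also weighs SCPs, permissions boundaries and resource-based policies), and the account ID, instance ARN and helper names are constructed for the demonstration.

```python
import fnmatch
NEGATED = {"StringNotEquals", "StringNotLike"}

def as_list(v):
    return [v] if isinstance(v, str) else v

def cond_match(op, want, have):
    # A missing context key makes positive operators false and negated ones true;
    # that asymmetry is what lets the "Deny unless tagged" statement catch untagged launches.
    if have is None:
        return op in NEGATED
    hit = fnmatch.fnmatchcase(have, want) if op.endswith("Like") else have == want
    return not hit if op in NEGATED else hit

def applies(stmt, action, resource, ctx):
    """True when the statement matches the action, resource and request context."""
    for field, value in (("Action", action), ("Resource", resource)):
        if not any(fnmatch.fnmatchcase(value, p) for p in as_list(stmt[field])):
            return False
    for op, pairs in stmt.get("Condition", {}).items():
        for key, want in pairs.items():
            if not any(cond_match(op, w, ctx.get(key)) for w in as_list(want)):
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Explicit Deny always wins; otherwise an Allow is required; else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision

INST = "arn:aws:ec2:*:123456789012:instance/*"  # constructed placeholder account ID
def launch_policy(op, key, value):
    # Shape of the two "Restrict launch" policies: Deny RunInstances unless the
    # condition holds, plus the Allow the launch needs (other resource ARNs omitted).
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": ["ec2:RunInstances"], "Resource": [INST],
         "Condition": {op: {key: value}}},
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [INST]}]}
# Start/stop/reboot policy: Allow only on instances whose Owner tag is Bob.
MANAGE_OWN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances",
     "ec2:RebootInstances"], "Resource": [INST],
     "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": "Bob"}}}]}
BY_TAG = launch_policy("StringNotLike", "aws:RequestTag/Owner", "*")
BY_TYPE = launch_policy("StringNotLike", "ec2:InstanceType", "t3.*")
```

Against these policies, an untagged RunInstances request or an m5.large launch yields ExplicitDeny, while StopInstances on an instance tagged Owner=Alice is an ImplicitDeny simply because no statement allows it.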
Related information
How do I create an IAM policy to control access to Amazon EC2 resources through tags?
AWS OFFICIAL. Updated a year ago.