Amazon EBS will support AWS global condition keys and seven EC2-specific keys for source snapshots in CopySnapshot and CreateVolume requests

0

Can anyone help me understand the recent changes taking place for AWS CreateVolume and CreateSnapshot EBS API where we need to make changes in policy permissions.

2개 답변
2

So far, permission policies haven't evaluated seven specific EC2-specific condition keys and all the global condition keys for the snapshot specified for ec2:CreateVolume operations or as the source snapshot for ec2:CopySnapshot operations. The seven EC2-specific keys are ec2:ProductCode, ec2:Encrypted, ec2:VolumeSize, ec2:ParentSnapshot, ec2:Owner, ec2:ParentVolume, and ec2:SnapshotTime.

What AWS is changing today is that the condition keys start to be evaluated for the source snapshot in those operations.

If you received the health notification, you probably have one of the keys contained in some policy applied in your account. It doesn't necessarily mean that the change would break anything, but for example, if you had a "Deny" statement in some of your policies blocking operations when they contain the ec2:Encrypted key with a false value, then before the change, that would have prevented creating unencrypted EBS volumes, but after the change, it would additionally prevent volumes from being created from unencrypted snapshots. The EBS snapshots of public AMIs, such as those that most would use to launch basic, uncustomised virtual servers, are unencrypted, so the preexisting Deny statement would suddenly start blocking regular server launches. Previously, the ec2:Encrypted key wouldn't have been present in ec2:CreateVolume operations with the snapshot as the resource, and that's why even a broadly applied Deny statement wouldn't have matched it.

Of the global condition keys (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html), it would probably be keys like aws:ResourceTag/tag-key, aws:ResourceAccount, or aws:ResourceOrgID that are most typically used to restrict operations in a way that might lead to access to the snapshots to be blocked inadvertently. For example, if creating volumes was meant to require certain tags but the policy statement isn't scoped to resources of the volume type, the restrictions would also start to get evaluated for the source snapshots from which volumes are created.

If you notice anything not working after the change is implemented, you should review the policies applied to the acting principal and check for statements that either allow actions conditionally based on any of those seven EC2 keys or the global condition keys, or explicitly deny actions based on them, and adjust them so that the actions that are needed are permitted. If you have CloudTrail logs sent to an S3 bucket and have Athena or another solution for analysing them, you can look for operations with eventSource = ec2.amazonaws.com and errorCode "is not null" to find them. Note that the logged eventName might not be CreateVolume, for example, but RunInstances or another operation that gets the associated CreateVolume permission authorised as part of executing the parent operation.

전문가
답변함 2달 전
profile picture
전문가
검토됨 2달 전
profile picture
전문가
검토됨 2달 전
0

Hello @Intros

To modify policy permissions for the AWS CreateVolume and CreateSnapshot EBS API actions, follow these steps:

Step 1: Identify Required Permissions Determine the specific permissions needed for the CreateVolume and CreateSnapshot actions. The basic permissions required are:

ec2:CreateVolume ec2:CreateSnapshot

Step 2: Update IAM Policy You need to update the IAM policy associated with the user or role that will perform these actions. Here’s how to do it:

Navigate to IAM in the AWS Management Console:

Go to the AWS Management Console. Select "IAM" from the services menu. Find the User or Role:

Click on "Users" or "Roles" depending on who needs the permissions. Select the specific user or role. Attach or Edit Policy:

If you need to create a new policy, click on "Add permissions" and then "Create policy". If you are editing an existing policy, click on the policy name and then "Edit policy". Add Permissions:

In the policy editor, you can use the JSON tab to add the following permissions: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateVolume", "ec2:CreateSnapshot" ], "Resource": "*" } ] } Adjust the "Resource" field as necessary to restrict access to specific resources. Review and Save:

Review the changes and click "Review policy" or "Save changes" to apply the new permissions.

Step 3: Test Permissions After updating the policy, test the permissions by attempting to create a volume and a snapshot using the AWS CLI or SDK to ensure that the changes were successful.

Final Answer You need to add ec2:CreateVolume and ec2:CreateSnapshot permissions to the IAM policy for the relevant user or role in AWS IAM.

If the Answer is helpful, please click Accept Answer & UPVOTE, this can be beneficial to other community members.

profile picture
답변함 2달 전
profile picture
전문가
검토됨 2달 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠