- 최신
- 최다 투표
- 가장 많은 댓글
Hi There
Another option would be to allow the users to stop/start from the CLI.
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/start-instances.html
You could create a role that allows them to ONLY perform start/stop actions on their own EC2 instance using tags. See:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_tag-owner.html
If you don't want to authenticate with AWS IAM (and I am guessing you don't want to make this feature public), you need to authenticate the user one way or the other. The "correct answer" here would be to use Cognito or a similar service to authenticate to a lightweight website backed by lambda to orchestrate the EC2.
I can think of one different hack that could work, BUT IT'S A HACK!
If your organization uses a VPN or Bastian, you should have a predictable IP or be able to work from a VPC. You should be able to give them access to S3 or SNS using a condition with "aws:SourceIp" or "aws:VpcSourceIp" or similar. Then use that service (ex, upload a dummy file to s3 using curl) to trigger a lambda that starts the EC2.
But I think you are better off using Cognito or an AWS IAM User!
Thanks, I know about that. I have edited my question to also say that the users of the EC2 instance in question should not have access to the AWS CLI.