By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

instance refuses to start with sucesses notification

0

Hi Community!

I have created a IAM user that I have only given them access to start and stop an instance. I have applied the below

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:StartInstances", "ec2:StopInstances" ], "Resource": "arn:aws:ec2:::instance/", "Condition": { "StringEquals": { "aws:ResourceTag/Owner": "${aws:username}" } } }, { "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "" } ] }

and tagged the Instance I want them to have the ability to start or stop instance with the tag Owner and the users name.

When I start the instance with the user. it says "successfully started" changes to a pending state, then goes back to stopped after about 1 second however, it will allow me to turn off the EC2 Instance.

Topics
ComputeSecurity, Identity, & Compliance
Tags
Amazon EC2IAM Policies
Language
English
rePost-User-5684989
asked a year ago215 views
1 Answer
0

If the instance is going from "successfully started" to a "stopped" state after about 1 second, it's possible that the instance is failing to launch properly.

You can try checking the instance's console output to see if there are any error messages that can help diagnose the issue.

  1. Go to the EC2 console.
  2. Select the instance that is failing to start.
  3. Click on the "Actions" button at the top of the page.
  4. Select "Instance Settings", then "Get System Log".
  5. Review the log output for any error messages that may indicate why the instance is failing to start.

You can also try updating the IAM policy to allow the user to describe instance status and see if that helps provide more information on why the instance is failing to start.

Here is an example of an updated IAM policy that allows the user to describe instance status:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:::instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Owner": "${aws:username}"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus"
      ],
      "Resource": "*"
    }
  ]
}

Remember to replace the existing IAM policy with the updated version and to retest the start/stop instance functionality with the IAM user.

hash
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content