By using AWS re:Post, you agree to the Terms of Use

Create IAM user for a specific EC2 instance

0

Hi there, Previously we have deployed an EC2 instance using AWS goat: https://github.com/ine-labs/AWSGoat

However, we deployed it with administrator user access. The account will need access to the following services:

  • API gateway
  • S3 Bucket
  • Lambda
  • DynamoDB
  • Ec2
  • Security Groups
  • VPC
  • Roles
  • Policies

How can I do this?

1 Answer
0

I want to start by making sure that you understand you've deployed an EC2 instance which is deliberately vulnerable to a bunch of attacks. If you did not intend to do this please consider shutting it down.

If you are aware, that's ok. To your question:

There are a few concepts there that seem to be a bit jumbled.

You say "we deployed it with administrator access". Does this mean that the EC2 instance role has the IAM AdministratorAccess policy assigned to it? If so, that means that the instance has the ability to do all of the things that you've listed; but also more.

If you wish to limit that instance so that it can only add/modify/remove the AWS components that you've listed then you will need to write an IAM policy (or one policy per service if you like) and attach those policies to the instance role while removing the AdministratorAccess policy.

Note that "access" to someting like API Gateway can mean many thing: Is it the ability to create and administer API Gateway? Or is it the ability to call existing APIs that are hosted in APi Gateway?

Also, "access" could mean "read only" or it might mean "modify" so best to clarify what you need the instance to do and the write the appropriate policies.

Finally, it's possible that I've misunderstood here because you've also said "The account will need access to..." which implies an IAM user logging into the AWS account. If that's the case then the same comments above hold true; but the policies need to be applied to the user who is logging in rather than the EC2 instance role.

profile picture
EXPERT
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions