Specify Individual Instance In Trust Policy Of IAM Role
0
The following trust policy is the default trust policy for an EC2 instance role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Principal": {
                "Service": [
                    "ec2.amazonaws.com"
                ]
            }
        }
    ]
}
Is it possible to limit this trust policy to allow the role to only be attached to a specific instance? I know that it would be possible to only grant the IAM permissions to a user to pass this role to a specific instance but I would also like to limit the scope of this role to a specific instance at the same time.
1 Answer
0
I could not find a way to do this and this article confirms this, How to use trust policies with IAM roles:
Several customers have asked if it’s possible to design a trust policy for an IAM role such that it can only be passed to a specific Amazon EC2 instance. This isn’t directly possible. You cannot place the Amazon Resource Name (ARN) for an EC2 instance into the Principal of a trust policy, nor can you use tag-based condition statements in the trust policy to limit the ability for the role to be used by a specific resource.
The only option is to manage access to the iam:PassRole action within the permission policy for those IAM principals you expect to be attaching IAM roles to AWS resources. This special Action is evaluated when a principal tries to attach another IAM role to an AWS service or AWS resource.
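As an added example (not part of the question or the answer above), this is what that iam:PassRole restriction looks like on the permission-policy side: the principal may pass only one named role, only to EC2, and may associate an instance profile only with one named instance. The account ID, role name, region and instance ID are placeholders, and the second statement assumes that ec2:AssociateIamInstanceProfile accepts an instance ARN as its resource (it is listed with the instance resource type in the EC2 service authorization reference).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassOnlyThisRoleAndOnlyToEc2",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/ExampleInstanceRole",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AttachProfileOnlyToThisInstance",
      "Effect": "Allow",
      "Action": "ec2:AssociateIamInstanceProfile",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
    }
  ]
}
```

The trust policy on the role itself stays as in the question; the instance-specific scoping lives entirely in the policy of the principal doing the attaching, so any other principal with an unrestricted iam:PassRole can still attach the role elsewhere.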