Providing Access to a single EC2 Instance


I am working in IAM Identity Center to provide access for a user to a single EC2 instance. I have managed to set up the policies in IAM and set up the permission sets and assigned them to users/accounts. The EC2 instance is already tagged.

However, when I modify the policy to have a condition of StringEquals on ec2:ResourceTag or aws:ResourceTag with whatever key/string combination, the user loses access to the instance.

The EC2 instances console list shows an "ec2:DescribeInstances because no identity-based policy allows the ec2:DescribeInstances action" error whenever StringEquals is used, if that helps. Additionally, StringNotEquals gives the user access again.

Policy JSON as follows:

    "StringEquals": { "ec2:ResourceTag/Project": "Projname" }

EC2 instance has been tagged with key Project, string Projname.

Trying aws:ResourceTag/Name = "instance.name" (as copy pasted from the console instance tag tab) does not work either.

Any ideas how to solve this?

4 Answers

Hello.

Despite the documentation below, the "ec2:Describe*" API actions do not support resource-level permissions, so you cannot control the individual resources that users can see in the console.
In other words, you can only set it to either "Show all EC2 instances" or "Do not show all."
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-ec2-console.html#ex-read-only

The Amazon EC2 ec2:Describe* API actions do not support resource-level permissions, so you cannot control which individual resources users can view in the console. Therefore, the * wildcard is necessary in the Resource element of the above statement. For more information about which ARNs you can use with which Amazon EC2 API actions, see Actions, resources, and condition keys for Amazon EC2.

By the way, the condition keys that can be set are described in the following document.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html

answered 14 days ago
reviewed 14 days ago
  • Unfortunately, it is not possible to restrict visibility via the management console. You cannot restrict the display, but there are some actions that can be controlled on a tag-based basis, as shown below, so it is a good idea to look at the documentation and narrow down the actions you need.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": [
                    "ec2:Describe*"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Statement2",
                "Effect": "Allow",
                "Action": [
                    "ec2:StartInstances",
                    "ec2:StopInstances"
                ],
                "Resource": [
                    "arn:aws:ec2:ap-northeast-1:111111222222:instance/*"
                ],
                "Condition": {
                    "StringEqualsIfExists": {
                        "ec2:ResourceTag/Owner": "HOGE"
                    }
                }
            }
        ]
    }
    

So is there another way to allow a user access/control to only specific EC2 instances?

You can extend the policy provided by @Riku_Kobayashi to define only the instances that can be started & stopped:

    {
        "Effect": "Allow",
        "Action": [
            "ec2:StartInstances",
            "ec2:StopInstances"
        ],
        "Resource": [
            "arn:aws:ec2:ap-northeast-1:111111222222:instance/i-0123456789abcdef"
        ]
    }

In terms of connecting to an instance, you can't use IAM to limit which users can SSH onto an instance on port 22.

You can control which IAM users can access through Session Manager by adding something like this to the policy https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html#ssh-connections-permissions

    {
        "Effect": "Allow",
        "Action": "ssm:StartSession",
        "Resource": [
            "arn:aws:ec2:ap-northeast-1:111111222222:instance/i-0123456789abcdef",
            "arn:aws:ssm:ap-northeast-1:111111222222:document/AWS-StartSSHSession"
        ]
    }
answered 14 days ago
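The two answers above rest on two IAM evaluation rules that the thread states but does not show working: a tag condition key is simply absent from the request context of an ec2:Describe* call (so StringEquals fails, while StringNotEquals and StringEqualsIfExists pass when the key is missing), and a Resource ARN scopes StartInstances/StopInstances and ssm:StartSession to one instance. The following is an added example, not code from either answerer or from AWS: a small simulator of those rules, run over the asker's policy with each operator and over the combined policy from the second answer. The account ID, region, instance IDs, document ARN and tags are constructed for the example; only the evaluation rules it encodes are real IAM behaviour.

```python
"""Minimal IAM policy evaluator (added example, not AWS code).

Rules simulated: Describe* requests carry no ec2:ResourceTag/* key; a plain
StringEquals on a missing key is false, a negated operator (StringNot*) or an
...IfExists operator on a missing key is true; each resource in a request must
be allowed by some Allow statement whose Action, Resource and Condition match,
otherwise the result is an implicit deny. Explicit Deny is not modelled
because none of the policies in the thread use it.
"""
import re

# Constructed identifiers (same shape as the thread's examples, not real).
ACCOUNT = "111111222222"
REGION = "ap-northeast-1"
INSTANCE = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0123456789abcdef"
OTHER = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0fedcba987654321"
DOC = f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/AWS-StartSSHSession"


def request(action, resources, tags=None):
    """Build a request context. Describe* calls pass no tags: the context then
    contains no ec2:ResourceTag/* key at all, which is the crux of the thread."""
    ctx = {f"ec2:ResourceTag/{k}": v for k, v in (tags or {}).items()}
    return {"action": action, "resources": resources, "context": ctx}


def _glob(pattern, value):
    # IAM wildcard matching: * is any run of characters, ? a single character.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_true(cond, ctx):
    for op, pairs in cond.items():
        if_exists = op.endswith("IfExists")
        base = op[: -len("IfExists")] if if_exists else op
        negated = base.startswith("StringNot")
        like = base.endswith("Like")
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:
                # Missing key: ...IfExists and negated operators pass, plain
                # StringEquals/StringLike fail. This is why StringNotEquals
                # "gives the user access again" on DescribeInstances.
                if if_exists or negated:
                    continue
                return False
            matched = any(_glob(w, have) if like else w == have
                          for w in _as_list(want))
            if matched == negated:
                return False
    return True


def evaluate(policy, req):
    """Return "allowed" if every resource in the request is covered by a
    matching Allow statement, else "implicitDeny"."""
    for res in req["resources"]:
        covered = False
        for stmt in policy["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            if not any(_glob(a, req["action"]) for a in _as_list(stmt["Action"])):
                continue
            if not any(_glob(p, res) for p in _as_list(stmt["Resource"])):
                continue
            if not _condition_true(stmt.get("Condition", {}), req["context"]):
                continue
            covered = True
            break
        if not covered:
            return "implicitDeny"
    return "allowed"


def describe_policy(operator):
    """The asker's shape: Describe* with a tag condition under the given operator."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*",
        "Condition": {operator: {"ec2:ResourceTag/Project": "Projname"}}}]}


def scoped_policy():
    """The second answer's shape: unconditional Describe*, start/stop and SSM
    sessions only on one instance ARN (tag condition kept as IfExists)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": INSTANCE,
         "Condition": {"StringEqualsIfExists": {"ec2:ResourceTag/Project": "Projname"}}},
        {"Effect": "Allow", "Action": "ssm:StartSession", "Resource": [INSTANCE, DOC]},
    ]}


def describe_outcomes():
    """ec2:DescribeInstances under each operator mentioned in the thread."""
    req = request("ec2:DescribeInstances", ["*"])  # no resource, so no tag keys
    return {op: evaluate(describe_policy(op), req)
            for op in ("StringEquals", "StringNotEquals", "StringEqualsIfExists")}


def scoped_outcomes():
    pol = scoped_policy()
    return {
        "describe": evaluate(pol, request("ec2:DescribeInstances", ["*"])),
        "start_target": evaluate(pol, request("ec2:StartInstances", [INSTANCE], {"Project": "Projname"})),
        "start_other": evaluate(pol, request("ec2:StartInstances", [OTHER], {"Project": "Projname"})),
        "start_target_wrong_tag": evaluate(pol, request("ec2:StartInstances", [INSTANCE], {"Project": "Other"})),
        "session_target": evaluate(pol, request("ssm:StartSession", [INSTANCE, DOC])),
        "session_other": evaluate(pol, request("ssm:StartSession", [OTHER, DOC])),
    }


if __name__ == "__main__":
    for name, outcome in {**describe_outcomes(), **scoped_outcomes()}.items():
        print(f"{name:24} {outcome}")
```

Running it reproduces the asker's symptom (StringEquals on Describe* is an implicit deny, StringNotEquals and StringEqualsIfExists are allowed because the key is absent, not because the tag matched) and the second answer's scoping (start/stop and StartSession succeed only against the one instance ARN plus the SSM document). The practical caveat this makes visible: StringNotEquals "working" on Describe* grants listing of every instance, which is the opposite of what the asker wanted.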

Thanks for the speedy reply. So is there another way to allow a user access/control to only specific EC2 instances?

answered 14 days ago

Got it. Thanks for the responses, everyone!

So it seems tagging really isn't the way to go about this. We looked, and the things we can do via tagging in EC2 seem to be quite limited. We'll probably have to redo how we deploy instances and have a different IAM user deploy every instance instead.

answered 13 days ago
