Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Writing IAM Policy to ModifyInstanceAttribute - DeleteOnTermination

0

Dear Experts,

I am executing below command from my ec2 instance. (instance id changed on purpose)

aws ec2 modify-instance-attribute --instance-id i-12345 --block-device-mappings "[{"DeviceName": "/dev/sda1","Ebs":{"DeleteOnTermination":false}}]"

I configured following below policy but its still giving me unauthorized error.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "ec2:ModifyInstanceAttribute", "Resource": "arn:aws:ec2::111111111:instance/", "Condition": { "StringEquals": { "ec2:Attribute": "BlockDeviceMapping" } } } ] }

In above, i changed BlockDeviceMapping to DeleteOnTermination, but it didnt work. Can someone tell me how to write the policy?

Topics
ComputeSecurity, Identity, & Compliance
Tags
Amazon EC2IAM Policies
Language
English
asked 3 years ago728 views
1 Answer
0

I havent tried this before, however in the documentation the Case is different than your policy..

Try blockDeviceMapping

Your Instance policy may need to have instance/* for any Instance unless you remove that due to being sensitive

EXPERT
answered 3 years ago
  • rePost-User-8038916
    3 years ago

    this is my policy now, it still doesnt work

    { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "ec2:ModifyInstanceAttribute", "Resource": "*", "Condition": { "StringEquals": { "ec2:Attribute": "blockDeviceMapping" } } } ] }

  • Riku_Kobayashi EXPERT
    3 years ago

    What about "BlockDeviceMappings"? Is there any chance that your policy will not work because it is not in the plural?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content