AWS Amazon IAM user Policy to access ONLY one EC2 instance on EU-WEST-1 region

Tedi Çela picture Tedi Çela · Dec 19, 2013 · Viewed 17.5k times · Source

I have read the AWS documentation and it wasn't helpful... at least not for me. I have read about IAM and the user policy on the EC2.

I want to make users have full access/(or just some actions allowed) only on ONE ec2 instance.

The region I'm using is eu-west-1(Ireland). I made this policy:

{
  "Version": "2012-10-17",
  "Statement": [{ 
    "Effect": "Allow",
    "Action":   "ec2:*", 
    "Resource": "arn:aws:ec2:eu-west-1:ACCOUNT_ID:instance/INSTANCE_ID"
  }]
}

and when I login as the user, I see that I'm not authorized:

  • You are not authorized to describe Running Instances
  • You are not authorized to describe Elastic IPs
  • You are not authorized to describe Volumes
  • You are not authorized to describe Snapshots
  • You are not authorized to describe Key Pairs
  • You are not authorized to describe Load Balancers
  • You are not authorized to describe Placement Groups
  • You are not authorized to describe Security Groups

If I apply the following policy for the resource attribute:

"Resource": "arn:aws:ec2:*"

it's Ok but it's not what I need because users have access on all EC2 instances.

I want to know if this is a bug of AWS or there are problems with eu-west-1 region or this policy isn't supported already? Or maybe I'm wrong, if so, please help me how to do


Answer

Steffen Opel picture Steffen Opel · Dec 19, 2013

The recently introduced Resource-Level Permissions for EC2 and RDS Resources are not yet available for all API actions, but AWS is gradually adding more, see this note from Amazon Resource Names for Amazon EC2:

Important Currently, not all API actions support individual ARNs; we'll add support for additional API actions and ARNs for additional Amazon EC2 resources later. For information about which ARNs you can use with which Amazon EC2 API actions, as well as supported condition keys for each ARN, see Supported Resources and Conditions for Amazon EC2 API Actions.

You will find that all ec2:Describe* actions are indeed absent still from Supported Resources and Conditions for Amazon EC2 API Actions at the time of this writing.

See also Granting IAM Users Required Permissions for Amazon EC2 Resources for a concise summary of the above and details on the ARNs and Amazon EC2 condition keys that you can use in an IAM policy statement to grant users permission to create or modify particular Amazon EC2 resources - this page also mentions that AWS will add support for additional actions, ARNs, and condition keys in 2014.

Possible Workaround/Alternative

Instead of or in addition to constraining access on the individual resource level, you might want to check into (also) using Conditions combined with Policy Variables, insofar ec2:Regionis one of the supported Condition Keys for Amazon EC2 - you might combine your policy with one that specifically handles Describe* actions, e.g. something like this (untested):

{
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Region": "eu-west-1"
        }
      }
    }
  ]
}

Please note that this would still allow the user to see all instances in eu-west-1, even though your original policy fragment would prevent all API actions that already support resource level permissions (e.g instance creation/termination etc.).

I've outlined yet another possible approach in section Partial Workaround within my related answer to How to hide instances in EC2 based on tag - using IAM?.

Good Luck!