Requirement: to restrict an IAM user from creating a VPC with dedicated tenancy. The IAM user should only be able to create VPCs with default tenancy.
IAM policy attached to the IAM user:
{
"Sid": "limitedTenancyVpc",
"Effect": "Deny",
"Action": "ec2:CreateVpc",
"Resource": "arn:aws:ec2:*:*:vpc/*",
"Condition": {
"ForAnyValue:StringNotLike": {
"ec2:Tenancy": [
"default"
]
}
}
}
I know that for a VPC, InstanceTenancy is the keyword to be used. I tried it in the condition; however, it's not working. An IAM user with this policy attached is able to create a VPC with dedicated tenancy.
Please suggest.
It is not possible to restrict this, as there is no condition key associated with the ec2:CreateVpc action. See the list of available EC2 condition keys.
However, the ec2:Tenancy condition key is available for ec2:RunInstances. So you can instead deny requests to launch instances with dedicated tenancy as a guardrail.
There are 3 different tenancy types: default, dedicated and host. Deny requests if the tenancy is set to either host or dedicated.
{
"Sid": "limitedTenancyVpc",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"ec2:Tenancy": [
"host",
"dedicated"
]
}
}
}
I have a general EC2 IAM role that I use to join every new Windows EC2 instance that is spun up to a domain. One of those instances needs to be able to read SQS, and only that instance! I created a VPC endpoint for SQS and now I am trying to limit access via the condition aws:SourceArn, where that is the ARN of the EC2 instance, or via aws:SourceIp with the private IP of the instance (tried the public one too; didn't work).
Here is what my SQS access policy looks like.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "sqspolicySailpointDevDocument",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123123123123:role/apigateway_sqs"
},
"Action": "sqs:*",
"Resource": "arn:aws:sqs:us-west-2:123123123123:SailpointSqsDev"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123123123123:role/terraform-AWS-EC2-Domain-Join"
},
"Action": "sqs:*",
"Resource": "arn:aws:sqs:us-west-2:123123123123:SailpointSqsDev",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:ec2:us-west-2:123123123123:instance/i-075b02dfsdfdf435"
}
}
}
]
}
Second example for the condition:
"Condition":{
"IpAddress":{
"aws:SourceIp":"10.2.32.34"
}
}
Third example: this one can't pass validation even though it's from the global condition key context.
InvalidParameterValue: Value aws:VpcSourceIp for parameter Condition is invalid. Reason: Conditions must be from Global context key list https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html.
"Condition": {
"IpAddress": {
"aws:VpcSourceIp": "10.2.0.0/16"
}
}
I can't use ec2:SourceInstanceARN because the policy allows only global condition keys.
Worst-case scenario, the VPC endpoint has a security group and I could limit access from there, but it's not nearly an ideal solution...
VpcSourceIp is not available for SQS, so in order to achieve what I want, one would need a VPC endpoint (vpce) for SQS in the VPC and then limit access in the security group of the vpce.
We have a few users who basically have access to everything using the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Is there a way to restrict access to selected VPCs?
I have tried creating the following policy and attaching it to the user (via a group):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1504660000000",
"Effect": "Deny",
"Action": [
"ec2:*"
],
"Resource": [
"arn:aws:ec2:<REGION>:<ACCOUNT-ID>:vpc/<VPC-ID>"
]
}
]
}
I have replaced <REGION>, <ACCOUNT-ID> and <VPC-ID>.
The policy simulator denies access (StartInstances, StopInstances, etc.) correctly. Nevertheless, a user with this policy attached can still create EC2 instances within the VPC.
Why does my policy not deny access to the VPC? As far as I know, "Deny" overrides "Allow".
What is the correct way of achieving this? I have read through this and this but don't understand how it would restrict access.
It's a tricky one. You have to refer to and include all actions (including resources) which support the ec2:Vpc condition and deny those API actions. For other actions, you have to find conditions which are common to the API actions, include those actions in separate statement blocks, and deny those by other means, e.g. using tags or something else.
Also, as the users have AdministratorAccess, you have to make sure that the users cannot detach this Deny policy and escalate their privileges.
For other services which use a VPC, e.g. RDS, it is not possible.
[1] http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html
Here, you don't want to give permission to EC2 inside one VPC. So, you should consider the VPC as a condition and EC2 as the resource.
Look at the code below:
{
"Effect": "Deny",
"Action": "ec2:*",
"Resource": "arn:aws:ec2:region:account:subnet/*",
"Condition": {
"StringEquals": {
"ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"
}
}
}
Explanation: here we are denying the permissions to EC2 which are under a specific VPC. Here I have added subnet as the EC2 resource; it is optional. You may add it if required.
I am trying to enable access to EC2 for our vendor. So, what I did: I added the tag "Vendor" to the dedicated EC2 instances.
Then, I added the policy below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Vendor": "Takamol"
}
}
},
{
"Effect": "Deny",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:TerminateInstances"
],
"Resource": "*"
}
]
}
Nevertheless, the user (who belongs to the group the policy is attached to) cannot see any EC2 instance, even though the policy condition restricts by the tag "Vendor" (as you notice).
How can I allow the user to manage only EC2 instances which have the tag Vendor = Takamol?
What you're trying to achieve isn't possible. This is because of a concept called "Resource Level Permissions". Actions that support Resource level permissions allow you to use IAM to allow/deny a user the ability to perform an action on some subset of the resources in question, e.g. EC2 instances with a particular tag, S3 buckets, VPCs etc. Actions that don't support Resource Level Permissions can only be allowed/denied for ALL resources, and can only be allowed to a user in a statement where the resource is * and where there are no conditions.
Unfortunately for you, not all EC2 Actions support Resource Level Permissions. The reason that your user can't see any EC2 instances with the above IAM policy is that the ec2:Describe* API calls (used in the console to list all the instances in the account) do NOT support resource level permissions.
So even though ec2:Describe* falls under ec2:* which you allow for tagged instances in the first statement in the policy, ec2:Describe* with a condition evaluates to DENY all ec2:Describe*.
What people usually end up doing is allowing the vendor access to see all instances in the account and then only allowing them the additional permissions they need for a particular set of instances. See the policy below; it will allow the user to see all instances but only start, stop and reboot instances with the required tag.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSeeEverything",
"Effect": "Allow",
"Action": [
"ec2:Describe*"
],
"Resource": [
"*"
]
},
{
"Sid": "ThingsIAllowThemToDoForTaggedEc2s",
"Effect": "Allow",
"Action": [
"ec2:RebootInstances",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Vendor": "Takamol"
}
},
"Resource": [
"*"
]
}
]
}
The list of which EC2 API calls support resource-level permissions, along with which conditions are supported, is documented in Supported Resource-Level Permissions for Amazon EC2 API Actions. I also recommend reading the Demystifying EC2 Resource-Level Permissions blog post.
I want to be able to apply tags only to instances running in EC2 on a particular VPC (vpc-11111111).
I tried to use the policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EC2TagNonresourceSpecificActions",
"Effect": "Allow",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeTags"
],
"Condition": {
"StringEquals": {
"ec2:vpc": "arn:aws:ec2:<myRegion>:<myCustomerId>:vpc/vpc-11111111"
}
},
"Resource": "*"
}
]
}
but the user with this policy cannot modify the tags unless I remove the condition.
What have I done wrong?
Tags do not support conditions, according to Amazon docs and support.
This has been a long-standing feature request for several years!
Normally, if a particular AWS user is given some rights, the tag rights are inside those policies.
A mistake in your new policies will overwrite that default access. You should try it out using the AWS policy simulator.
Try adding a principal and try it out:
"Principal": {
"AWS": "arn:aws:iam::<myCustomerId>:user/*"
}
I have created a VPC with the bare minimum of information: the VPC name, CIDR block, and default tenancy type. I then created a policy to administer the VPC and added it to a newly created user. My plan was to then log in as that user and complete the VPC setup, including subnets, EC2 instances, RDS, routing, etc.
The problem is that when I log in, the user has no authority at all. They are not authorised for any EC2 or VPC services. I cannot even see the VPC that I have created. Presumably there is something wrong with my policy. Here it is:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws:ec2:ap-southeast-2:999999999999:vpc/vpc-99999999"
}
]
}
(Obviously that's not the real account number or VPC ID.)
Do I just need an additional permission to the IAM service? If so, what is it? Or is it more complex than that?
It's not clear what permissions you exactly wish to provide. However, the following will give you a large amount of access, localized to the specific VPC you wish to administer.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"
}
}
}
]
}
(Update region, account, and VPC ID in the above.)
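The threads above keep running into the same evaluation rules: an explicit Deny beats any Allow, a condition whose key is absent from the request context simply fails to match, and Describe* calls carry no resource, tag or VPC keys at all. The following Python model is an added example written for this page, not AWS code and not from any of the posters; it implements only the operators used here (StringEquals, StringLike, ForAnyValue/ForAllValues) and checks three policies from the page: the RunInstances tenancy guardrail, the original and corrected vendor-tag policies, and the ec2:Vpc-scoped policy in the last answer. The account, instance and VPC identifiers in it are constructed placeholders.

```python
"""Offline model of IAM policy evaluation (constructed teaching example, not AWS
code): an explicit Deny wins, otherwise some Allow must match, otherwise the
request is implicitly denied.  Only the operators used on this page are modelled;
a condition whose key is absent from the request context evaluates to false,
which is AWS's rule for the non-negated operators modelled here."""
from fnmatch import fnmatchcase


def _as_list(x):
    return x if isinstance(x, list) else [x]


def condition_matches(condition, context):
    """Evaluate one Condition block against the request-context dict."""
    for operator, pairs in condition.items():
        # "ForAnyValue:StringEquals" -> set_op="ForAnyValue", base="StringEquals"
        set_op, _, base = operator.partition(":")
        if not base:
            set_op, base = "", set_op
        for key, wanted in pairs.items():
            wanted = _as_list(wanted)
            if key not in context:          # missing key: the condition is false
                return False
            present = _as_list(context[key])
            if base == "StringEquals":
                hits = [p in wanted for p in present]
            elif base == "StringLike":      # IAM * and ? wildcards, case-sensitive
                hits = [any(fnmatchcase(p, w) for w in wanted) for p in present]
            else:
                raise ValueError(f"operator {operator} is not modelled")
            if not (all(hits) if set_op == "ForAllValues" else any(hits)):
                return False
    return True


def statement_applies(stmt, action, resource, context):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and condition_matches(stmt.get("Condition", {}), context))


def evaluate(policies, action, resource, context):
    """Return 'DENY' (explicit), 'ALLOW' or 'IMPLICIT_DENY'."""
    decision = "IMPLICIT_DENY"
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "DENY"
                decision = "ALLOW"
    return decision


# Constructed sample data: the account, instance and VPC ids below are made up.
ACCT = "111111111111"
INSTANCE = f"arn:aws:ec2:us-west-2:{ACCT}:instance/i-0123456789abcdef0"
TAG = "ec2:ResourceTag/Vendor"

# Tenancy guardrail from the first answer, plus an Allow so launches can succeed.
TENANCY_GUARDRAIL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
     "Condition": {"ForAnyValue:StringEquals": {"ec2:Tenancy": ["host", "dedicated"]}}},
]}
# The vendor policy as first posted: every ec2 action gated on the Vendor tag.
VENDOR_ORIGINAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringEquals": {TAG: "Takamol"}}},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["ec2:CreateTags", "ec2:DeleteTags", "ec2:TerminateInstances"]},
]}
# The corrected vendor policy: unconditional Describe*, tag-scoped start/stop/reboot.
VENDOR_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": ["*"]},
    {"Effect": "Allow", "Resource": ["*"],
     "Action": ["ec2:RebootInstances", "ec2:StartInstances", "ec2:StopInstances"],
     "Condition": {"StringEquals": {TAG: "Takamol"}}},
]}
# The last answer's VPC-scoped policy; its condition has the same Describe* problem.
VPC_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:Vpc": f"arn:aws:ec2:us-west-2:{ACCT}:vpc/vpc-1a2b3c4d"}}},
]}


def launch_decision(tenancy):
    """RunInstances carries ec2:Tenancy in its request context."""
    return evaluate([TENANCY_GUARDRAIL], "ec2:RunInstances", INSTANCE, {"ec2:Tenancy": tenancy})


def describe_decision(policy):
    """Describe* calls carry no tag or VPC keys, so any such condition fails."""
    return evaluate([policy], "ec2:DescribeInstances", "*", {})


def instance_decision(policy, action, tags):
    """Instance-level actions expose the target's tags as ec2:ResourceTag/<key>."""
    return evaluate([policy], action, INSTANCE, {f"ec2:ResourceTag/{k}": v for k, v in tags.items()})
```

Running `launch_decision("dedicated")` returns DENY while `launch_decision("default")` returns ALLOW, which is the guardrail working as the first answer describes. `describe_decision(VENDOR_ORIGINAL)` and `describe_decision(VPC_SCOPED)` both return IMPLICIT_DENY because the request context for a Describe call has no tag or VPC key to satisfy the condition, whereas `describe_decision(VENDOR_FIXED)` returns ALLOW; that is exactly why the vendor user saw no instances and why the VPC-scoped policy in the last answer needs an unconditional Describe* statement alongside it. Compare with the real `aws iam simulate-custom-policy` command before relying on any of this for production policies, since the model ignores negated operators, the Principal element and service-specific keys.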