I have created a VPC with the bare minimum of information: the VPC name, CIDR block, and default tenancy type. I then created a policy to administer the VPC and added it to a newly created user. My plan was to then log in as that user and complete the VPC setup, including subnets, EC2 instances, RDS, routing, etc.
The problem is that when I log in the user has no authority at all. They are not authorised for any EC2 or VPC services. I cannot even see the VPC that I have created. Presumably there is something wrong with my policy. Here it is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "arn:aws:ec2:ap-southeast-2:999999999999:vpc/vpc-99999999"
    }
  ]
}
(Obviously that's not the real account number or VPC ID.)
Do I just need an additional permission to the IAM service? If so, what is it? Or is it more complex than that?
It's not clear what permissions you exactly wish to provide. However, the following will give you a large amount of access, localized to the specific VPC you wish to administer.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"
        }
      }
    }
  ]
}
(Update region, account, and VPC ID in the above.)
I want to create and attach an SCP to the AWS Organization root or an OU to allow the sharing of subnets between accounts only if the share receiver principal (e.g., an AWS account) and the subnet being shared have matching tags (e.g., env:prod). Something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowResourceSharingWithMatchingTags",
      "Effect": "Allow",
      "Action": "ram:ShareResource",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:PrincipalTag/env": "${aws:ResourceTag/env}"
        }
      }
    }
  ]
}
I cannot test the validity of the above policy because I don't have the proper setup and permissions. Has anybody tried to achieve something similar using SCP?
I am planning to implement an AssumeRole scenario, so below is the scenario:
The user will have the ability to create/stop EC2 instances but not terminate them.
To terminate, he has to assume a role (role to be assumed: EC2FullAccess).
I have done the following:
Created a user Test1 with permission to start/stop/launch EC2 instances and provided permission to assume the role (EC2FullAccess). Below is the policy for the user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "*"
    },
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::226904037275:role/EC2FullAccess"
    }
  ]
}
Created a role in the same account with the name EC2FullAccess which gives permission to terminate EC2 instances.
EC2FullAccess uses the AmazonEC2FullAccess permission policy; below is its trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Now when I log in as IAM user Test1 and then click on Switch Role, I provide the details below:
Account: 1234
Role: EC2FullAccess
When I click on Switch Role I get the error below:
Invalid information in one or more fields. Check your information or contact your administrator.
What is it that I am missing?
You can create the Role this way:
Create Role
For Type of Trusted Entity, select Another AWS Account and enter the Account ID for the same account (it is displayed in the same menu as the 'Switch Role' command) -- This might seem odd, but it creates the correct principal in the Trust Policy.
Attach desired policies and Save
Then, use Switch Role.
By the way, assigning EC2FullAccess is probably overkill -- it gives permission to do anything in EC2, including deleting VPCs, deleting Amazon EBS volumes, changing network settings, etc. I suggest you create a specific policy that grants TerminateInstances permission, and possibly even reduce that down to specific instances (eg by tag or VPC).
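Added example (not code from the question or the answer above): a small check that mirrors what IAM looks at when a user switches roles. Two things must hold: the caller's own policy must allow sts:AssumeRole on the role, and the role's trust policy must name the caller (its ARN, its account root ARN, or "*") in an AWS principal. A Service principal such as ec2.amazonaws.com, as in the trust policy posted above, admits only that AWS service, which is why the console rejects the switch. The account ID 111122223333 and the ARNs are constructed placeholders.

```python
"""Added example: does a caller get through both gates of an AssumeRole?
Account 111122223333 and the ARNs here are constructed placeholders."""
import fnmatch

ACCOUNT = "111122223333"                                  # constructed
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/EC2FullAccess"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/Test1"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def identity_allows_assume(identity_policy, role_arn):
    """Gate 1: the caller's identity policy has an Allow for sts:AssumeRole
    whose Resource covers the role ARN."""
    for st in identity_policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if (any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in _as_list(st["Action"]))
                and any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(st["Resource"]))):
            return True
    return False


def trust_policy_admits(trust_policy, caller_arn):
    """Gate 2: some Allow/sts:AssumeRole statement in the role's trust policy names
    the caller. An account root ARN (or bare account ID) delegates the decision to
    that account's identity policies, which is what gate 1 checks. A 'Service'
    principal never admits an IAM user, so it is ignored here."""
    caller_account = caller_arn.split(":")[4]
    root_forms = {f"arn:aws:iam::{caller_account}:root", caller_account}
    for st in trust_policy["Statement"]:
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(st["Action"]):
            continue
        principal = st["Principal"]
        if principal == "*":
            return True
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*" or arn == caller_arn or arn in root_forms:
                return True
    return False


def can_switch_role(identity_policy, trust_policy, caller_arn, role_arn):
    return (identity_allows_assume(identity_policy, role_arn)
            and trust_policy_admits(trust_policy, caller_arn))


# The user policy from the question, with the constructed account ID substituted
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "ec2:*", "Effect": "Allow", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    {"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": ROLE_ARN},
]}

# Trust policy as posted: trusts the EC2 service, not any IAM user
BROKEN_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"},
]}

# Trust policy the answer produces via "Another AWS account" with the same account ID
FIXED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": "sts:AssumeRole"},
]}

if __name__ == "__main__":
    print("posted trust policy:", can_switch_role(USER_POLICY, BROKEN_TRUST, USER_ARN, ROLE_ARN))
    print("account-root trust policy:", can_switch_role(USER_POLICY, FIXED_TRUST, USER_ARN, ROLE_ARN))
```

Run as-is it reports False for the posted trust policy and True for the account-root one. The same check also shows that a user in a different account is still refused by the account-root trust policy, which is the least-privilege property the answer relies on.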
Requirement: To restrict IAM user from creating VPC with dedicated tenancy. IAM user should only be able to create VPC with default tenancy.
IAM Policy Attached to IAM User:
{
  "Sid": "limitedTenancyVpc",
  "Effect": "Deny",
  "Action": "ec2:CreateVpc",
  "Resource": "arn:aws:ec2:*:*:vpc/*",
  "Condition": {
    "ForAnyValue:StringNotLike": {
      "ec2:Tenancy": [
        "default"
      ]
    }
  }
}
I know that for VPCs, InstanceTenancy is the keyword to be used. I tried it in the condition; however, it's not working. An IAM user with this policy attached is able to create a VPC with dedicated tenancy.
Please suggest.
It is not possible to restrict this, as there is no condition key associated with the ec2:CreateVpc action. See the list of available EC2 condition keys.
However, the ec2:Tenancy condition key is available for ec2:RunInstances. So you can instead deny requests to launch instances with dedicated tenancy as a guardrail.
There are 3 different tenancy types: default, dedicated and host. Deny requests if tenancy is set to either host or dedicated.
{
  "Sid": "limitedTenancyVpc",
  "Effect": "Deny",
  "Action": "ec2:RunInstances",
  "Resource": "*",
  "Condition": {
    "ForAnyValue:StringEquals": {
      "ec2:Tenancy": [
        "host",
        "dedicated"
      ]
    }
  }
}
I have an internet-facing Elasticsearch endpoint. I wanted to access it only from within my 2 VPCs, to be specific from my EC2 instances only. Here is the policy I am trying with my VPC CIDR block IPs, but I am unable to access the endpoint from my EC2 instances. My EC2 instances are in private subnets, accessing the internet through a NAT Gateway. Here is my access policy which is not working:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:1XXXXXXXXXXX:domain/my-elasticsearch/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "xx.xx.xx.xx/24",
            "xx.xx.xx.xx/24"
          ]
        }
      }
    }
  ]
}
I have also tried something like this to allow access only from my EC2 instances' assigned IAM role; that didn't work either:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::XXXXXXXXXXX:role/MyEC2Role"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:us-east-1:XXXXXXXXXXX:domain/my-elasticsearch/*"
    }
  ]
}
What am I doing wrong? Or is there a better way to restrict access?
Since you have a public AWS Elasticsearch cluster, allowing your EC2 instances from a private subnet with private IPs won't work.
Try adding the public IP of the NAT in the Access policy of your AWS ES cluster and see if that works.
Also if you are having IAM based access policies, make sure all the requests to AWS ES are signed as mentioned here: https://aws.amazon.com/blogs/database/get-started-with-amazon-elasticsearch-service-an-easy-way-to-send-aws-sigv4-signed-requests/
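Added example (not code from the answer above or from the linked AWS blog post): a minimal AWS Signature Version 4 signer written against the Python standard library, to make concrete what "signed" means in the second policy attempt. With an IP-based access policy the domain only looks at the source address, so an unsigned request from the NAT's public IP is enough; once the policy names an IAM role, an unsigned request arrives as an anonymous principal and is rejected, and the request must carry a SigV4 Authorization header computed with that role's credentials. The domain endpoint, timestamp and credentials below are constructed placeholders.

```python
"""Added example: SigV4 signing of a request to an Elasticsearch domain endpoint.
Endpoint, timestamp and credentials are constructed placeholders."""
import hashlib
import hmac
from urllib.parse import quote


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSecret -> kDate -> kRegion -> kService -> kSigning, as the SigV4 spec lays it out."""
    k = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k = _hmac_sha256(k, region)
    k = _hmac_sha256(k, service)
    return _hmac_sha256(k, "aws4_request")


def sign_request(method, host, path, query, body, access_key, secret_key, region,
                 amz_date, service="es"):
    """Return the headers (host, x-amz-date, authorization) to send with the request.
    amz_date is the ISO basic timestamp, e.g. 20150830T123600Z; its first 8 characters
    are the date stamp that goes into the credential scope."""
    date_stamp = amz_date[:8]
    payload_hash = _sha256_hex(body)
    headers = {"host": host, "x-amz-date": amz_date}
    # Canonical headers: lowercase names, trimmed values, sorted, each line newline-terminated
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    signed_headers = ";".join(sorted(headers))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    canonical_request = "\n".join([method, quote(path, safe="/-_.~"), canonical_query,
                                   canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


# Constructed sample: GET of the cluster health endpoint on a placeholder domain,
# with AWS's documented example access key pair (not a live credential)
SAMPLE = dict(method="GET", host="search-my-elasticsearch-abc123.us-east-1.es.amazonaws.com",
              path="/_cluster/health", query={"pretty": "true"}, body=b"",
              access_key="AKIAIOSFODNN7EXAMPLE",
              secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
              region="us-east-1", amz_date="20150830T123600Z")


def sample_headers():
    return sign_request(**SAMPLE)


if __name__ == "__main__":
    for name, value in sample_headers().items():
        print(f"{name}: {value}")
```

The temporary credentials an instance profile hands out also carry a session token, which must be sent as an x-amz-security-token header and included in the signed headers; the block keeps to long-term keys to stay short. In production code use the signer in botocore (SigV4Auth) or a signing HTTP adapter rather than a hand-rolled one, so the canonicalisation edge cases (duplicate headers, empty paths, double-encoding rules) are handled for you.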
We have a few users who basically have access to everything using the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
Is there a way to restrict access to selected VPCs?
I have tried creating the following policy and attaching it to the user (via a group):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1504660000000",
      "Effect": "Deny",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "arn:aws:ec2:<REGION>:<ACCOUNT-ID>:vpc/<VPC-ID>"
      ]
    }
  ]
}
I have replaced <REGION>, <ACCOUNT-ID> and <VPC-ID>.
The policy simulator denies access (StartInstances, StopInstances, etc.) correctly. Nevertheless, a user with this policy attached can still create EC2 instances within the VPC.
Why does my policy not deny access to the VPC? As far as I know "Deny" overwrites "Allow".
What is the correct way of achieving this? I have read through this and this but don't understand how it would restrict access.
It's a tricky one. You have to refer to and include all actions, including resources, which support the ec2:Vpc condition, and deny those API actions. For other actions, you have to find conditions which are common across API actions and include those actions in separate statement blocks and deny those by other means, e.g. using tags or something else.
Also, as the users have AdministratorAccess, you have to make sure that the users cannot detach this Deny policy and escalate their privileges.
For other services which use VPCs, e.g. RDS, it is not possible.
[1] http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html
Here, you don't want to give permission to EC2 inside one VPC. So, you should use the VPC as a condition and EC2 as the resource.
Look at the code below:
{
  "Effect": "Deny",
  "Action": "ec2:*",
  "Resource": "arn:aws:ec2:region:account:subnet/*",
  "Condition": {
    "StringEquals": {
      "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"
    }
  }
}
Explanation: here we are denying the EC2 permissions which are under a specific VPC. I have used subnet as the EC2 resource; it is optional. You may add it if required.
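Added example (not code from any of the posts above): a deliberately small IAM policy evaluator, with the real service's evaluation order (an explicit Deny wins, then an explicit Allow, otherwise implicit deny), used to replay three of the threads on this page. It shows why the first thread's Allow conditioned on ec2:Vpc leaves the user seeing nothing (ec2:DescribeVpcs carries no ec2:Vpc key, and a condition on a missing key is false), why the last thread's Deny on the VPC's own ARN stops DeleteVpc but not RunInstances (a launch names subnet and instance ARNs, never the vpc ARN), why the Deny keyed on ec2:Vpc over subnet resources does catch the launch, and how the tenancy thread's RunInstances guardrail behaves for dedicated versus default launches. The account ID, region, VPC and subnet IDs are constructed placeholders; simplifications are noted in comments.

```python
"""Added example: a toy IAM evaluator (Deny > Allow > implicit deny) replaying the
policies discussed on this page. IDs are constructed placeholders."""
import fnmatch

ACCT, REGION = "999999999999", "ap-southeast-2"                      # constructed
VPC = f"arn:aws:ec2:{REGION}:{ACCT}:vpc/vpc-99999999"
OTHER_VPC = f"arn:aws:ec2:{REGION}:{ACCT}:vpc/vpc-11111111"
SUBNET = f"arn:aws:ec2:{REGION}:{ACCT}:subnet/subnet-aaaaaaaa"
OTHER_SUBNET = f"arn:aws:ec2:{REGION}:{ACCT}:subnet/subnet-bbbbbbbb"
INSTANCE = f"arn:aws:ec2:{REGION}:{ACCT}:instance/*"   # ID unknown until launch


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _wild(pattern, value):
    # IAM-style wildcards: '*' any run of characters, '?' one character
    return fnmatch.fnmatchcase(value, pattern)


def _condition_ok(cond, ctx):
    """StringEquals / StringLike only. A key absent from the request context makes
    the condition false. The 'ForAnyValue:' prefix is dropped, a simplification that
    is only right for single-valued keys such as ec2:Tenancy."""
    for op, pairs in cond.items():
        op = op.split(":")[-1]
        if op not in ("StringEquals", "StringLike"):
            raise ValueError(f"operator not modelled: {op}")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if op == "StringEquals" and actual not in _as_list(expected):
                return False
            if op == "StringLike" and not any(_wild(p, actual) for p in _as_list(expected)):
                return False
    return True


def _matches(st, action, resource, ctx):
    return (any(_wild(a, action) for a in _as_list(st["Action"]))
            and any(_wild(r, resource) for r in _as_list(st.get("Resource", "*")))
            and _condition_ok(st.get("Condition", {}), ctx))


def evaluate(policies, action, resources, ctx=None):
    """Every resource ARN in the request must be allowed and none denied; that is how
    multi-resource actions such as RunInstances (subnet + instance) are authorised.
    Simplification: one condition context for the whole request."""
    ctx = ctx or {}
    stmts = [s for p in policies for s in p["Statement"]]
    for res in resources:
        if any(s["Effect"] == "Deny" and _matches(s, action, res, ctx) for s in stmts):
            return "Deny"
    for res in resources:
        if not any(s["Effect"] == "Allow" and _matches(s, action, res, ctx) for s in stmts):
            return "ImplicitDeny"
    return "Allow"


def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


ADMIN = _policy({"Effect": "Allow", "Action": "*", "Resource": "*"})
# First thread's answer: everything, but only where the request carries ec2:Vpc
VPC_SCOPED_ALLOW = _policy({"Effect": "Allow", "Action": "*", "Resource": "*",
                            "Condition": {"StringEquals": {"ec2:Vpc": VPC}}})
# Last thread's question: Deny ec2:* on the VPC's own ARN
DENY_VPC_ARN = _policy({"Effect": "Deny", "Action": "ec2:*", "Resource": VPC})
# Last thread's answer: Deny on subnet resources whose ec2:Vpc is the target VPC
DENY_BY_VPC_COND = _policy({"Effect": "Deny", "Action": "ec2:*",
                            "Resource": f"arn:aws:ec2:{REGION}:{ACCT}:subnet/*",
                            "Condition": {"StringEquals": {"ec2:Vpc": VPC}}})
# Tenancy thread's answer: Deny launches with host or dedicated tenancy
DENY_TENANCY = _policy({"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
                        "Condition": {"ForAnyValue:StringEquals":
                                      {"ec2:Tenancy": ["host", "dedicated"]}}})


def scenarios():
    launch = [SUBNET, INSTANCE]
    in_vpc = {"ec2:Vpc": VPC}
    return {
        # DescribeVpcs has no ec2:Vpc key, so the conditioned Allow never applies
        "describe_vpcs_scoped_allow": evaluate([VPC_SCOPED_ALLOW], "ec2:DescribeVpcs", ["*"]),
        "launch_scoped_allow": evaluate([VPC_SCOPED_ALLOW], "ec2:RunInstances", launch, in_vpc),
        # Deny on the vpc ARN bites DeleteVpc, but a launch never names the vpc ARN
        "delete_vpc_deny_vpc_arn": evaluate([ADMIN, DENY_VPC_ARN], "ec2:DeleteVpc", [VPC]),
        "launch_deny_vpc_arn": evaluate([ADMIN, DENY_VPC_ARN], "ec2:RunInstances", launch, in_vpc),
        # Deny keyed on ec2:Vpc over subnets catches the launch, and only in that VPC
        "launch_deny_vpc_cond": evaluate([ADMIN, DENY_BY_VPC_COND], "ec2:RunInstances", launch, in_vpc),
        "launch_other_vpc": evaluate([ADMIN, DENY_BY_VPC_COND], "ec2:RunInstances",
                                     [OTHER_SUBNET, INSTANCE], {"ec2:Vpc": OTHER_VPC}),
        # Tenancy guardrail on RunInstances
        "launch_dedicated": evaluate([ADMIN, DENY_TENANCY], "ec2:RunInstances", launch,
                                     {"ec2:Vpc": VPC, "ec2:Tenancy": "dedicated"}),
        "launch_default": evaluate([ADMIN, DENY_TENANCY], "ec2:RunInstances", launch,
                                   {"ec2:Vpc": VPC, "ec2:Tenancy": "default"}),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28} {verdict}")
```

The toy deliberately models only what these threads turn on; the real evaluator also handles negated operators (where a missing key behaves differently), ...IfExists variants, set operators over multi-valued keys, and per-resource condition context. The AWS policy simulator, which the last question mentions, is the tool to confirm a Deny against the exact action and resource type a user will actually call.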