It looks like Amazon has a ready-built IAM role to grant instances CloudWatch write access. ( A more restrictive one could also be created if necessary)
But it appears you cannot attach an IAM role to a running instance.
Am I missing something? Do I really have to re-instantiate my whole fleet to enable CloudWatch? I'm reluctant to save plaintext credentials on each host for security reasons.
I assume you're talking about custom CloudWatch metrics. You don't have to restart any instances to enable them. You can create a group in IAM with the following policy and add a user to this group:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "****************",
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": [
"*"
]
}
]
}
Then you basically copy this user's credentials to awscred file and add the perl script to cron. Yes, I had to copy credentials to each machine where custom metrics collection is enabled.
Have you considered simply modifying the existing IAM role to enable writes to CloudWatch? That change should take effect immediately and does not require instance reboot or relaunch.
Related
I am learning AWS and I have the following task in an online training course:
Configure the MongoDB VM as highly privileged – configure an instance
profile to the VM and add the permission “ec2:*” as a custom policy.
I am trying to work out what that means. Is the task asking for a role that enables the VM instance to have full control over all EC2 resources?
If I understand it correctly, then I think the following policy would implement it.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:*"
],
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance"
}
]
}
My understanding is that this policy is saying any EC2 instance can perform any EC2 action. Is that right?
I would say you are almost correct. Roles are attached to individual services which means your particular VM can perform any Ec2 action on this resource arn:aws:ec2:*:*:instance.
There is a difference in saying any ec2 can perform ec2 action instead that ec2 instance can perform any ec2 action to which this role is attached.
I have a IAM role dedicated for EC2, but I would like to restrict use of this role to only certain services eg. Service Catalog. I can't do it on autoscaling level - it uses service linked role which is impossible to edit. I believe that I can somehow block that access on trusted relationship policy level on the target role. I have tried many things but nothing works for me. I think the main problem is that this role is not directly used by autoscaling, but this is a process chain which starts from autoscaling and ends on ec2. Role is no strictly used by the service but is passed through instance profile.
Any suggestions how to approach this topic ?
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123344566:root"
],
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringNotLike": {
"aws:PrincipalArn": "????"
}
}
}
]
}
BG
Seba
It appears that your requirement is:
You have a privileged IAM Role (let's call it Admin Role)
You want to allow non-Admins to create Amazon EC2 Auto Scaling groups
You do not want them to be able to attach the Admin Role to the Auto Scaling group because they could login to the resulting instances and gain privileged access
I think that you will need to control the ability to create Launch Templates and Launch Configurations:
Creating a Launch Template requires the ec2:CreateLaunchTemplate permission
Creating a Launch Configuration requires the autoscaling:createLaunchConfiguration permission
If users are not allowed to create these templates, then they cannot select a role. They would need to use an existing template to launch the Auto Scaling group.
I am using aws ecs-cli up command and want to restrict the role/group of the caller to the least privilege by using specific permissions.
Is there a flag or way to test run a cli command to validate if all required permissions are availabale to the caller, rather than say iam:*?
Additionally, is there a way to limit the permissions to partial wild-card resource, for example, below I have set * not knowing the full name in advance, so could I add myecs-* for example, that would restrict the resource to some degree?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1555577550000",
"Effect": "Allow",
"Action": [
"iam:CreateRole"
],
"Resource": [
"*"
]
}
]
}
To validate, if all required permissions are available to IAM users, groups or roles in your AWS account. Following are some of the options;
Use Web-GUI based policy simulator from AWS.
Use simulate-principal-policy aws cli command i.e. aws iam simulate-principal-policy. Furthermore, if you would like to cover custom-policy use aws cli command i.e. aws iam simulate-custom-policy .
Use python based aws-iam-tester command.
You can use wild-card within your IAM policy statements for Resource or a NotResource. Please refer following reference about same;
IAM JSON policy elements - Resource.
This existing thread.
The AWS EC2 Dashboard allows users to view/change the userdata for any given EC2 instance via
Actions -> Instance Settings -> View/Change User Data"
Is there an AWS IAM action that can restrict this feature from users of the Console?
Amazon EC2 User Data is retrieved via the DescribeInstanceAttribute API call. You can create a policy to DENY such permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "NoAttributes",
"Effect": "Deny",
"Action": [
"ec2:DescribeInstanceAttribute"
],
"Resource": [
"*"
]
}
]
}
However, there is a risk that denying this permission might have some unintended side-effects because it will also block access to other attributes, too. So, make sure you test it.
It's also worth pointing out that User Data is only executed the first time the instance boots ("once per instance-id"). So, even if users have the ability to edit the User Data, it won't actually be executed after the first boot.
Here is what i want. I have a IAM user for whom i want to give read only access to a us-east-1 and that too only read metrics for particular ec2 instance. I have 3 instances runnning in us-east-1 but i want this user to have access to metrics of only 1 ec2 server.
I have written policy like below. which is giving access to all the metrics in all the region. I tried putting that instanceid in below code but it didn't work.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
I dont understand what i am missing here.
In short, this is not possible, according to the Cloudwatch docs:
You can't use IAM to control access to CloudWatch data for specific
resources. For example, you can't give a user access to CloudWatch
data for only a specific set of instances or a specific LoadBalancer.
Permissions granted using IAM cover all the cloud resources you use
with CloudWatch.
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingIAM.html