How to show a specific EC2 instance for a user - amazon-web-services

I have some AWS EC2 instances and would like to show ONLY one instance to partners.
I created an IAM user for the partner. The following is the policy I created.
But when the partner logs in to AWS and opens the EC2 instance view, the following message is displayed and no instance is shown:
An error occurred fetching instance data: You are not authorized to perform this operation.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:*"
      ],
      "Sid": "Stmt1373378552000",
      "Resource": [
        "arn:aws:ec2:ap-northeast-1:123456789012:instance/i-12345678"
      ],
      "Effect": "Allow"
    }
  ]
}
(123456789012 is my (dummy) account ID and i-12345678 is the instance I would like to show.)
I also tried to specify it by tag name like the following, but it does not work:
"Condition": {
  "StringEquals": {
    "ec2:ResourceTag/Name": "node-B"
  }
},
Does anyone know how to show a specific EC2 instance to partners?

This is not currently supported.
Only selected Amazon EC2 API actions currently support resource-level permissions:
Describe calls do not support resource-level permissions
Start/Stop/Terminate (and others) are supported
The AWS Management Console is using a DescribeInstances call, which cannot be restricted to a specific resource. Hence, the error you received.
See also:
Supported Resource-Level Permissions for Amazon EC2 API Actions
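As an added example (not code from the question or the answer), the check below walks a policy in Python and flags every Allow statement that covers ec2:DescribeInstances but narrows it by a resource ARN or a Condition, which is exactly why the asker's policy yields the console error; it then rewrites the policy so that Describe* is granted on Resource "*" and the instance ARN is kept only for actions such as Start/Stop/Terminate that do honour resource-level permissions. The rewritten policy makes every instance visible; as the answer says, hiding the other instances from the console is not possible.

```python
import fnmatch
import json

# Constructed copy of the asker's policy (dummy account and instance ids from the question).
ASKER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1373378552000",
        "Effect": "Allow",
        "Action": ["ec2:*"],
        "Resource": ["arn:aws:ec2:ap-northeast-1:123456789012:instance/i-12345678"],
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_ineffective_describe_scoping(policy):
    """Return (Sid, action pattern) for each Allow statement that covers
    ec2:DescribeInstances but narrows it by Resource ARN or Condition. EC2
    Describe* calls ignore resource-level permissions, so such a statement grants
    nothing for the console's instance list, which fails with 'not authorized'."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        narrowed = _as_list(stmt.get("Resource", [])) != ["*"] or "Condition" in stmt
        if not narrowed:
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if fnmatch.fnmatchcase("ec2:DescribeInstances", pattern):
                hits.append((stmt.get("Sid", "<no Sid>"), pattern))
    return hits

def rewrite_for_console(policy, scoped_actions):
    """Return a copy that grants ec2:Describe* on Resource "*" (the only form that
    works) and keeps each flagged statement's resource scope only for
    scoped_actions (e.g. Start/Stop/Terminate, which do honour resource ARNs).
    Flagged statements are matched by Sid, so give each statement a unique one."""
    fixed = json.loads(json.dumps(policy))  # deep copy; the input stays untouched
    flagged = {sid for sid, _ in find_ineffective_describe_scoping(fixed)}
    for stmt in fixed["Statement"]:
        if stmt.get("Sid", "<no Sid>") in flagged:
            stmt["Action"] = list(scoped_actions)
    fixed["Statement"].insert(0, {
        "Sid": "DescribeNeedsWildcardResource",
        "Effect": "Allow",
        "Action": ["ec2:Describe*"],
        "Resource": "*",
    })
    return fixed
```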

AWS Aurora Serverless v2 IAM login with aws:SourceIp not working

I am trying to configure IP access restrictions for my public Aurora Serverless v2 cluster with IAM authentication (Postgres).
After applying the policy below, I cannot connect to the cluster with the generated token.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds-db:connect"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "123.241.200.168/32"
          ]
        }
      },
      "Effect": "Allow",
      "Resource": [
        "arn:aws:rds-db:eu-central-1:7777777836:dbuser:cluster-QQQIDWE6WQ/client01"
      ]
    }
  ]
}
After switching the condition to "IpAddressIfExists", it allows me to connect from any address, so I assume that there is no source address available on connect. Is it possible to configure IP restrictions at the account level?
Unfortunately that action doesn't support any conditions (as listed on permissions.cloud), so you can't limit that API to IPs (and if the user is an administrator, you can't limit it at all, as mentioned in the docs).
So it looks like the only way to achieve what I want is to:
create a role with rds-db:connect permissions on the Postgres user
add a trust policy with sts:AssumeRole limited to the IP address
assign the role to the user
generate the token from the role assigned to the user
Access to the database is not limited by IP, so if someone retrieves the token from the user they will be able to connect, but tokens are valid for 15 minutes by default, so it fulfils my requirements.
Thank you #rowanu for the answer, it helped me a lot.

How to create an IAM role of specific type using boto3?

I'm trying to lock down a user to a specific VPC in AWS, following How to Help Lock Down a User’s Amazon EC2 Capabilities to a Single VPC | AWS Security Blog.
It is mentioned that we need to create an IAM role named VPCLockDown of type AWS Service and add the services the role needs access to, like EC2, Lambda etc.
I was trying to create this role programmatically using boto3.
I checked the create_role documentation for creating a role using boto3.
However, it doesn't mention anything about specifying the type of role or the services the role should have access to.
Is there any way to specify these items when creating the IAM role using boto3?
Edit1:
I tried creating a service-linked role as per Sudarshan Rampuria's answer like:
response = iam.create_service_linked_role(
    AWSServiceName='ec2.amazonaws.com',
)
But getting the following error:
An error occurred (AccessDenied) when calling the CreateServiceLinkedRole operation: Cannot find Service Linked Role template for ec2.amazonaws.com
You can use the create_service_linked_role() function in boto3 to link a role to a service.
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.create_service_linked_role
Here is a policy that allows a specific IAM User to launch an instance (RunInstances), but only in a given VPC:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2RunInstancesVPC",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:ap-southeast-2:111111111111:subnet/*",
      "Condition": {
        "StringEquals": {
          "ec2:vpc": "arn:aws:ec2:ap-southeast-2:111111111111:vpc/vpc-abcd1234" <--- Change this
        }
      }
    },
    {
      "Sid": "RemainingRunInstancePermissions",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:ap-southeast-2:111111111111:instance/*",
        "arn:aws:ec2:ap-southeast-2:111111111111:volume/*",
        "arn:aws:ec2:ap-southeast-2::image/*",
        "arn:aws:ec2:ap-southeast-2::snapshot/*",
        "arn:aws:ec2:ap-southeast-2:111111111111:network-interface/*",
        "arn:aws:ec2:ap-southeast-2:111111111111:key-pair/*",
        "arn:aws:ec2:ap-southeast-2:111111111111:security-group/*"
      ]
    }
  ]
}
You might need to change the Region. (I tested it in the Sydney region.)
For anyone trying to do this for Lambda, we get a similar error to the one mentioned by the question author under "Edit1". Lambda doesn't have a service-linked role. You can see from the AWS Lambda documentation that "create-role" is used for creating the Lambda execution role.
You can also see here that only Lambda@Edge has a service-linked role.
One just needs to use boto3 create_role with a policy document:
response = iam_client.create_role(
    RoleName="some-role-name",
    AssumeRolePolicyDocument='{"Version": "2012-10-17","Statement": [{ "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}',
    Description='Lambda role'
)

How to allow users to launch EC2 instances only from Service Catalog?

I've created a Service Catalog portfolio and product intending to allow users to launch their own quality assurance environments. I have given a selection of users the AWS managed policy "ServiceCatalogEndUserFullAccess" (below) so they can launch products; however, they seem to also require individual permissions for the resources created by the template (in this case, just an EC2 instance and an ELB).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "catalog-user:*",
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStacks",
        "cloudformation:GetTemplateSummary",
        "cloudformation:SetStackPolicy",
        "cloudformation:ValidateTemplate",
        "cloudformation:UpdateStack",
        "servicecatalog:DescribeProduct",
        "servicecatalog:DescribeProductView",
        "servicecatalog:DescribeProvisioningParameters",
        "servicecatalog:ListLaunchPaths",
        "servicecatalog:ProvisionProduct",
        "servicecatalog:SearchProducts",
        "s3:GetObject"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "servicecatalog:DescribeRecord",
        "servicecatalog:ListRecordHistory",
        "servicecatalog:ScanProvisionedProducts",
        "servicecatalog:TerminateProvisionedProduct",
        "servicecatalog:UpdateProvisionedProduct"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "servicecatalog:userLevel": "self"
        }
      }
    }
  ]
}
As such, the template fails in CloudFormation and rolls back with an error like the following:
API:ec2:runInstances - You are not authorized to perform this operation.
Ideally I'd like to restrict the user's ability to launch an EC2 instance either to Service Catalog only, or perhaps more specifically to our staging VPC, but neither seems possible from what I've read so far. Is there any way to grant this level of granular permission such that the user can only launch the resources in the particular Service Catalog product they've chosen?
Your policy has granted users permission to use Service Catalog, but that is not sufficient to permit them to launch the actual resources.
There are two ways to grant permission to launch resources (eg Amazon EC2):
Grant permissions to the IAM Users themselves, or
Assign a Launch Role to the Launch Constraint for the product
From Applying a Launch Constraint documentation:
Without a launch constraint, end users must launch and manage products with their own IAM credentials. To do so, they must have permissions for AWS CloudFormation, the AWS services used by the products, and AWS Service Catalog. By using a launch role, you can instead limit the end users' permissions to the minimum that they require.
Therefore, create a Launch Role with the necessary permissions to Launch an EC2 instance but only grant the users the minimum necessary permissions to launch the product from Service Catalog.

How to manage visibility of EC2 userdata in AWS Console

The AWS EC2 Dashboard allows users to view/change the user data for any given EC2 instance via Actions -> Instance Settings -> View/Change User Data.
Is there an AWS IAM action that can restrict this feature from users of the Console?
Amazon EC2 User Data is retrieved via the DescribeInstanceAttribute API call. You can create a policy to DENY such permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NoAttributes",
      "Effect": "Deny",
      "Action": [
        "ec2:DescribeInstanceAttribute"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
However, there is a risk that denying this permission might have some unintended side-effects because it will also block access to other attributes, too. So, make sure you test it.
It's also worth pointing out that User Data is only executed the first time the instance boots ("once per instance-id"). So, even if users have the ability to edit the User Data, it won't actually be executed after the first boot.
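As an added example (not part of the answer above), a simplified IAM evaluator in Python run over two constructed policies, a broad ec2:* Allow of the kind a console user who manages instances typically holds plus the answer's NoAttributes Deny. It shows the side-effect the answer warns about: the explicit Deny wins for every DescribeInstanceAttribute call, not only the userData one, while DescribeInstances stays allowed; ec2:ModifyInstanceAttribute, the write-side call that changes attributes such as user data and which the answer does not discuss, is included to show that the Deny leaves it untouched.

```python
import fnmatch

# Constructed policies: a broad Allow, as a console user who can manage instances
# typically has, and the answer's NoAttributes Deny.
ALLOW_ALL_EC2 = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
DENY_ATTRIBUTES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "NoAttributes",
        "Effect": "Deny",
        "Action": ["ec2:DescribeInstanceAttribute"],
        "Resource": ["*"],
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(action, policies):
    """Simplified IAM evaluation for Resource "*" statements: an explicit Deny in
    any policy wins, otherwise any matching Allow permits, otherwise the call is
    implicitly denied. Conditions and resource ARNs are not modelled."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny overrides every Allow
            allowed = True
    return allowed

def console_decisions(policies):
    """Decisions for the calls behind the console's instance list and the
    View/Change User Data dialog. DescribeInstanceAttribute is one API for every
    attribute, so the Deny also hides attributes other than userData, while
    ModifyInstanceAttribute (the write side) is not affected by it."""
    return {
        "DescribeInstances": is_allowed("ec2:DescribeInstances", policies),
        "DescribeInstanceAttribute": is_allowed("ec2:DescribeInstanceAttribute", policies),
        "ModifyInstanceAttribute": is_allowed("ec2:ModifyInstanceAttribute", policies),
    }
```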

AWS IAM user permission to a specific region for CloudWatch

Here is what I want. I have an IAM user to whom I want to give read-only access to us-east-1, and even then only to read the metrics of a particular EC2 instance. I have 3 instances running in us-east-1 but I want this user to have access to the metrics of only 1 EC2 server.
I have written a policy like the one below, which is giving access to all the metrics in all regions. I tried putting the instance ID in the code below but it didn't work.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
I don't understand what I am missing here.
In short, this is not possible, according to the Cloudwatch docs:
You can't use IAM to control access to CloudWatch data for specific resources. For example, you can't give a user access to CloudWatch data for only a specific set of instances or a specific LoadBalancer. Permissions granted using IAM cover all the cloud resources you use with CloudWatch.
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingIAM.html