We are struggling to create an IAM policy that permits all EC2 actions EXCEPT RunInstances. This is to prevent an API key compromise from launching unauthorized instances. We tried it both with and without the EC2 allow * because I'm not clear if NotAction implies all actions.
With the NotAction in place I cannot provision EBS volumes (below). Do we need to converge the EC2 allow * and NotAction RunInstances into the same policy section?
EC2 All permissions:
"Action": "ec2:*", "Effect": "Allow", "Resource": "*",
and then a second policy that denies RunInstances (from a previous IAM policy answer on a similar topic):
{ "Statement": [ { "NotAction": [ "ec2:RunInstances*" ], "Effect": "Deny", "Resource": "*" } ] }
ec2-54-196-184-11.compute-1.amazonaws.com * aws_ebs_volume[ip-10-140-10-132.volume15] action create
ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18:17:53+00:00] WARN: ##### RightAws::Ec2 returned an error: 403 Forbidden
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com UnauthorizedOperation
You are not authorized to perform this operation.fcd71112-db50-4102-9855-a46749574de9 #####
ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18:17:53+00:00] WARN: ##### RightAws::Ec2 request: https://us-east-1.ec2.amazonaws.com:443/?AWSAccessKeyId=XXXXXXXXXXXXXXXXXXX&Action=DescribeVolumes&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2014-06-26T18%3A17%3A53.000Z&Version=2012-06-15&Signature=cRMAxfs3RP0R9rlQeb7JU9zYeey8L3CWQI2Pkj2o3V0%3D ####
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com ================================================================================
ec2-54-196-184-11.compute-1.amazonaws.com Error executing action create
on resource 'aws_ebs_volume[ip-10-140-10-132.volume15]'
ec2-54-196-184-11.compute-1.amazonaws.com ================================================================================
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com RightAws::AwsError
ec2-54-196-184-11.compute-1.amazonaws.com ------------------
ec2-54-196-184-11.compute-1.amazonaws.com UnauthorizedOperation: You are not authorized to perform this operation.
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com Cookbook Trace:
ec2-54-196-184-11.compute-1.amazonaws.com ---------------
ec2-54-196-184-11.compute-1.amazonaws.com /var/chef/cache/cookbooks/aws/providers/ebs_volume.rb:138:in `currently_attached_volume'
ec2-54-196-184-11.compute-1.amazonaws.com /var/chef/cache/cookbooks/aws/providers/ebs_volume.rb:26:in `block in class_from_file'
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com Resource Declaration:
ec2-54-196-184-11.compute-1.amazonaws.com ---------------------
ec2-54-196-184-11.compute-1.amazonaws.com # In /var/chef/cache/cookbooks/cook_aws/recipes/ebs.rb
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com 26: aws_ebs_volume node['w2o']['ebs']['volume_name'] do
ec2-54-196-184-11.compute-1.amazonaws.com 27: action [:create, :attach]
ec2-54-196-184-11.compute-1.amazonaws.com 28: aws_access_key node['aws']['access_key_id']
ec2-54-196-184-11.compute-1.amazonaws.com 29: aws_secret_access_key node['aws']['secret_access_key']
ec2-54-196-184-11.compute-1.amazonaws.com 30: device node['w2o']['ebs']['ebs_device']
ec2-54-196-184-11.compute-1.amazonaws.com 31: size node['w2o']['ebs']['ebs_mount_size']
ec2-54-196-184-11.compute-1.amazonaws.com 32:
ec2-54-196-184-11.compute-1.amazonaws.com 33: # specify piops if present in node attr
ec2-54-196-184-11.compute-1.amazonaws.com 34: if node['w2o']['ebs']['ebs_piops'] > 0
ec2-54-196-184-11.compute-1.amazonaws.com 35: piops node['w2o']['ebs']['ebs_piops']
ec2-54-196-184-11.compute-1.amazonaws.com 36: volume_type 'io1'
ec2-54-196-184-11.compute-1.amazonaws.com 37: end
ec2-54-196-184-11.compute-1.amazonaws.com 38:
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com Compiled Resource:
ec2-54-196-184-11.compute-1.amazonaws.com ------------------
ec2-54-196-184-11.compute-1.amazonaws.com # Declared in /var/chef/cache/cookbooks/cook_aws/recipes/ebs.rb:26:in `from_file'
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com aws_ebs_volume("ip-10-140-10-132.volume15") do
ec2-54-196-184-11.compute-1.amazonaws.com action [:create, :attach]
ec2-54-196-184-11.compute-1.amazonaws.com retries 0
ec2-54-196-184-11.compute-1.amazonaws.com retry_delay 2
ec2-54-196-184-11.compute-1.amazonaws.com cookbook_name "cook_aws"
ec2-54-196-184-11.compute-1.amazonaws.com recipe_name "ebs"
ec2-54-196-184-11.compute-1.amazonaws.com aws_access_key "XXXXXXXXXXXXXXXXXXXXX"
ec2-54-196-184-11.compute-1.amazonaws.com aws_secret_access_key "XXXXXXXXXXXXXXXXXXXXX"
ec2-54-196-184-11.compute-1.amazonaws.com device "/dev/xvdf"
ec2-54-196-184-11.compute-1.amazonaws.com size 50
ec2-54-196-184-11.compute-1.amazonaws.com end
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18:17:53+00:00] ERROR: Running exception handlers
ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18:17:53+00:00] ERROR: Exception handlers complete
ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18:17:53+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
ec2-54-196-184-11.compute-1.amazonaws.com Chef Client failed. 2 resources updated
ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18:17:54+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
Spent an hour with a trial account and the IAM simulator to get:
}
Posting in case this is useful to someone, you can put whatever actions you want under NotAction
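To make the NotAction semantics concrete, here is a small Python model of IAM's evaluation order (added example, not code from this thread or from AWS; it simplifies evaluation to explicit deny, then explicit allow, else implicit deny, and ignores Resource and Condition matching). It shows why the Deny+NotAction statement from the question blocks DescribeVolumes while leaving RunInstances allowed, why a plain Deny on RunInstances gives the intended result, and that an Allow+NotAction statement with Resource "*" grants every other service too.

```python
import fnmatch

# Constructed policies modelled on the thread. ASKER_DENY is the poster's
# Deny+NotAction statement; FIXED_DENY is the usual way to carve out one action.
ALLOW_ALL_EC2 = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
ASKER_DENY = {"Statement": [{"Effect": "Deny", "NotAction": ["ec2:RunInstances*"], "Resource": "*"}]}
FIXED_DENY = {"Statement": [{"Effect": "Deny", "Action": ["ec2:RunInstances"], "Resource": "*"}]}
# Allow+NotAction with Resource "*": every action in every service except RunInstances.
ALLOW_NOTACTION = {"Statement": [{"Effect": "Allow", "NotAction": ["ec2:RunInstances"], "Resource": "*"}]}


def action_matches(pattern, action):
    """IAM action names are case-insensitive and '*' matches any run of characters."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_applies(stmt, action):
    """Action: the statement applies if the action is listed.
    NotAction: the statement applies if the action is NOT listed."""
    key = "Action" if "Action" in stmt else "NotAction"
    patterns = stmt[key]
    patterns = [patterns] if isinstance(patterns, str) else patterns
    listed = any(action_matches(p, action) for p in patterns)
    return listed if key == "Action" else not listed


def evaluate(policies, action):
    """Simplified IAM evaluation (Resource '*' assumed, no Condition matching):
    any applicable Deny wins, otherwise any applicable Allow, otherwise implicit deny."""
    decision = "implicit-deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"
            decision = "allow"
    return decision


if __name__ == "__main__":
    for label, policies in [("asker", [ALLOW_ALL_EC2, ASKER_DENY]),
                            ("fixed", [ALLOW_ALL_EC2, FIXED_DENY]),
                            ("allow+notaction", [ALLOW_NOTACTION])]:
        for act in ("ec2:DescribeVolumes", "ec2:RunInstances", "s3:GetObject"):
            print(f"{label:16} {act:22} -> {evaluate(policies, act)}")
```

The "asker" row reproduces the UnauthorizedOperation on DescribeVolumes from the Chef log above; the last row is the reason an Allow with NotAction needs its Resource or an accompanying Deny scoped down before it is safe to hand to a key that may be compromised.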