Home / server / Questions / 620533
In Process
fields
Asked: 2014-08-15 12:29:35 +0800 CST

How can I use IAM pollicies to restrict a user to only launch instances with a specific set of AMIs?

  • 772

I have the AMIs I want to allow tagged with the "type" tag.

Here's the policy I tried:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/type": "permitted_amis"
        }
      },
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:CreateTags"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

When I tried to launch an instance from one of those AMIs, I got permission denied.

amazon-ec2

1 Answers

  1. The problem is that you don't have ec2:RunInstances permissions any more, because you added that permission together with the condition, so it overrides - it will look for an EC2 instance with that tag; seeing that you have only "ec2:DescribeInstances" on Resource:["*"];

    Add two separate statements, and specify the exact resources for each:

    • one for the AMI with Resource:["arn:aws:ec2:region::image/ami-*"]
    • one for ec2:RunInstances with Resource:["arn:aws:ec2:region:account:instance/*"]

    Example: (taken from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#ex5)

    The following policy allows users to launch instances using only the AMIs that have the specified tag, "department=dev", associated with them. The users can't launch instances using other AMIs because the Condition element of the first statement requires that users specify an AMI that has this tag. The users also can't launch into a subnet, as the policy does not grant permissions for the subnet and network interface resources. They can, however, launch into EC2-Classic. The second statement uses a wildcard to enable users to create instance resources, and requires users to specify the key pair project_keypair and the security group sg-1a2b3c4d. Users are still able to launch instances without a key pair.

    {
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [ 
         "arn:aws:ec2:region::image/ami-*"
      ],
      "Condition": {
         "StringEquals": {
            "ec2:ResourceTag/department": "dev"
         }
      }
   },
   {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [ 
          "arn:aws:ec2:region:account:instance/*",
          "arn:aws:ec2:region:account:volume/*",
          "arn:aws:ec2:region:account:key-pair/project_keypair",
          "arn:aws:ec2:region:account:security-group/sg-1a2b3c4d"
         ]
      }
   ]
}
    • 3