How do I create an IAM policy to explicitly grant permissions to create and manage EC2 instances in a specified VPC that has tags?

4 minute read

I want to create an AWS Identity and Access Management (IAM) policy that explicitly grants permissions to IAM identities to manage Amazon Elastic Compute Cloud (Amazon EC2) instances in a virtual private cloud (VPC).

Short description

The IAM policy must limit the IAM identity's permissions to manage the instances in the VPC that has tags.

Amazon EC2 provides partial resource-level permissions, but there are several service-level actions, resources, and conditions that you can use. To control access to EC2 resources, use resource tags.

Resolution

Create a policy that grants permissions to launch the instances in the VPC but restricts the IAM identity's permissions to manage the instances. To restrict the management of instances, use the ec2:ResourceTag policy condition.

Create a managed policy to attach to the IAM identities that launch your instances

Complete the following steps:

Open the IAM console, choose Policies, and then choose Create Policy.

Choose the JSON tab, and then enter the following custom policy:

{  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GrantIAMPassRoleOnlyForEC2",
      "Action": [
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::ACCOUNTNUMBER:role/ROLENAME",
        "arn:aws:iam::ACCOUNTNUMBER:role/ROLENAME"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    },
    {
      "Sid": "ReadOnlyEC2WithNonResource",
      "Action": [
        "ec2:Describe*",
        "iam:ListInstanceProfiles"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "ModifyingEC2WithNonResource",
      "Action": [
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "RunInstancesWithTagRestrictions",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:REGION:ACCOUNTNUMBER:instance/*",
        "arn:aws:ec2:REGION:ACCOUNTNUMBER:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/TAG-KEY": "TAG-VALUE"
        }
      }
    },
    {
      "Sid": "RemainingRunInstancePermissionsNonResource",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:REGION::image/*",
        "arn:aws:ec2:REGION::snapshot/*",
        "arn:aws:ec2:REGION:ACCOUNTNUMBER*:network-interface/*",
        "arn:aws:ec2:REGION:ACCOUNTNUMBER*:key-pair/*",
        "arn:aws:ec2:REGION:ACCOUNTNUMBER*:security-group/*"
      ]
    },
    {
      "Sid": "EC2RunInstancesVpcSubnet",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:REGION:ACCOUNTNUMBER:subnet/*",
      "Condition": {
        "StringEquals": {
          "ec2:Vpc": "arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPC-ID"
        }
      }
    },
    {
      "Sid": "EC2VpcNonResourceSpecificActions",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteNetworkAcl",
        "ec2:DeleteNetworkAclEntry",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:CreateRoute",
        "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
        "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Vpc": "arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPC-ID"
        }
      }
    },
    {
      "Sid": "AllowInstanceActionsTagBased",
      "Effect": "Allow",
      "Action": [
        "ec2:RebootInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:AssociateIamInstanceProfile",
        "ec2:DisassociateIamInstanceProfile",
        "ec2:GetConsoleScreenshot",
        "ec2:ReplaceIamInstanceProfileAssociation"
      ],
      "Resource": [
        "arn:aws:ec2:REGION:ACCOUNTNUMBER:instance/*",
        "arn:aws:ec2:REGION:ACCOUNTNUMBER:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/TAG-KEY": "TAG-VALUE"
        }
      }
    },
    {
      "Sid": "AllowCreateTagsOnlyLaunching",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": [
        "arn:aws:ec2:REGION:ACCOUNTNUMBER:instance/*",
        "arn:aws:ec2:REGION:ACCOUNTNUMBER:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances"
        }
      }
    }
  ]
}

Note: Replace the ACCOUNTNUMBER, REGION, TAG-KEY, TAG-VALUE, VPC-ID, and ROLENAME parameters with your values.

(Optional) To assign the policy to only IAM users or groups, replace the TAG-KEY or TAG-VALUE parameters with the ${aws:username} IAM policy variable. This policy variable allows IAM to prepopulate the parameters with the friendly name of the IAM user. IAM users can launch an instance in only the specified VPC and control their own instances.
Choose Review policy, and then enter a name. For example, enter VPC_Lockdown_VPC-ID.
Choose Create policy.
Note: You must replace some items with specific resources from your environment. For more information, see Amazon Resource Names (ARNs).

Attach the policy to a user, group, or role

Complete the following steps:

Open the IAM console.
In the navigation pane, choose Users, Groups, or Roles and then choose the IAM identity.
Choose Add permissions, and then choose Attach policies.
Enter the name of the policy, and then choose your policy.
Choose Attach Policy.

When the custom policy is attached, the IAM identity can sign in to the AWS Management Console, open the EC2 dashboard, and launch an EC2 instance. The IAM identity must specify the subnet, VPC, and tag to launch the EC2 instance.

The ec2:ResourceTags condition restricts the following actions:

Start an instance.
Stop an instance.
Reboot an instance.
Terminate an instance.
Attach a volume to the instance.
Detach a volume from the instance.
Disassociate the IAM instance profile from the instance.
Associate an instance profile.
Replace the IAM instance profile association for the instance.
Get a console screenshot of the instance.

The policy restricts the following actions against the VPC:

Delete security groups.
Create and delete routes.
Delete route tables.
Delete network access control lists (network ACLs).
Delete network ACL entries.
Authorize or revoke security group ingress and egress rules.
Create network interface permissions.
Update security group description for ingress and egress rules.

Related information

How do I use the PrincipalTag, ResourceTag, RequestTag, and TagKeys condition keys to create an IAM policy for tag-based restriction?

Topics

Security, Identity, & Compliance

Relevant content

How to create parent policy that limits permissions of child policies it creates
Accepted Answer
rePost-User-3279893
asked 2 years ago
How to create the AWS iam policy for hide the ec2 instance based on tags
Accepted Answer
KARTHIK
asked 8 months ago
AWS: How to attach a policy to an IAM user that grants him the privilege to create a verified identity and not access root identities?
AWS-User-9169178
asked 2 years ago
How to I create an IAM policy that will allow the user to create AMI's of my instance?
Gary
asked a year ago
IAM Tag policy for EC2 instances
Accepted Answer
Ruggiero Guida
asked 2 years ago
How do I grant specified permissions to an IAM group and adds an existing IAM user to it?
AWS OFFICIALUpdated 8 months ago
How do I create an IAM policy to control access to Amazon EC2 resources through tags?
AWS OFFICIALUpdated 4 months ago
How do I create Amazon EC2 instances through CloudFormation when the IAM policy for RunInstances has tag-based restrictions?
AWS OFFICIALUpdated a year ago
How can I use IAM policy tags to restrict how an EC2 instance or EBS volume can be created?
AWS OFFICIALUpdated 2 years ago
Why doesn't S3 respect the TLS settings in my IAM policy?
EXPERT
Brettski-AWS
published 2 years ago