I am creating an IAM policy to grant access to third-party developers so that they can connect to EC2 instances in a private subnet via ec2-instance-connect.
The developers should only connect to specific instances via ec2-instance-connect. How can I implement the policy?
My policy is below:
AWSTemplateFormatVersion: 2010-09-09
Description: Template for API functionality xxxxx
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Environment basic parameters
        Parameters:
          - Env
          - AccountID
    ParameterLabels:
      Env:
        default: Environment ID
      AccountID:
        default: Account ID
Parameters:
  Env:
    Description: Unique environment.
    Type: String
    Default: lab
  AccountID:
    Description: Account ID.
    Type: String
    Default: 11113333444455
Resources:
  SiteManagementRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub 'Role-${Env}'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: default
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AccountID}:root'
            Action: 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: !Sub 'Policy-${Env}'
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: VisualEditor0
                Effect: Allow
                Action:
                  - 'ec2-instance-connect:SendSSHPublicKey'
                Resource: '*'
              - Sid: VisualEditor1
                Effect: Allow
                Action:
                  - 'ec2:DescribeImages'
                  - 'ec2:DescribeInstances'
                  - 'ec2:DescribeTags'
                  - 'ec2:DescribeInstanceAttribute'
                  - 'ec2:DescribeInstanceTypes'
                  - 'ec2:DescribeInstanceStatus'
                Resource: '*'
                # Condition:
                #   StringEquals:
                #     'ec2:ResourceTag/Env': !Sub '${Env}'
              - Sid: VisualEditor2
                Effect: Allow
                Action:
                  - 'logs:ListTagsLogGroup'
                  - 'logs:GetLogRecord'
                  - 'logs:DescribeLogGroups'
                  - 'logs:DescribeLogStreams'
                  - 'logs:StartQuery'
                  - 'logs:StopQuery'
                  - 'logs:TestMetricFilter'
                  - 'logs:GetLogDelivery'
                  - 'logs:GetQueryResults'
                  - 'logs:GetLogEvents'
                  - 'logs:FilterLogEvents'
                  - 'logs:GetLogGroupFields'
                Resource: '*'
I need to apply an access restriction based on tags, but there should be a better way to do this which will restrict developers to connecting to specific instances.
Here:
  Action:
    - 'ec2-instance-connect:SendSSHPublicKey'
  Resource: '*'   <--- I don't want it to be *
Please help.
Thanks in advance
From Set Up EC2 Instance Connect - Amazon Elastic Compute Cloud:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": [
        "arn:aws:ec2:region:account-id:instance/i-1234567890abcdef0",
        "arn:aws:ec2:region:account-id:instance/i-0598c7d356eba48d7"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:osuser": "ami-username"
        }
      }
    }
  ]
}
The above policy will restrict access to specific instances and specific usernames. I'm not sure if the instances can be identified by Tag. You'll need to do some experimenting.
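To make the restriction in the answer concrete, here is an added example (not code from the question or the answer, and not from AWS) that builds the two candidate policies for `ec2-instance-connect:SendSSHPublicKey`: one scoped to explicit instance ARNs exactly as in the quoted AWS document, and one scoped by the `ec2:ResourceTag/Env` key that the questioner's template has commented out. It then runs a deliberately minimal local evaluator over a constructed fleet of three instances so you can see which connections each policy would allow before deploying. The region, account id, instance ids and tags are constructed placeholders; the tag-scoped variant assumes, as the answer says should be tested, that SendSSHPublicKey honours the resource-tag condition key, and the evaluator models only Allow statements with `*` wildcards and `StringEquals` conditions, not the full IAM evaluation logic.

```python
import fnmatch
import json
from typing import Dict, List

# Constructed placeholder values (not from the page): substitute your own.
REGION = "eu-west-1"
ACCOUNT_ID = "111122223333"
ACTION = "ec2-instance-connect:SendSSHPublicKey"


def instance_arn(instance_id: str) -> str:
    """ARN form used by the AWS example policy quoted in the answer."""
    return f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:instance/{instance_id}"


def policy_by_instance_id(instance_ids: List[str], os_user: str) -> dict:
    """Allow the SSH-key push only to the listed instances and only for one OS user."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ConnectToListedInstances",
            "Effect": "Allow",
            "Action": ACTION,
            "Resource": [instance_arn(i) for i in instance_ids],
            "Condition": {"StringEquals": {"ec2:osuser": os_user}},
        }],
    }


def policy_by_tag(env: str, os_user: str) -> dict:
    """Tag-scoped variant. Assumption: SendSSHPublicKey honours ec2:ResourceTag/<key>;
    confirm with the IAM policy simulator before relying on it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ConnectToTaggedInstances",
            "Effect": "Allow",
            "Action": ACTION,
            "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:instance/*",
            "Condition": {"StringEquals": {"ec2:osuser": os_user,
                                           "ec2:ResourceTag/Env": env}},
        }],
    }


def is_allowed(policy: dict, action: str, resource: str, context: Dict[str, str]) -> bool:
    """Toy evaluator: True if any Allow statement matches the action and resource
    (with * wildcards) and every StringEquals key equals the request context value.
    No Deny handling, no policy variables, no other condition operators."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) == value for key, value in conds.items()):
            return True
    return False


def demo() -> Dict[str, bool]:
    """Evaluate both policies against a constructed fleet: two Env=lab, one Env=prod."""
    fleet = {
        "i-0aaa000000000001": {"Env": "lab"},
        "i-0aaa000000000002": {"Env": "lab"},
        "i-0bbb000000000003": {"Env": "prod"},
    }
    listed = policy_by_instance_id(["i-0aaa000000000001"], "ec2-user")
    tagged = policy_by_tag("lab", "ec2-user")
    results: Dict[str, bool] = {}
    for iid, tags in fleet.items():
        ctx = {"ec2:osuser": "ec2-user", "ec2:ResourceTag/Env": tags["Env"]}
        results[f"listed:{iid}"] = is_allowed(listed, ACTION, instance_arn(iid), ctx)
        results[f"tagged:{iid}"] = is_allowed(tagged, ACTION, instance_arn(iid), ctx)
    # The osuser condition refuses a different login name even on an allowed instance.
    results["listed:root"] = is_allowed(
        listed, ACTION, instance_arn("i-0aaa000000000001"),
        {"ec2:osuser": "root", "ec2:ResourceTag/Env": "lab"})
    return results


if __name__ == "__main__":
    print(json.dumps(policy_by_tag("lab", "ec2-user"), indent=2))
    for check, allowed in demo().items():
        print(f"{check}: {'ALLOW' if allowed else 'deny'}")
```

The instance-id form is the one AWS documents and is the tightest: a developer can push a key only to the enumerated instances, and only for the named OS user, so a new instance launched in the account is unreachable until someone edits the policy. The tag form is easier to operate (any instance tagged `Env=lab` is reachable) but shifts the trust boundary to whoever can set that tag, so pair it with a policy that denies `ec2:CreateTags` and `ec2:DeleteTags` to the same principals. Whichever form you choose, the `Describe*` statement in the template still needs `Resource: '*'`, because those read-only EC2 calls do not support resource-level permissions.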