AWS Restrict user to manage a single EC2 instance

Sunday, 4 May 2014 18:42 by ranjanbanerji

Restricting a single user to starting or stopping a single instance, or perhaps a set of instances, in AWS is a relatively simple process, though it did take me a few minutes to figure it out. To do so, go to the AWS Console Security and Credentials page (click on your name at the top right of the screen). Click on Users and then select the user whose access you wish to restrict.

Click on the Permissions tab and, under User Policies, click on Attach User Policy. Here you can either use the Policy Generator or type in your custom policy. This is basically what you need to do:

First, give the user permission to see all instances in a given region (the Describe calls are granted on every resource, but the condition limits them to one region). The policy should end up looking like:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [ "ec2:Describe*" ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:Region": "us-east-1"
                }
            }
        }
    ]
}
```


You then need to restrict the user so that they can operate only that one instance. This requires a policy that looks like:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "arn:aws:ec2:us-east-1:PutYourAccountIdHere:instance/PutYourEC2InstanceIDHere"
        }
    ]
}
```


You can of course refine this to individual EC2 actions (for example only StartInstances and StopInstances) if you want.
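As an added example (not code from the post), the following Python script assembles the two statements above into one policy document and runs a simplified offline check of which requests that policy allows. The account id, instance id and the narrowed action list are constructed placeholders, and the evaluator only models the Allow effect, wildcard matching and the StringEquals condition used on this page (no explicit Deny, no other condition operators).

```python
import fnmatch
import json

def build_policy(account_id, region, instance_id,
                 actions=("ec2:StartInstances", "ec2:StopInstances")):
    """Combine the post's two statements into one policy document.

    `actions` narrows the post's "ec2:*" to individual EC2 actions, as the
    post suggests; pass ("ec2:*",) to reproduce the original policy exactly.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Describe* calls are not scoped to one instance, so Resource is "*"
                # and the region condition is the only restriction on them.
                "Effect": "Allow",
                "Action": ["ec2:Describe*"],
                "Resource": "*",
                "Condition": {"StringEquals": {"ec2:Region": region}},
            },
            {   # Mutating actions are limited to exactly one instance ARN.
                "Effect": "Allow",
                "Action": list(actions),
                "Resource": f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}",
            },
        ],
    }

def is_allowed(policy, action, resource, context=None):
    """Minimal IAM-style evaluation: a request is allowed only if some Allow
    statement matches its action, resource and condition; otherwise it is
    implicitly denied. Explicit Deny statements are not modelled here."""
    context = context or {}
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in acts):
            continue
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(fnmatch.fnmatchcase(resource, r) for r in res):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        # A missing context key makes StringEquals fail, as it does in IAM.
        if all(context.get(k) == v for k, v in cond.items()):
            return st["Effect"] == "Allow"
    return False  # implicit deny

if __name__ == "__main__":
    # Constructed sample values, not a real account or instance.
    print(json.dumps(build_policy("123456789012", "us-east-1", "i-0abc123"), indent=2))
```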
