AWS Restrict user to manage a single EC2 instance

Sunday, 4 May 2014 18:42 by ranjanbanerji

Restricting a single user to running or stopping a single instance or perhaps a set of instances in AWS is a relatively simple process though it did take me a few minutes to figure it out.  To do so go to the AWS Console Security and Credentials page (click on your name on the top right of the screen).  Click on users and then select the user you wish to restrict access to.

Click on the Permissions tab and under User Policies click on Attach User Policy.  Here you can either use the Policy Generator or type in your custom policy.  This is basically what you need to do:

First give the user permission to see all instances in a given region.  The policy should end up looking like:

    {
        "Statement": [
            {
                "Action": [ "ec2:Describe*" ],
                "Effect": "Allow",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ec2:Region": "us-east-1"
                    }
                }
            }
        ]
    }


You then need to restrict the user to be able to operate just the one instance.  This requires a policy that looks like:

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ec2:*",
                "Resource": "arn:aws:ec2:us-east-1:PutYourAccountIdHere:instance/PutYourEC2InstanceIDHere"
            }
        ]
    }


You can of course refine this to individual EC2 actions if you want.  Bear in mind that "ec2:*" on the instance ARN also grants destructive actions such as ec2:TerminateInstances on that instance, so listing only the actions the user actually needs (for example ec2:StartInstances and ec2:StopInstances) is the least-privilege form.
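To see concretely what each policy grants before attaching it, here is an added Python example (not from the original post and not AWS code) that applies IAM's Allow/Action/Resource/Condition matching to the two policies above plus a start/stop-only variant; the account id and instance id are placeholders, and it models only Allow statements with StringEquals conditions (no explicit Deny).

```python
import fnmatch

# Placeholder account and instance ids (constructed, not real values).
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123"
# Policy 1 from the post: see all instances, but only in us-east-1.
REGION_POLICY = {"Statement": [{
    "Action": ["ec2:Describe*"], "Effect": "Allow", "Resource": "*",
    "Condition": {"StringEquals": {"ec2:Region": "us-east-1"}}}]}
# Policy 2 from the post: every EC2 action, but only on the one instance.
INSTANCE_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "ec2:*", "Resource": INSTANCE_ARN}]}
# Refined variant: only the actions a start/stop operator needs.
LIMITED_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
    "Resource": INSTANCE_ARN}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM Action/Resource strings use '*' and '?' wildcards; action names are case-insensitive.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def _conditions_hold(condition, context):
    # Only StringEquals is modelled, which is all the post's policies use.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True

def is_allowed(policies, action, resource, context=None):
    """True if any Allow statement matches; otherwise IAM's implicit deny applies."""
    context = context or {}
    for policy in policies:
        for stmt in policy["Statement"]:
            if (stmt["Effect"] == "Allow"
                    and _matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)
                    and _conditions_hold(stmt.get("Condition", {}), context)):
                return True
    return False

if __name__ == "__main__":
    both = [REGION_POLICY, INSTANCE_POLICY]
    print(is_allowed(both, "ec2:DescribeInstances", "*", {"ec2:Region": "us-east-1"}))  # True
    print(is_allowed(both, "ec2:DescribeInstances", "*", {"ec2:Region": "eu-west-1"}))  # False
    print(is_allowed(both, "ec2:StopInstances", INSTANCE_ARN))                          # True
    # ec2:* also covers destructive actions on that instance; the refined policy does not.
    print(is_allowed(both, "ec2:TerminateInstances", INSTANCE_ARN))                     # True
    print(is_allowed([REGION_POLICY, LIMITED_POLICY], "ec2:TerminateInstances", INSTANCE_ARN))  # False
```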


System.UnauthorizedAccessException when Trying to Delete a File

Wednesday, 18 September 2013 00:06 by ranjanbanerji

There are probably several reasons why one would get this error when attempting to delete a file from code:  System.UnauthorizedAccessException: Access to the path 'blah.exe' is denied.  I recently encountered it when writing a WinForm application and went through the obvious reasons:

  • Permissions.  Does the current user have rights to delete the file in question?
  • Attributes.  Does the file have a read-only attribute?
  • In use.  Is some other application using, and hence locking, the file?

What I did not consider is whether my own code was loading the file.  At first glance the answer was no.  My code was simply looking at the version of an executable and deleting it if it was old.  This was no LoadLibrary kind of code, or was it?  After much pondering I decided to look into Assembly.ReflectionOnlyLoadFrom, which is how I was loading the executable to get its version.  AssemblyName.GetAssemblyName is the correct way to do so because it does not load the file (and therefore does not lock it).

using System.Reflection;
Version currentVersion = Assembly.ReflectionOnlyLoadFrom(filePath).GetName().Version;  // WRONG WAY: loads the assembly into the reflection-only context, which is never unloaded, so the file stays locked
Version currentVersion = AssemblyName.GetAssemblyName(filePath).Version;               // RIGHT WAY: reads only the assembly manifest and closes the file, so nothing is loaded and the file is not locked


A day and a half wasted figuring this out.  Awesome!!!!!!!!!!!!!!!