AWS IAM policy to restrict access to c7g.large instance only


How do I write a policy to have full access to a single c7g.large EC2 instance and restrict the rest of the instances?

CodePudding user response:

If it's a single specific instance you want to restrict access to, you can use tags on the instance and reference them from the policy. The example below is taken from AWS and uses the built-in variable ${aws:username} - this allows a user to manage their own instance, or you can use hard-coded values/other built-in variables as you need.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/UserName": "${aws:username}"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "*"
    }
  ]
}
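
As an added illustration (this is not part of the answer above, nor AWS code), the snippet below replays that tag-scoped policy through a deliberately simplified IAM evaluator: wildcard action matching, `StringEquals` conditions with `${aws:username}` substitution, and the real precedence rule that an explicit Deny beats any Allow. Resource ARN matching, the other condition operators and policy-type layering are left out by assumption; the point is to see why the policy's three statements interact the way they do before trusting it with a production instance.

```python
import fnmatch
import re

# The policy from the answer above, embedded as a constructed input.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/UserName": "${aws:username}"}},
        },
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Resource": "*"},
    ],
}


def _substitute(value, ctx):
    # Expand ${key} policy variables from the request context (e.g. ${aws:username}).
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)


def _statement_matches(stmt, action, ctx):
    """True if this statement applies to the requested action under the given context."""
    patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    # IAM action names match case-insensitively; '*' is the wildcard.
    if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
        return False
    # Every statement here uses Resource "*", so ARN matching is skipped (simplification).
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError("toy evaluator supports StringEquals only")
        for key, expected in pairs.items():
            # A missing context key (e.g. an untagged instance) never satisfies StringEquals.
            if ctx.get(key) != _substitute(expected, ctx):
                return False
    return True


def evaluate(policy, action, ctx):
    """Return 'Allow' or 'Deny': explicit Deny wins, then any Allow, else implicit Deny."""
    decision = "Deny"  # implicit deny until an Allow matches
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides everything else
        decision = "Allow"
    return decision


def demo():
    """Evaluate a few requests by user 'alice' (constructed) against the policy."""
    own = {"aws:username": "alice", "ec2:ResourceTag/UserName": "alice"}
    other = {"aws:username": "alice", "ec2:ResourceTag/UserName": "bob"}
    untagged = {"aws:username": "alice"}
    return {
        "stop own instance": evaluate(POLICY, "ec2:StopInstances", own),
        "stop bob's instance": evaluate(POLICY, "ec2:StopInstances", other),
        "stop untagged instance": evaluate(POLICY, "ec2:StopInstances", untagged),
        "describe bob's instance": evaluate(POLICY, "ec2:DescribeInstances", other),
        "retag own instance": evaluate(POLICY, "ec2:CreateTags", own),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:25s} -> {decision}")
```

Two things the run makes visible. First, the tag condition, not the instance type, is what scopes access: to limit a user to one specific c7g.large instance you tag that instance (here with `UserName`) and leave the others untagged or tagged for someone else, and untagged instances fall to the implicit deny. Second, the final Deny statement applies even to the user's own instance, which is why it is there: without it, the `ec2:*` Allow would let the user delete or rewrite the very tag the first statement keys on. Before relying on a policy like this, confirm the same decisions with the IAM policy simulator rather than this simplified evaluator.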

CodePudding user response:

The ability to launch, start and stop an Amazon EC2 instance is controlled via IAM using policies.

For example: Amazon EC2: Allows starting or stopping an EC2 instance and modifying a security group, programmatically and in the console - AWS Identity and Access Management

However, the ability to login to an instance via SSH is typically controlled by Amazon EC2 key pairs and Linux instances - Amazon Elastic Compute Cloud. You are responsible for generating and managing the keypairs. The operating system on the instance will then verify the keypair against those stored in ~/.ssh/authorized_keypairs. This does not involve AWS IAM.

However, there are two other ways to login to an instance.

You can Connect using EC2 Instance Connect, which uses SSH but can send keypairs on-the-fly to the instance. It enforces IAM permissions to control who can connect to the instance.

Alternatively, AWS Systems Manager Session Manager uses an agent installed on the instance to establish a connection to the instance. It doesn't use SSH, but it provides similar functionality. The nice part is that Session Manager makes it possible to connect to an instance in a private subnet because the installed agent establishes an outbound connection that is used for communication. (Whereas SSH is only possible with publicly-exposed instances.) Session Manager also uses IAM permissions to control access.
