Home > front end >  Permission to remove an Amazon EC2 resource. Whats to choose?
Permission to remove an Amazon EC2 resource. Whats to choose?

Time:07-04

I need to ensure that no more than one person in its Admin group has permanent permission to remove an Amazon EC2 resource. There should be no modifications to the current Admin group policy. What should I use? Managed policy? STS? Maybe Inline policy?

CodePudding user response:

you can create a new policy policy where you want include the ec2 action to terminate an instance and allow only one user to be able to do that by adding a condition.

Example :

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1656720238220",
      "Action": [
        "ec2:TerminateInstances"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ec2:*:*:* ",
      "Condition": {
        "StringNotEquals": {
          "aws:username": "johndoe"
        }
      }
    }
  ]
}

This this explicitly denies all but johndoe you wont have to edit the original admin policy even if it allows ec2 instances to terminate because of how AWS works through policies https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

Page link:https//www.codepudding.com/frontend/463260.html

Prev:AWS NLB - not able to assign Elastic IP to Network Load Balancer
Next:Which is the correct way to configure IpAddress condition in Policy document for REST API?
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding