Coming from Google Cloud Platform, I'm struggling to give access to an external team to perform some actions within their own environment (in GCP there is the concept of a project; I can't find this concept in AWS).
My goal is to give access to an external team so they can create EC2 instances and S3 buckets but can only view, interact with and manage their own resources (the EC2 instances and S3 buckets they have created).
What I have done so far is that I have created a group and 2 users belonging to this group. In this group I have added full access to EC2 and S3.
I'm now trying to restrict these permissions to their own resources. How can this be achieved?
CodePudding user response:
To restrict users to specific resources which the group owns, you will need to create a policy in IAM that restricts access based upon tags on the resource, or, in the case of S3, add the resource ARN to the policy document. I would suggest trying the following.
Note: "*" represents a wildcard character. I have added sample actions to the permissions; you can add additional ones as per your requirement. You can also refer to the AWS policy generator tool to get the exact JSON policy document.
EC2: Create a policy for EC2 instances which restricts users to accessing only EC2 instances having the tag Name=ExternalUser. You can change the tag as per your requirement; the below is only for reference.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2RestrictedAccess",
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/Name": "ExternalUser"
        }
      }
    }
  ]
}
S3 bucket: for an S3 bucket you can restrict access based upon the ARN of the S3 bucket. You can also further restrict it to subfolders.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3BucketRestrictedAccess",
      "Action": [
        "s3:ListBucket",
        "s3:Put*",
        "s3:CreateBucket"
      ],
      "Resource": [
        "arn:aws:s3:::*your_restricted_external_bucket*",
        "arn:aws:s3:::*your_restricted_external_bucket*/*yourfolder*"
      ],
      "Effect": "Allow"
    }
  ]
}
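An added example, not part of the answer above, that carries the tag approach through to the asker's actual goal, so each external IAM user can manage only the EC2 instances they launched themselves: every instance and its volumes must be tagged Owner=<caller's IAM user name> at launch, tags may only be attached as part of RunInstances, and start/stop/terminate are conditioned on that same tag. The tag keys Owner and Name are assumptions; the S3 half is left as the bucket-ARN scoping the answer shows.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeIsAccountWide",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "LaunchOnlyWithOwnerTag",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
      "Condition": {
        "StringEquals": {"aws:RequestTag/Owner": "${aws:username}"},
        "ForAllValues:StringEquals": {"aws:TagKeys": ["Owner", "Name"]}
      }
    },
    {
      "Sid": "LaunchDependencies",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:image/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:key-pair/*"
      ]
    },
    {
      "Sid": "TagOnlyAtLaunch",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "*",
      "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}}
    },
    {
      "Sid": "ManageOnlyOwnInstances",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"StringEquals": {"aws:ResourceTag/Owner": "${aws:username}"}}
    }
  ]
}
```

EC2 Describe* actions do not support resource-level permissions, so listing stays account-wide here (an Allow on a Describe call with an aws:ResourceTag condition is never satisfied and grants nothing). Because the user gets no ec2:DeleteTags and ec2:CreateTags only during RunInstances, the Owner tag cannot be rewritten after launch to take over someone else's instance.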