0
votes

I want to create a policy that allows an IAM user or role to create a set of resources (for example EC2 instances) and then manage (delete, update, etc) ONLY those resources. I hope I can accomplish this using IAM variables, wildcards, and/or conditions, but I'm not sure how.

My policy would look something like this ideally

    {
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Condition": {
        "<Created_By_The_Instance_Profile_In_The_CFN_Stack_That_Created_The_EC2Instance>": "..."
      }
    }

Further, what if I want to grant the EC2 instance profile to do ssm:CreateAssociation for an SSM document that was created in the same stack as the EC2 instance itself? In other words, I have a stack with an EC2 instance, and IAM Instance Profile, an IAM Role, and an SSM document and I want the EC2 instance to CreateAssociation on startup, via UserData. The user that launches the stack should have access to create these resources, but NOT to create new policies (effectively making them an administrator). I want to create a Role + Policy ahead of time and grant the stack creator the ability to attach this Role to the IAM Instance Profile Role it creates.

So, ahead of time, I (the admin), create a policy and role as such

    "DeployerRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com",
                  "lambda.amazonaws.com"
                ],
                "AWS": "*"
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        }
      }
    },
    "PolicyManagerPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "Description": "Allows CFN deployer to attach and detach required policies.",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy"
              ],
              "Resource": "*",
              "Condition": {
                "ArnEquals": {
                  "iam:PolicyArn": [
                    "The_Policy_Arn_I_Want_To_Create"
                  ]
                }
              }
            },
            {
              "Effect": "Allow",
              "Action": [
                "iam:CreateRole"
              ],
              "Resource": "*"
            }
          ]
        },
        "Roles": [ { "Ref": "DeployerRole" } ]
      }
    }

The "limited administrator" deployer (an IAM user in the DeployerRole) should be able to launch a stack containing:

  • EC2 Instance
  • IAM Instance Profile
  • IAM Role
  • SSM Document

I need The_Policy_Arn_I_Want_To_Create to:

  • Allow ONLY the EC2 Instance created by the stack to be able to CreateAssociation ONLY with the SSM Document created by the stack. Using tags is fine, but since the Resource for the SSM document would not be able to use tags, how can I do this?

1 Answer

1
votes

EC2 does not know about the account that created the instance (you might have that if you enable CloudTrail); a possibility would be to tag the EC2 instance when you create it with the user account and then read that from your policy as

    "Condition": {"StringEquals": {"ec2:ResourceTag/<tag where the username will be>": "${aws:username}"}}