The Rhys Godfrey blog post titled "Using IAM to secure Elastic Beanstalk Applications on AWS" has some good guidance.
We have an Elastic Beanstalk application and a group of users. This
group of users should be able to monitor and deploy to only that
Elastic Beanstalk environment, as well as restart or terminate
application instances. They should not be able to change the
application's or environment's configuration, or delete the environment.
The users should not be able to affect other applications or AWS
services, but it is acceptable for them to see details of other areas.
We assume the users will be using the AWS console.
I have reposted the IAM policies here for reference. Note that the first policy still grants elasticbeanstalk:UpdateEnvironment and elasticbeanstalk:UpdateApplication, so check those actions against the requirement above that the users must not change application or environment configuration.
The nice thing about his approach is that it scopes permissions to the application environment by referencing an EC2 tag on the instances (e.g. Environment=testing; the second policy below conditions on ec2:ResourceTag/elasticbeanstalk:environment-name), which is what your use case requires.
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"ElasticBeanstalkEnvironmentPermissions",
"Effect":"Allow",
"Action":[
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeEvents",
"elasticbeanstalk:RestartAppServer",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticbeanstalk:SwapEnvironmentCNAMEs",
"elasticbeanstalk:UpdateEnvironment",
"elasticbeanstalk:RequestEnvironmentInfo"
],
"Resource":[
"arn:aws:elasticbeanstalk:eu-west-1:123xxxxxxxxx:environment/ApplicationName/*"
]
},
{
"Sid":"ElasticBeanstalkGlobalPermissions",
"Effect":"Allow",
"Action":[
"elasticbeanstalk:DescribeConfigurationOptions",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:ListAvailableSolutionStacks",
"elasticbeanstalk:ValidateConfigurationSettings",
"elasticbeanstalk:CheckDNSAvailability",
"elasticbeanstalk:CreateStorageLocation"
],
"Resource":[
"*"
]
},
{
"Sid":"ElasticBeanstalkApplicationVersionPermissions",
"Effect":"Allow",
"Action":[
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:DescribeApplicationVersions",
"elasticbeanstalk:UpdateApplicationVersion"
],
"Resource":[
"arn:aws:elasticbeanstalk:eu-west-1:123xxxxxxxxx:applicationversion/ApplicationName/*"
]
},
{
"Sid":"ElasticBeanstalkApplicationPermissions",
"Effect":"Allow",
"Action":[
"elasticbeanstalk:DescribeApplications",
"elasticbeanstalk:UpdateApplication"
],
"Resource":[
"arn:aws:elasticbeanstalk:eu-west-1:123xxxxxxxxx:application/ApplicationName"
]
},
{
"Sid":"Autoscaling",
"Effect":"Allow",
"Action":[
"autoscaling:SuspendProcesses",
"autoscaling:Describe*",
"autoscaling:ResumeProcesses"
],
"Resource":"*"
},
{
"Sid":"Cloudwatch",
"Effect":"Allow",
"Action":[
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics"
],
"Resource":"*"
},
{
"Sid":"Cloudformation",
"Effect":"Allow",
"Action":[
"cloudformation:GetTemplate",
"cloudformation:Describe*"
],
"Resource":"*"
},
{
"Sid":"IAM",
"Effect":"Allow",
"Action":[
"iam:ListServerCertificates",
"iam:ListInstanceProfiles"
],
"Resource":"*"
},
{
"Sid":"S3ElasticBeanstalkBucket",
"Action":[
"s3:AbortMultipartUpload",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetLifecycleConfiguration",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionTorrent",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:ListBucket",
"s3:GetObject",
"s3:DeleteObject"
],
"Effect":"Allow",
"Resource":[
"arn:aws:s3:::elasticbeanstalk-eu-west-1-123xxxxxxxxx",
"arn:aws:s3:::elasticbeanstalk-eu-west-1-123xxxxxxxxx/*"
]
},
{
"Sid":"S3Global",
"Effect":"Allow",
"Action":"s3:ListAllMyBuckets",
"Resource":"arn:aws:s3:::*"
},
{
"Sid":"S3ElasticBeanstalkShared",
"Effect":"Allow",
"Action":"s3:*",
"Resource":[
"arn:aws:s3:::elasticbeanstalk-env-resources-eu-west-1",
"arn:aws:s3:::elasticbeanstalk-env-resources-eu-west-1/*"
]
},
{
"Sid":"EC2Global",
"Effect":"Allow",
"Action":[
"ec2:Describe*"
],
"Resource":[
"*"
]
}
]
}
The second IAM policy grants EC2 instance actions only on the instances belonging to a given environment, selected by a tag condition:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"EC2EnvironmentInstances",
"Effect":"Allow",
"Action":[
"ec2:MonitorInstances",
"ec2:UnmonitorInstances",
"ec2:RebootInstances",
"ec2:StopInstances"
],
"Resource":[
"arn:aws:ec2:eu-west-1:123xxxxxxxxx:instance/*"
],
"Condition":{
"StringEquals":{
"ec2:ResourceTag/elasticbeanstalk:environment-name":"EnvironmentName"
}
}
}
]
}