4
votes

Created an AWS IAM policy for a user to give permission for only stopping and starting an instance, but if I give a particular instance ARN as the resource it doesn't work. The default EC2 read-only permission has been given to the user to describe EC2 instances, and on top of that I added a customized sample policy as follows:

Sample policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ec2:Describe*",
                    "ec2:StopInstances",
                    "ec2:RunInstances",
                    "ec2:StartInstances"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }

This works.

Replacing the Resource element with any of the following does not work:

    "Resource": "arn:aws:ec2:<region>:<account id>:instance/<instance id>"
    "Resource": "arn:aws:ec2:<region>:<account id>:instance/*"
    "Resource": "arn:aws:ec2:<region>::instance/*"
    "Resource": "arn:aws:ec2:::instance/*"
    "Resource": "arn:aws:ec2:::*"

Edited on 23rd January (to show exactly what I have done)

Objective: Start and stop instance permission on a single EC2 instance to a user.

Tested different policy combinations, but none of them worked except "Resource": "*":

Logged in: admin_user (Full access)

Created an instance as follows:

  1. Region: Oregon

  2. Availability zone: us-west-2c

  3. Instance Id: i-xxx3dxxx32xxxxxxe

  4. Owner: xxx23xxx11

Created a user: testec2_user

Permissions given to the user:

  1. EC2 read only (available policy)
  2. Customized policy to permit only stopping and starting the i-xxx38xxx32xx45 instance, as follows:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ec2:Describe*",
                    "ec2:RunInstances"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "ec2:StopInstances",
                    "ec2:StartInstances"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:ec2:us-west-2c:xxx23xxx11:instance/i-xxx3dxxx32xxxxxxe"
            }
        ]
    }

Logged in as testec2_user, tried starting up the stopped instance and received the following error:

You are not authorized to perform this operation. Encoded authorization failure message

I have a plan to decode the received message using the AWS STS decode-authorization-message call.


2 Answers

4
votes

DescribeInstances does not support resource-level permissions. (See Unsupported Resource-Level Permissions).

If an Amazon EC2 API action does not support resource-level permissions, you can grant users permission to use the action, but you have to specify a * for the resource element of your policy statement.


So, you could re-write your policy as:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:Describe*",
                "ec2:RunInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:ec2:<region>:<account>:instance/<instance-id>"
        }
    ]
}

EDIT

RunInstances needs access to several resource types besides Instance (such as Image, Key pair, Network interface, Placement group, Security group, Snapshot, Subnet and Volume) and accepts a specific ARN format for each resource type. So arn:aws:ec2:<region>:<account id>:instance/* would not be enough, and you'll get an UnauthorizedOperation error. The "Resource" element should either be:

"Resource": "*"

Which is the easiest way, or:

"Resource": [
    "arn:aws:ec2:<region>:<account>:instance/*",
    "arn:aws:ec2:<region>::image/*",
    "arn:aws:ec2:<region>:<account>:key-pair/*",
    "arn:aws:ec2:<region>:<account>:network-interface/*",
    "arn:aws:ec2:<region>:<account>:placement-group/*",
    "arn:aws:ec2:<region>:<account>:security-group/*",
    "arn:aws:ec2:<region>::snapshot/*",
    "arn:aws:ec2:<region>:<account>:subnet/*",
    "arn:aws:ec2:<region>:<account>:volume/*"
]

Which is more complex but provides fine-grained control on each resource. For example, you can allow RunInstances execution for a specific EC2 image ID or subnet ID only. For more details, see the RunInstances section here.

Additional note on PassRole Permission

When executing RunInstances, if the EC2 instance should include an instance profile, the user who launches the EC2 instance must also have the IAM PassRole permission in order to associate a role with the instance during launch. For example:

{
    "Version": "2012-10-17",
    "Statement": [
        ...
        {
            "Action": "iam:PassRole",
            "Effect": "Allow",
            "Resource":"arn:aws:iam::<account>:role/<role-name>"
        }
    ]
}

This way, you make sure that a user doesn't pass a role to an EC2 instance where the role has more permissions than you want the user to have.

For more info on granting permission to launch EC2 instances with IAM roles, see this AWS blog article.
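One more thing worth checking in the question's second policy, as an added example that is not part of the question or of either answer: the ARN's region field holds the Availability Zone us-west-2c, but EC2 ARNs carry the region (us-west-2), so that statement can never match the ARN EC2 presents to IAM for the request. The script below builds the instance ARN with a region check, generates the start/stop policy in the shape of the answer above (RunInstances left out, since the stated objective is start/stop only), and runs a deliberately simplified IAM evaluator (Allow/Deny and wildcard matching only, no Condition handling) to show which statements match. The account id and instance id are constructed placeholders, and the region regex is a simplified assumption, not the authoritative list of region ids.

```python
"""Added example (not from the question or either answer): build the
start/stop policy, catch the AZ-in-region-field mistake, and approximate
IAM's matching to see which statements can ever match the request.
Account id and instance id below are constructed placeholders."""
import json
import re
from fnmatch import fnmatchcase

# A region id looks like us-west-2; an Availability Zone appends a letter
# (us-west-2c).  The ARN's region field must hold the region.  Simplified
# pattern (assumption): covers the standard commercial and GovCloud ids.
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")

# EC2 actions without resource-level permission support: IAM evaluates the
# request against resource "*", so only a statement with Resource "*" matches.
NO_RESOURCE_LEVEL = ("ec2:Describe*",)


def instance_arn(region: str, account: str, instance_id: str) -> str:
    """Instance ARN, rejecting an AZ in the region slot or a bad account id."""
    if not REGION_RE.match(region):
        raise ValueError(f"{region!r} is not a region (did you paste an AZ?)")
    if not re.fullmatch(r"\d{12}", account):
        raise ValueError("account id must be 12 digits")
    return f"arn:aws:ec2:{region}:{account}:instance/{instance_id}"


def start_stop_policy(region: str, account: str, instance_id: str) -> dict:
    """Least-privilege policy for the question's objective: Describe* on "*"
    (no resource-level support), Start/Stop on exactly one instance.
    RunInstances is left out because the objective is start/stop only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
            {
                "Effect": "Allow",
                "Action": ["ec2:StartInstances", "ec2:StopInstances"],
                "Resource": instance_arn(region, account, instance_id),
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any
    matching Allow grants.  Action names match case-insensitively with IAM
    wildcards; resource ARNs match case-sensitively.  Condition is ignored."""
    no_rl = any(fnmatchcase(action.lower(), p.lower()) for p in NO_RESOURCE_LEVEL)
    request_resource = "*" if no_rl else resource_arn
    allowed = False
    for st in policy["Statement"]:
        action_ok = any(fnmatchcase(action.lower(), a.lower())
                        for a in _as_list(st["Action"]))
        resource_ok = any(fnmatchcase(request_resource, r)
                          for r in _as_list(st["Resource"]))
        if action_ok and resource_ok:
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


ACCOUNT, INSTANCE = "123456789012", "i-0123456789abcdef0"   # constructed
# What EC2 actually presents to IAM for a StartInstances call in us-west-2.
REQUEST_ARN = f"arn:aws:ec2:us-west-2:{ACCOUNT}:instance/{INSTANCE}"

# The question's second policy, region slot holding the AZ "us-west-2c".
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:StopInstances", "ec2:StartInstances"],
         "Resource": f"arn:aws:ec2:us-west-2c:{ACCOUNT}:instance/{INSTANCE}"},
    ],
}

if __name__ == "__main__":
    fixed = start_stop_policy("us-west-2", ACCOUNT, INSTANCE)
    print(json.dumps(fixed, indent=2))
    for name, pol in (("question", QUESTION_POLICY), ("fixed", fixed)):
        for act in ("ec2:DescribeInstances", "ec2:StartInstances", "ec2:TerminateInstances"):
            print(f"{name:8s} {act:24s} -> {is_allowed(pol, act, REQUEST_ARN)}")
```

The evaluator is an approximation for reasoning about statement shape, not a replacement for the service. To check a policy against IAM itself before attaching it, use `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names ec2:StartInstances --resource-arns arn:aws:ec2:<region>:<account>:instance/<instance-id>`, and to read the encoded failure the question mentions, `aws sts decode-authorization-message --encoded-message <text>` (the caller needs sts:DecodeAuthorizationMessage).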

1
votes

This is how you specify multiple resources (the original snippet showed only the statement body; the enclosing policy document is completed here):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::BUCKET-NAME/home/${aws:username}",
        "arn:aws:s3:::BUCKET-NAME/home/${aws:username}/*"
      ]
    }
  ]
}

Source: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html

EDIT:

You can also use Conditions if you want to filter instead of listing all the required resources manually.
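A worked example of the Condition approach the answer above mentions, added here and not part of the original answer. Instead of enumerating one instance ARN per statement, the Start/Stop statement covers every instance in the account and region but only matches when the instance carries a tag, here Owner=testec2_user (the tag key and value are assumptions). ec2:ResourceTag/<key> is a condition key supported by StartInstances and StopInstances; Describe* stays on "*" because it has no resource-level support.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "arn:aws:ec2:<region>:<account>:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Owner": "testec2_user"
                }
            }
        }
    ]
}
```

The tag is now the security boundary, so whoever can write that tag can widen the grant: do not give this user ec2:CreateTags or ec2:DeleteTags on instances (or constrain those actions with their own Condition), and prefer a tag key that is set by your provisioning pipeline rather than by hand.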