AWS IAM EC2 policy limited to originating instance

3
votes

I'm working on a setup where I need to terminate AWS instances because of inactivity (i.e. nothing new in web-server access logs since a period of time). Those instances are testing instances and are created automatically by CI/CD software.

I would like those instances to identify themselves that they become abandoned and terminate themselves. I want to assign a generic iam-role to each of them that will only allow the instance the termination of itself and not the peer instances.

So far I've been here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-wheretouse https://www.reddit.com/r/aws/comments/4gglxk/iam_policy_to_allow_ec2_instance_to_only_query/ https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html

And figured out that there are 2 variables available in policies:

ec2-instance-id
ec2:SourceInstanceARN

I came up with few variations of my role policy but none of them work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/${ec2-instance-id}"
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "arn:aws:ec2:*:*:instance/${ec2-instance-id}"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "${ec2:SourceInstanceARN}"
        }
    ]
}

Is it actually possible to achieve the desired behavior, i.e. to only allow instance to perform specific operation on itself (e.g. Termination)?

UPDATE:
I do know that I can work with tags, that is what I'm doing meanwhile, but that means that all tagged instances can terminate their peers. That is a bit too loose restriction, I'd like to really limit it to the instance it

AWS IAM: Allow EC2 instance to stop itself
IAM policy to allow EC2 instance API access only to modify itself

1
amazon-web-servicesamazon-ec2amazon-iam
If terminating itself is your only concern, launch the instance with InstanceInitiatedShutdownBehavior set to Terminate and just have the code on the machine run /sbin/poweroff as root. When the EC2 infrastructure sees the instance try to power itself off, the instance will be terminated, exactly as if you sent an API request to terminate it.Michael - sqlbot
@Michael-sqlbot Great idea! Can also run sudo shutdown now -hJohn Rotenstein

1 Answers

7
votes

You were close with your condition. The trick is to compare instance ARN with ec2:sourceInstanceARN:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteTags",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:TerminateInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ARN": "${ec2:SourceInstanceARN}"
                }
            }
        }
    ]
}

Clearly for testing purposes I allowed my instances with this policy to tag and stop themselves.