Access to an Amazon EC2 instance can be controlled by tagging the instance and attaching a policy to a user or group whose Condition element checks for that tag. This works well enough for small deployments of 5 to 10 instances, but more efficient options are available once the number of users and instances grows.

Writing a separate policy for each user or group, each with that user's tag value hard-coded in its condition, is not practical for a large number of users and EC2 instances.

With larger EC2 fleets, a single IAM policy that combines a Condition element with a policy variable reduces administrative overhead: the same policy, attached to every user or group, grants each user control of exactly the instances tagged with that user's name. The following steps build a sample policy that does this by comparing the ec2:ResourceTag/UserName condition key with the ${aws:username} policy variable.

  1. Create a basic EC2 administration policy
    This policy grants full control of all EC2 instances in the account:
    {
        "Version" : "2012-10-17",
        "Statement" : [
            {
                "Effect" : "Allow",
                "Action" : "ec2:*",
                "Resource" : "*"
            }
        ]
    }
  2. Modify the policy with a condition that grants access to an EC2 resource only when the value of its UserName tag (the ec2:ResourceTag/UserName condition key) equals the caller's IAM user name (the ${aws:username} policy variable).
    With this condition, full control is limited to resources whose UserName tag matches the name of the calling IAM user. Any EC2 action that supports the condition succeeds when the tag matches; an action whose target is not tagged with the user's name, or that does not support resource-level permissions at all, is implicitly denied. Note that aws:username is populated only for IAM users; it is absent for role sessions and federated users, so for those principals the condition always fails and a different key (for example aws:userid or aws:PrincipalTag with session tags) would have to be used instead.

    Note
    "Full control" extends to all actions within the EC2 namespace with the exception of those Amazon EC2 API actions that currently do not support resource-level permissions. For more information, see Unsupported Resource-Level Permissions in the Amazon EC2 API Reference.
    {
        "Version" : "2012-10-17",
        "Statement" : [
            {
                "Effect" : "Allow",
                "Action" : "ec2:*",
                "Resource" : "*",
                "Condition" : {
                    "StringEquals" : {
                        "ec2:ResourceTag/UserName" : "${aws:username}"
                    }
                }
            }
        ]
    }
  3. Add a statement that allows the ec2:Describe* actions on all EC2 resources. Users must be able to describe EC2 resources in order to interact with them; the console and the CLI call DescribeInstances before they can act on an instance.
    The ec2:Describe* actions do not support resource-level permissions, so the ec2:ResourceTag condition in the previous statement can never be satisfied for them. They must be allowed in a separate statement without the condition. As a consequence, every user covered by the policy can list every EC2 resource in the account, not only their own; the tag condition limits what a user can change, not what they can see.
    {
        "Version" : "2012-10-17",
        "Statement" : [
            {
                "Effect" : "Allow",
                "Action" : "ec2:*",
                "Resource" : "*",
                "Condition" : {
                    "StringEquals" : {
                        "ec2:ResourceTag/UserName" : "${aws:username}"
                    }
                }
            },
            {
                "Effect" : "Allow",
                "Action" : "ec2:Describe*",
                "Resource" : "*"
            }
        ]
    }
  4. Add a statement that explicitly denies the ec2:CreateTags and ec2:DeleteTags actions. Without it, a user who can change tags could take control of any EC2 resource simply by tagging it with their own user name, or lock another user out by deleting that user's tag.
    The explicit deny is recommended even though the statements above do not grant CreateTags or DeleteTags on other users' resources, because another policy attached to the same user or group might. When IAM evaluates a request, an explicit Deny in any applicable policy overrides every Allow, regardless of the order of statements or policies. Be aware that this deny also blocks tagging on creation (RunInstances with a TagSpecifications parameter requires ec2:CreateTags), so the UserName tag has to be applied by an administrator or an automated process that is not subject to this policy.
    {
        "Version" : "2012-10-17",
        "Statement" : [
            {
                "Effect" : "Allow",
                "Action" : "ec2:*",
                "Resource" : "*",
                "Condition" : {
                    "StringEquals" : {
                        "ec2:ResourceTag/UserName" : "${aws:username}"
                    }
                }
            },
            {
                "Effect" : "Allow",
                "Action" : "ec2:Describe*",
                "Resource" : "*"
            },
            {
                "Effect" : "Deny",
                "Action" : [
                    "ec2:CreateTags",
                    "ec2:DeleteTags"
                ],
                "Resource" : "*"
            }
        ]
    }
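
The following Python script is an added example, not part of the original article and not AWS code. It embeds the final policy from step 4 and runs a deliberately small, offline model of IAM evaluation over a few constructed requests, modelling only the three rules the policy relies on: substitution of ${aws:username} in the condition, the absence of the ec2:ResourceTag key for actions without resource-level permissions, and an explicit Deny overriding an Allow from any attached policy. The user names, tags, the second "other" policy and the list of actions without resource-level permissions are assumptions for illustration.

```python
"""Offline model of how IAM evaluates the tag-based EC2 policy from steps 1-4.

Added example, not AWS code. Only the rules the policy depends on are modelled.
"""
import fnmatch
import json
from dataclasses import dataclass, field

# The final policy from step 4, embedded so the script runs stand-alone.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {"StringEquals": {"ec2:ResourceTag/UserName": "${aws:username}"}}
    },
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Resource": "*"}
  ]
}
""")

# Same policy without the step-4 Deny, to show why that statement matters.
POLICY_WITHOUT_DENY = {"Version": "2012-10-17", "Statement": POLICY["Statement"][:2]}

# Assumed second policy that someone else might attach to the same user.
OTHER_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "*"}]}

# Assumed subset of EC2 actions with no resource-level permissions: the
# ec2:ResourceTag key is absent from their request context.
NO_RESOURCE_LEVEL = {"ec2:describeinstances", "ec2:describetags"}


@dataclass
class Request:
    username: str                                      # aws:username of the caller
    action: str                                        # e.g. "ec2:StopInstances"
    resource_tags: dict = field(default_factory=dict)  # tags on the target resource


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and '*' matches any characters.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_matches(condition, req):
    """Evaluate a Condition block; only StringEquals on ec2:ResourceTag/* is modelled."""
    if not condition:
        return True
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if not key.startswith("ec2:ResourceTag/"):
                raise NotImplementedError(f"condition key {key} not modelled")
            if req.action.lower() in NO_RESOURCE_LEVEL:
                return False  # key missing from the context, so StringEquals fails
            actual = req.resource_tags.get(key[len("ec2:ResourceTag/"):])
            # Policy-variable substitution happens at evaluation time.
            if actual != expected.replace("${aws:username}", req.username):
                return False
    return True


def evaluate(policies, req):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request.

    All policies attached to the principal are evaluated together: a matching
    Deny wins wherever it appears, otherwise any matching Allow wins.
    Resource is "*" in every statement here, so resource matching is skipped.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_action_matches(p, req.action) for p in _as_list(stmt["Action"])):
                continue
            if not _condition_matches(stmt.get("Condition"), req):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def demo():
    """Constructed requests covering each behaviour the policy relies on."""
    return {
        "stop own instance": evaluate(
            [POLICY], Request("alice", "ec2:StopInstances", {"UserName": "alice"})),
        "stop bob's instance": evaluate(
            [POLICY], Request("alice", "ec2:StopInstances", {"UserName": "bob"})),
        "describe (no resource-level permissions)": evaluate(
            [POLICY], Request("alice", "ec2:DescribeInstances")),
        "tag own instance": evaluate(
            [POLICY], Request("alice", "ec2:CreateTags", {"UserName": "alice"})),
        "tag bob's instance, extra policy, with Deny": evaluate(
            [POLICY, OTHER_POLICY], Request("alice", "ec2:CreateTags", {"UserName": "bob"})),
        "tag bob's instance, extra policy, without Deny": evaluate(
            [POLICY_WITHOUT_DENY, OTHER_POLICY],
            Request("alice", "ec2:CreateTags", {"UserName": "bob"})),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{result:13} {case}")
```

The last two cases are the point of step 4: with only the first two statements, a stray Allow for ec2:CreateTags from another policy lets alice retag bob's instance, and the explicit Deny closes that path. Before relying on the real policy, run it through the IAM policy simulator or aws iam simulate-custom-policy, which apply the full evaluation rules rather than this model.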
