IAM Contd
Solution: create a policy that can read (describe) EC2 instances but may start and stop only one particular EC2 instance
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:us-west-1:678879106782:instance/i-08107ac664be50526"
    }
  ]
}
- ARN format for an EC2 instance:
arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}
Partition = aws
Region = us-west-1
Account = 678879106782
InstanceId = i-08107ac664be50526
arn:aws:ec2:us-west-1:678879106782:instance/i-08107ac664be50526
- Only the StartInstances/StopInstances statement is scoped to this ARN. The EC2 Describe* actions do not support resource-level permissions, so their statement has to stay on Resource "*"; a Describe statement scoped to an instance ARN would grant nothing.
- Now refer to the following:

Give EC2 full access when the user is working on EC2 instances in the us-west-1 region, and read-only access in all other regions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": { "aws:RequestedRegion": "us-west-1" }
      }
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:*",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": { "aws:RequestedRegion": "us-west-1" }
      }
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:*",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": { "aws:RequestedRegion": "us-west-1" }
      }
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:*",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": { "aws:RequestedRegion": "us-west-1" }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "autoscaling.amazonaws.com",
            "ec2scheduled.amazonaws.com",
            "elasticloadbalancing.amazonaws.com",
            "spot.amazonaws.com",
            "spotfleet.amazonaws.com",
            "transitgateway.amazonaws.com"
          ]
        }
      }
    }
  ]
}
- Note on the condition key: ec2:Region is an EC2 service-specific key. Requests to Elastic Load Balancing, CloudWatch and Auto Scaling do not carry it, and a StringEquals / StringEqualsIgnoreCase condition on a key that is absent from the request evaluates to false, so a statement for those services conditioned on ec2:Region would never grant anything. The global condition key aws:RequestedRegion is present in every request, which is why it is used for all four services above. IAM is a global service, so the iam:CreateServiceLinkedRole statement (taken from the AmazonEC2FullAccess managed policy) carries no region condition at all.
- We evaluated this in class; refer to the classroom video.
Give EC2 full access when the user is working on t2.micro instances, and read-only access for all other instance types
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}
- Caveat: ec2:InstanceType is only present in the request context for actions on an instance resource. Any other EC2 action (security groups, volumes, key pairs, and so on) has no ec2:InstanceType key, so the conditioned ec2:* statement does not match it and the user is left with read-only access there. The same applies inside a single ec2:RunInstances call: it is authorized separately for every resource it touches (AMI, subnet, security group, network interface, key pair, volume), and only the instance resource carries ec2:InstanceType, so with this policy alone the user cannot launch a t2.micro at all. To allow launches, add a separate ec2:RunInstances statement for those other resource types without the InstanceType condition and keep the condition on the instance resource only.
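All three policies above depend on how IAM matches Action, Resource and Condition, and two of them depend on a condition key that is only present in some requests. The following is an added example (my constructed toy evaluator, not AWS's authorization engine and not code from the notes) that reproduces just those matching rules and runs trimmed copies of the three policies against constructed request contexts. It shows why a condition on the EC2-specific ec2:Region key cannot gate an Elastic Load Balancing request (the key is absent, so the condition fails) while aws:RequestedRegion can, and why the t2.micro policy denies RunInstances outright until a separate statement covers the AMI, subnet and security-group resources the call touches. The account and instance ids are those from the notes; the load balancer, AMI, subnet and security-group ids, and the extra RunInstances statement, are assumptions.

```python
"""Toy evaluator for the Allow/Condition logic used in the policies above.

Added, constructed example: not AWS's authorization engine and not code from
the notes. It models only what these policies use: Allow statements, '*' and
'?' wildcards in Action/Resource, and StringEquals / StringEqualsIgnoreCase,
including the IAM rule that a condition key absent from the request context
makes the condition false.
"""
import re

ACCOUNT = "678879106782"  # account id from the notes
INSTANCE_ARN = f"arn:aws:ec2:us-west-1:{ACCOUNT}:instance/i-08107ac664be50526"
ELB_ARN = f"arn:aws:elasticloadbalancing:us-west-1:{ACCOUNT}:loadbalancer/app/demo/abc123"  # constructed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case=False):
    """IAM wildcards: '*' is any run of characters, '?' is one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_met(condition, context):
    """All operators/keys must hold (AND); a key's value list is OR; a missing key is False."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringEqualsIgnoreCase"):
            raise NotImplementedError(operator)
        fold = str.lower if operator == "StringEqualsIgnoreCase" else (lambda s: s)
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or fold(actual) not in {fold(e) for e in _as_list(expected)}:
                return False
    return True


def is_allowed(policy, action, resource, context):
    """True if some Allow statement matches. Explicit Deny is not modelled (none on this page)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_glob_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_met(stmt.get("Condition", {}), context):
            return True
    return False


def is_allowed_on_all(policy, action, resource_contexts):
    """RunInstances is authorized once per resource it touches; every one must pass."""
    return all(is_allowed(policy, action, arn, ctx) for arn, ctx in resource_contexts)


# Trimmed versions of the three policies above (only the statements that matter here).
READ_PLUS_ONE_INSTANCE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": INSTANCE_ARN},
]}


def region_policy(region_key="ec2:Region"):
    """Full EC2/ELB access only in us-west-1; pass "aws:RequestedRegion" for the global key."""
    cond = {"StringEqualsIgnoreCase": {region_key: "us-west-1"}}
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": cond},
        {"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*",
         "Condition": cond},
    ]}


def instance_type_policy(allow_run_dependencies=False):
    """Full EC2 access only for t2.micro. allow_run_dependencies=True appends a hypothetical
    statement (not from the notes) covering the non-instance resources RunInstances touches."""
    statements = [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
         "Condition": {"StringEquals": {"ec2:InstanceType": "t2.micro"}}},
    ]
    if allow_run_dependencies:
        statements.append({"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [
            "arn:aws:ec2:*::image/ami-*",
            f"arn:aws:ec2:*:{ACCOUNT}:subnet/*",
            f"arn:aws:ec2:*:{ACCOUNT}:security-group/*",
            f"arn:aws:ec2:*:{ACCOUNT}:network-interface/*",
            f"arn:aws:ec2:*:{ACCOUNT}:volume/*",
            f"arn:aws:ec2:*:{ACCOUNT}:key-pair/*",
        ]})
    return {"Version": "2012-10-17", "Statement": statements}


def run_instances_targets(instance_type):
    """Resources one RunInstances call touches (constructed ids); only the instance carries the type key."""
    return [
        (f"arn:aws:ec2:us-west-1:{ACCOUNT}:instance/*", {"ec2:InstanceType": instance_type}),
        ("arn:aws:ec2:us-west-1::image/ami-0123456789abcdef0", {}),
        (f"arn:aws:ec2:us-west-1:{ACCOUNT}:subnet/subnet-0123456789abcdef0", {}),
        (f"arn:aws:ec2:us-west-1:{ACCOUNT}:security-group/sg-0123456789abcdef0", {}),
    ]


if __name__ == "__main__":
    elb_ctx = {"aws:RequestedRegion": "us-west-1"}  # an ELB request carries no ec2:Region
    print("ELB create, ec2:Region key:", is_allowed(region_policy(), "elasticloadbalancing:CreateLoadBalancer", ELB_ARN, elb_ctx))
    print("ELB create, aws:RequestedRegion:", is_allowed(region_policy("aws:RequestedRegion"), "elasticloadbalancing:CreateLoadBalancer", ELB_ARN, elb_ctx))
    print("RunInstances t2.micro, notes' policy:", is_allowed_on_all(instance_type_policy(), "ec2:RunInstances", run_instances_targets("t2.micro")))
    print("RunInstances t2.micro, with dependency statement:", is_allowed_on_all(instance_type_policy(True), "ec2:RunInstances", run_instances_targets("t2.micro")))
```

Against a real account the equivalent check is the policy simulator, for example "aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names elasticloadbalancing:CreateLoadBalancer --context-entries ContextKeyName=aws:RequestedRegion,ContextKeyValues=us-west-1,ContextKeyType=string", which reports the matched statement (or "implicitDeny") for each action and resource; the toy above only reproduces the three rules that matter for these policies, so run the simulator before trusting any of them.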