Amazon AWS IAM Policy for single VPC Subnet

Tags: amazon-iam, amazon-vpc

I want to create an IAM policy that allows a user to deploy instances as follows:

  1. They can only use 1 AMI
  2. They can only deploy to 1 specific VPC subnet
  3. They can only use 1 specific VPC security group

This scenario is addressed in the VPC documentation here (Example 4):

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html#subnet-sg-example-iam

I have tried my own version of the policy as such:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": [
            "arn:aws:ec2:eu-west-1:937821706121:image/ami-141ac363",
            "arn:aws:ec2:eu-west-1:937821706121:subnet/subnet-733de516",
            "arn:aws:ec2:eu-west-1:937821706121:network-interface/*",
            "arn:aws:ec2:eu-west-1:937821706121:volume/*",
            "arn:aws:ec2:eu-west-1:937821706121:key-pair/*",
            "arn:aws:ec2:eu-west-1:937821706121:security-group/sg-4aa80f2f"
        ]
    }]
}

It doesn't work. I get permission denied when I attempt to deploy instances as a user who is a member of a group where this policy applies. Is there some other policy I need to include with this to allow instance deployment in this way?

Best Answer

Basically, the IAM documentation is totally unreliable when it comes to doing anything other than set global admin or read-only policies.

This is the policy I eventually got to work (for the subnet bit at least):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:eu-west-1:937821706121:network-interface/*"
            ],
            "Condition": {
                "ArnNotEquals": {
                    "ec2:Subnet": "arn:aws:ec2:eu-west-1:937821706121:subnet/subnet-733de516"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:eu-west-1::image/ami-*",
                "arn:aws:ec2:eu-west-1:937821706121:network-interface/*",
                "arn:aws:ec2:eu-west-1:937821706121:instance/*",
                "arn:aws:ec2:eu-west-1:937821706121:subnet/*",
                "arn:aws:ec2:eu-west-1:937821706121:volume/*",
                "arn:aws:ec2:eu-west-1:937821706121:key-pair/*",
                "arn:aws:ec2:eu-west-1:937821706121:security-group/*"
            ]
        }
    ]
}

This took a lot of trial and error.

Basically, when you want to limit the user based on specific resources, you need to create a Statement that first denies the ability to run instances unless conditions are met on specific arn resources, and then at the end, permit them to do anything.

Update:

Amazon have admitted that their docs were inaccurate:

https://forums.aws.amazon.com/thread.jspa?threadID=160287&tstart=0
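As an added illustration (not part of the question or the answer above), the following Python script is a deliberately simplified model of the two IAM evaluation rules the accepted answer's "deny unless the condition holds, then allow broadly" pattern relies on: an explicit Deny that matches any resource in the request overrides every Allow, and a resource that no Allow statement covers falls to the implicit deny. It evaluates a RunInstances request against two constructed policies with the same shape as the two policies on this page. The account id, subnet, AMI, ENI and security-group ids are placeholders; the image ARN in both constructed policies uses the empty account field, as in the answer's Allow statement. The ArnNotEquals handling (the condition holds when the ec2:Subnet key is absent) follows IAM's documented behaviour for negated operators; everything else is a toy evaluator, not the real IAM engine.

```python
import fnmatch

# Constructed placeholder identifiers; not the question's real account or resource ids.
ACCOUNT = "111111111111"
REGION = "eu-west-1"


def arn(resource: str, account: str = ACCOUNT) -> str:
    """Build an EC2 ARN; AMI ARNs are written with an empty account field."""
    return f"arn:aws:ec2:{REGION}:{account}:{resource}"


ALLOWED_SUBNET = arn("subnet/subnet-aaaa1111")
OTHER_SUBNET = arn("subnet/subnet-bbbb2222")

# Same shape as the accepted answer: explicit Deny on the network interface unless
# ec2:Subnet matches, then a broad Allow over every resource type RunInstances touches.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": [arn("network-interface/*")],
            "Condition": {"ArnNotEquals": {"ec2:Subnet": ALLOWED_SUBNET}},
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                arn("image/ami-*", account=""),
                arn("network-interface/*"),
                arn("instance/*"),
                arn("subnet/*"),
                arn("volume/*"),
                arn("key-pair/*"),
                arn("security-group/*"),
            ],
        },
    ],
}

# Same shape as the question's policy: a single Allow, no Deny, no instance/* resource.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                arn("image/ami-aaaa1111", account=""),
                ALLOWED_SUBNET,
                arn("network-interface/*"),
                arn("volume/*"),
                arn("key-pair/*"),
                arn("security-group/sg-aaaa1111"),
            ],
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern: str, value: str) -> bool:
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition: dict, context: dict) -> bool:
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "ArnEquals":
                if actual is None or not _wild(expected, actual):
                    return False
            elif operator == "ArnNotEquals":
                # Negated operators hold when the key is absent or the value differs.
                if actual is not None and _wild(expected, actual):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def _statement_applies(stmt: dict, action: str, resource: str, context: dict) -> bool:
    if not any(_wild(a, action) for a in _as_list(stmt["Action"])):
        return False
    if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policy: dict, action: str, resources: list, context: dict):
    """Return ('Allow', None), or ('Deny', reason) for the first resource that fails.

    Every resource the call is authorized against must be allowed; an explicit Deny
    on any of them wins, and a resource with no matching Allow is implicitly denied.
    """
    for resource in resources:
        effects = {s["Effect"] for s in policy["Statement"]
                   if _statement_applies(s, action, resource, context)}
        if "Deny" in effects:
            return "Deny", f"explicit deny on {resource}"
        if "Allow" not in effects:
            return "Deny", f"no Allow statement covers {resource}"
    return "Allow", None


def run_instances_request(subnet: str):
    """Resource ARNs and condition context for a launch into `subnet` (constructed)."""
    resources = [
        arn("image/ami-aaaa1111", account=""),
        arn("network-interface/eni-aaaa1111"),
        arn("instance/i-aaaa1111"),
        subnet,
        arn("volume/vol-aaaa1111"),
        arn("security-group/sg-aaaa1111"),
    ]
    return resources, {"ec2:Subnet": subnet}


if __name__ == "__main__":
    for name, policy in (("answer-shaped", ANSWER_POLICY), ("question-shaped", QUESTION_POLICY)):
        for subnet in (ALLOWED_SUBNET, OTHER_SUBNET):
            res, ctx = run_instances_request(subnet)
            print(name, subnet.rsplit("/", 1)[-1], evaluate(policy, "ec2:RunInstances", res, ctx))
```

Running it shows the answer-shaped policy allowing a launch into the permitted subnet and explicitly denying any other subnet via the network-interface Deny, while the question-shaped policy is implicitly denied even for the permitted subnet because none of its resources covers the instance ARN that RunInstances is also authorized against.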