AWS describe-instances limiting to tagged

amazon ec2amazon-iamamazon-web-servicesaws-cli

With the following policy in AWS IAM:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/project": "projectA"
                }
            },
            "Resource": [
                "arn:aws:ec2:your_region:your_account_ID:instance/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": [
                "arn:aws:ec2:eu-west-1:REMOVED:instance/i-REMOVED"
            ]
        }
    ]
}

I'm able to start/stop based on the resource set to a specific instance ID. The action of DescribeInstances, on the other hand, which I would like to limit to EC2 assets tagged with "project=projectA" doesn't seem to work.

I've tried to list them with aws cli as:

aws ec2 describe-instances --filters Name=tag:project,Values=projectA

And the tag is in fact added to the EC2 asset in question.

Any tips/recommendations?

P.S.: I've also tried setting the resource in the describeinstances part as *, and still no go.

Best Answer

Closing this question, as it appears that conditions are not supported by DescribeInstances.

No resource limiting is permitted by DescribeInstances (tags, specific instances IDs, etc).

Related Solutions

AWS RDS CLI: AccessDenied on CreateDBSnapshot

It is indeed strange, but it appears that the CreateDBSnapshot permission also has to be assigned to the destination snapshot.

This policy works:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmtxxxxxxxxxxxxxx",
            "Effect": "Allow",
            "Action": [
                "rds:CreateDBSnapshot"
            ],
            "Resource": [
                "arn:aws:rds:eu-west-1:xxxxxxxxxxxxxx:db:my-database",
                "arn:aws:rds:eu-west-1:xxxxxxxxxxxxxx:snapshot:*"
            ]
        }
    ]
}

Create an IAM Policy that allows everything except IAM except PassRole

To me, this seems likes a bug in the Policy Simulator. Even Amazon themselves declares a policy just like yours in an example of theirs. The simulator complains, but actually attaching this policy to a user works out fine.

What am I doing wrong with the named role?

To the best of my knowledge, nothing.

What could the security implications be by allowing PassRole for all (I'm assuming the policy simulator isn't fibbing).

Well, you'd be allowing the iam:PassRole action for any role. That basically means that a user with this policy would be able to launch an EC2 instance with any IAM role attached to it. It's also explained in the AWS documentation I linked above:

Alternatively, you could grant IAM users access to all your roles by specifying the resource as "*" in this policy. However, consider whether users who launch instances with your roles (ones that exist or that you'll create later on) might be granted permissions that they don't need or shouldn't have.

Best Answer

Related Solutions

AWS RDS CLI: AccessDenied on CreateDBSnapshot

Create an IAM Policy that allows everything except IAM except PassRole

Related Topic