AWS IAM Access Management

Question

I know that you can set up an IAM policy to restrict access to services. However, is it possible to set up a policy to allow access to a part of a service.

E.g. I am two EC2 instances. I need to create two users such that they have an access to the AWS console, but only to one EC2 instance each.

Answer 1

Yes you can do this with Resource-Level Permissions for EC2

The structure of the resource is stated in the documentation as follows:

arn:aws:[service]:[region]:[account]:resourceType/resourcePath

Here is how you would structure the IAM policies for each user:

User 1

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/InstanceIdOne"
    }
   ]
}

User 2

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/InstanceIdTwo"
    }
   ]
}

Answer 2

Policy without access to EC2:DescribeInstance will not work. You need to allow DescribeInstances access on all resources and manage additional access like modify, delete to specific instances depending on what the need is.

In short, allow all basic operations like Describe Tags, Instances, NetworkACLs, Images etc to all users and allow specific destructive actions like Modify and Delete to select user.

List of EC2 actions for your reference here http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Operations.html

So you have 2 options-

1. Create one policy like below and attach the same policy to both users

   {
     "Version": "2012-10-17",
     "Statement": [{
     "Effect": "Allow",
     "Action": "ec2:*Describe*",
     "Resource":"*",
     },
     {
       "Effect": "Allow",
       "Action": [
            "ec2:*Modify*",
            "ec2:*Delete*"
       ],
       "Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/**user-name-1**" },
       "Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/**InstanceIdOne**"
    },
    {
       "Effect": "Allow",
       "Action": [
          "ec2:*Modify*",
          "ec2:*Delete*"
    ],
       "Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/**user-name-2**" },
       "Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/**InstanceIdTwo**"
    }
   ]}
   

2. Create 2 different policies. Example for one below

   {
     "Version": "2012-10-17",
     "Statement": [{
     "Effect": "Allow",
     "Action": "ec2:*Describe*",
     "Resource":"*",
     },
     {
        "Effect": "Allow",
        "Action": [
            "ec2:*Modify*",
            "ec2:*Delete*"
        ],
        "Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/**user-name-1**" },
        "Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/**InstanceIdOne**"
    }
   ]}