I am trying to make an IAM policy to restrict user access to all the instances in a specific VPC. I made the following policy, but it is not working.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1450441260778",
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "arn:aws:ec2:region:Account_num:vpc/vpc-id"
    }
  ]
}
I have filled in the corresponding account_num and vpc-id in the policy.
Apply a custom IAM policy to restrict the permissions of an IAM user, group, or role for creating EC2 instances in a specified VPC with tags. Use policy condition "ec2:ResourceTags" to limit control to instances. This policy grants permissions to launch EC2 instances in a designated VPC with a unique tag.
The policy does this by applying a condition key (ec2:Vpc) to the subnet resource. The policy also grants users permission to launch instances using only AMIs that have the tag "department=dev". You can find additional example IAM policies related to Amazon VPC in the following documentation:
Choose Attach Policy. An IAM entity with this custom policy attached can sign in to the AWS Management Console, open the Amazon EC2 dashboard, and then launch an EC2 instance after specifying the subnet, VPC, and tag. This policy restricts the following actions using the policy condition "ec2:ResourceTags":
You want to restrict the user access, and you have used the Allow attribute, which will give permission to access the instance. Is that the desired behavior? If you really want to restrict, try "Effect": "Deny" in the same policy.
However, if you want to give access to certain users, here's how you can do it.
The policy below works well for me in that case. I use it for the developers to restrict their access to start and stop the instances. You can add as many permissions as you want in the second block.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances*",
        "ec2:StopInstances*"
      ],
      "Resource": "arn:aws:ec2:ap-southeast-1:ACCOUNT_ID:instance/i-32ds2a29"
    }
  ]
}
ap-southeast-1 is the region in my case.
To control an instance in a specific VPC you can simply use its id. There is no separate ARN for vpc+instance_id; instead you can use arn:aws:ec2:region:account-id:instance/instance-id as the ARN (refer this).
Similarly, you can use the same policy to restrict the users in a specific VPC by using arn:aws:ec2:region:account-id:vpc/vpc-id as the ARN, adding the Action ec2:* and Deny as the Effect.
There are certain permissions that can't be applied to a specific resource. These permissions will show an error when you check the policy in IAM.
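The evaluation order this answer relies on (an explicit Deny beats any Allow, and an Allow only fires when the request's resource ARN matches the statement's Resource) can be seen with a small policy evaluator. This is an added example, not code from the question or from either answer; the account, VPC, subnet and instance identifiers are constructed, and the evaluator models only the * and ? wildcards and the StringEquals / StringNotEquals operators, which is all the policies on this page use.

```python
import json
import re

# Constructed identifiers for the worked requests (not real resources).
ACCOUNT = "123456789012"
VPC_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:vpc/vpc-0a1b2c3d"
OTHER_VPC_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:vpc/vpc-9f8e7d6c"
SUBNET_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:subnet/subnet-0123abcd"
INSTANCE_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0123456789abcdef0"

# Shape of the asker's policy: ec2:* allowed only on the VPC's own ARN.
ASKER_POLICY = json.loads(f"""{{
  "Version": "2012-10-17",
  "Statement": [
    {{"Effect": "Allow", "Action": "ec2:*", "Resource": "{VPC_ARN}"}}
  ]
}}""")

# Deny-based lock-down: broad Allow, then an explicit Deny on launching into a
# subnet whose VPC is not the target one (constructed example policy).
DENY_POLICY = json.loads(f"""{{
  "Version": "2012-10-17",
  "Statement": [
    {{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}},
    {{"Effect": "Deny", "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1:{ACCOUNT}:subnet/*",
      "Condition": {{"StringNotEquals": {{"ec2:Vpc": "{VPC_ARN}"}}}}}}
  ]
}}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value, ignore_case):
    """IAM-style glob: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _condition_ok(condition, context):
    """StringEquals fails when the key is absent from the request context;
    StringNotEquals (a negated operator) passes when the key is absent."""
    for operator, pairs in (condition or {}).items():
        for key, wanted in pairs.items():
            actual = context.get(key.lower())
            wanted = _as_list(wanted)
            if operator == "StringEquals":
                if actual is None or actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in wanted:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.

    Action names and condition keys are case-insensitive; resource ARNs are
    compared case-sensitively. A matching Deny ends evaluation immediately.
    """
    context = {k.lower(): v for k, v in (context or {}).items()}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_wild(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild(r, resource, False) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # The asker's Allow never matches an instance ARN, so instance actions are implicitly denied.
    print(evaluate(ASKER_POLICY, "ec2:StopInstances", INSTANCE_ARN))
    print(evaluate(ASKER_POLICY, "ec2:DeleteVpc", VPC_ARN))
    # The Deny fires only when the subnet's VPC differs (or the key is missing).
    print(evaluate(DENY_POLICY, "ec2:RunInstances", SUBNET_ARN, {"ec2:Vpc": VPC_ARN}))
    print(evaluate(DENY_POLICY, "ec2:RunInstances", SUBNET_ARN, {"ec2:Vpc": OTHER_VPC_ARN}))
```

The first two calls show why the asker's policy does nothing for instances: the request for ec2:StopInstances carries an instance ARN, which the vpc/ ARN in the statement never matches, so the result is an implicit deny rather than an error. The last two calls show the explicit Deny overriding the broad Allow only when the subnet's VPC is not the target.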
In order to restrict a user to a specific VPC and allow all EC2 actions, the following policy can help you achieve that:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NonResourceBasedReadOnlyPermissions",
      "Action": [
        "ec2:Describe*",
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup",
        "iam:GetInstanceProfiles",
        "iam:ListInstanceProfiles"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "IAMPassroleToInstance",
      "Action": [
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::123456789012:role/VPCLockDown"
    },
    {
      "Sid": "AllowInstanceActions",
      "Effect": "Allow",
      "Action": [
        "ec2:RebootInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:AttachVolume",
        "ec2:DetachVolume"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceProfile": "arn:aws:iam::123456789012:instance-profile/VPCLockDown"
        }
      }
    },
    {
      "Sid": "EC2RunInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceProfile": "arn:aws:iam::123456789012:instance-profile/VPCLockDown"
        }
      }
    },
    {
      "Sid": "EC2RunInstancesSubnet",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:subnet/*",
      "Condition": {
        "StringEquals": {
          "ec2:vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-7bcd371e"
        }
      }
    },
    {
      "Sid": "RemainingRunInstancePermissions",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1:123456789012:volume/*",
        "arn:aws:ec2:us-east-1::image/*",
        "arn:aws:ec2:us-east-1::snapshot/*",
        "arn:aws:ec2:us-east-1:123456789012:network-interface/*",
        "arn:aws:ec2:us-east-1:123456789012:key-pair/*",
        "arn:aws:ec2:us-east-1:123456789012:security-group/*"
      ]
    },
    {
      "Sid": "EC2VpcNonresourceSpecificActions",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteNetworkAcl",
        "ec2:DeleteNetworkAclEntry",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-7bcd371e"
        }
      }
    }
  ]
}
To understand in detail what each statement is doing, I would recommend reading this blog from AWS. This policy allows the user to:
Specify a subnet in the proper VPC.
Specify the allowed instance profiles.
Specify an instance launched with the proper instance profiles.
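The lock-down in this answer only holds as long as the RunInstances statements keep their shape: the subnet statement must carry the ec2:vpc condition, no RunInstances statement may grant "*" unconditionally, and every resource type a launch touches must still be allowed, or launches are refused. A small lint that checks those three properties before a policy is attached is added below; it is an example, not code from the answer or from AWS. It embeds only the three RunInstances statements of the policy above, with the same placeholder account, VPC and instance-profile identifiers, and recognises the action spelled as ec2:RunInstances, ec2:* or *.

```python
import copy
import json

# Resource types the answer's RunInstances statements cover; the lint expects an
# Allow for ec2:RunInstances on each of them (list taken from the ARNs above).
RUN_INSTANCES_RESOURCE_TYPES = {
    "instance", "subnet", "volume", "image", "snapshot",
    "network-interface", "key-pair", "security-group",
}

# Subset of the answer's policy: just the statements the VPC lock-down depends on.
LOCKDOWN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "EC2RunInstances", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
     "Condition": {"StringEquals": {"ec2:InstanceProfile":
         "arn:aws:iam::123456789012:instance-profile/VPCLockDown"}}},
    {"Sid": "EC2RunInstancesSubnet", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:us-east-1:123456789012:subnet/*",
     "Condition": {"StringEquals": {"ec2:vpc":
         "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-7bcd371e"}}},
    {"Sid": "RemainingRunInstancePermissions", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:us-east-1:123456789012:volume/*",
                  "arn:aws:ec2:us-east-1::image/*",
                  "arn:aws:ec2:us-east-1::snapshot/*",
                  "arn:aws:ec2:us-east-1:123456789012:network-interface/*",
                  "arn:aws:ec2:us-east-1:123456789012:key-pair/*",
                  "arn:aws:ec2:us-east-1:123456789012:security-group/*"]}
  ]
}""")

RUN_INSTANCES_SPELLINGS = {"*", "ec2:*", "ec2:runinstances"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def arn_resource_type(arn):
    """'arn:aws:ec2:us-east-1:123456789012:subnet/*' -> 'subnet'; a bare '*' -> '*'."""
    if arn == "*":
        return "*"
    return arn.split(":", 5)[5].split("/", 1)[0]


def _condition_keys(stmt):
    """All condition keys of a statement, lower-cased (IAM keys are case-insensitive)."""
    keys = set()
    for pairs in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in pairs)
    return keys


def lint_run_instances(policy):
    """Return a list of findings; an empty list means the lock-down shape is intact."""
    findings = []
    covered = set()
    for stmt in policy["Statement"]:
        actions = {a.lower() for a in _as_list(stmt["Action"])}
        if stmt["Effect"] != "Allow" or not actions & RUN_INSTANCES_SPELLINGS:
            continue
        keys = _condition_keys(stmt)
        sid = stmt.get("Sid", "<no Sid>")
        for arn in _as_list(stmt["Resource"]):
            rtype = arn_resource_type(arn)
            covered.add(rtype)
            if rtype == "*" and not keys:
                findings.append(f"{sid}: unconditional RunInstances on '*' bypasses the lock-down")
            elif rtype == "subnet" and "ec2:vpc" not in keys:
                findings.append(f"{sid}: subnet statement lacks an ec2:vpc condition, "
                                "so subnets in any VPC are allowed")
    if "*" not in covered:
        for rtype in sorted(RUN_INSTANCES_RESOURCE_TYPES - covered):
            findings.append(f"no Allow for ec2:RunInstances on resource type '{rtype}'; "
                            "launches that use one will be refused")
    return findings


def drop(policy, sid, field=None):
    """Deep copy of the policy with statement `sid` removed, or with one of its fields removed."""
    weakened = copy.deepcopy(policy)
    if field is None:
        weakened["Statement"] = [s for s in weakened["Statement"] if s.get("Sid") != sid]
    else:
        for stmt in weakened["Statement"]:
            if stmt.get("Sid") == sid:
                stmt.pop(field, None)
    return weakened


if __name__ == "__main__":
    print(lint_run_instances(LOCKDOWN_POLICY))                                       # []
    print(lint_run_instances(drop(LOCKDOWN_POLICY, "EC2RunInstancesSubnet", "Condition")))
    print(lint_run_instances(drop(LOCKDOWN_POLICY, "RemainingRunInstancePermissions")))
```

The second and third calls show the two ways the policy usually breaks in practice: someone removes the ec2:vpc condition to "make it work", which silently opens every VPC, or someone trims the RemainingRunInstancePermissions statement, after which the lock-down is intact but no launch succeeds.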