
I'm trying to narrow down the minimal policy to run a predefined machine image. The image is based on two snapshots and I only want "m1.medium" instance types to be launched.

Based on that and with the help of this page and this article, I worked out the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1385026304010",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": "m1.medium"
                }
            },
            "Resource": [
                "arn:aws:ec2:us-east-1::instance/*",
                "arn:aws:ec2:us-east-1::image/ami-f1c3e498",
                "arn:aws:ec2:us-east-1::snapshot/snap-e2f51ffa",
                "arn:aws:ec2:us-east-1::snapshot/snap-18ca2000",
                "arn:aws:ec2:us-east-1::key-pair/shenton",
                "arn:aws:ec2:us-east-1::security-group/sg-6af56d02",
                "arn:aws:ec2:us-east-1::volume/*"
            ]
        }
    ]
}

The policy narrows down the exact image, snapshots, security group and key-pair while leaving the specific instance and volume open.

I'm using the CLI tools as follows, as described here:

aws ec2 run-instances --dry-run \
    --image-id ami-f1c3e498 \
    --key-name shenton \
    --security-group-ids sg-6af56d02 \
    --instance-type m1.medium

The ~/.aws/config is as follows:

[default]
output = json
region = us-east-1
aws_access_key_id = ...
aws_secret_access_key = ...

The command results in a generic "You are not authorized to perform this operation" message, and the encoded authorization failure message indicates that none of my statements were matched and therefore it rejects the action.

Changing to "Resource": "*" resolves the issue obviously, but I want to gain more understanding as to why the above doesn't work. I fully realize that this involves some degree of guess work, so I welcome any ideas.

Ja͢ck

1 Answer


I've been contacted by Jeff Barr from Amazon Web Services and he kindly helped me find out what the issue was.

First you need to decode the authorization failure message using the following statement:

$ aws sts decode-authorization-message --encoded-message 6gO3mM3p....IkgLj8ekf

Make sure the IAM user / role has permission for the sts:DecodeAuthorizationMessage action.

The response contains a DecodedMessage key comprising another JSON encoded body:

{
    "allowed": false,
    "explicitDeny": false,
    "matchedStatements": {
        "items": []
    },
    "failures": {
        "items": []
    },
    "context": {
        "principal": {
            "id": "accesskey",
            "name": "testuser",
            "arn": "arn:aws:iam::account:user/testuser"
        },
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:us-east-1:account:instance/*",
        "conditions": { ... }
    }
}

Under context => resource it will show what resource it was attempting to match against the policy; as you can see, it expects an account number. The arn documentation should therefore be read as:

Unless otherwise specified, the region and account are required.

Adding the account number or * in the affected ARNs fixed the problem:

"Resource": [
    "arn:aws:ec2:us-east-1:*:instance/*",
    "arn:aws:ec2:us-east-1:*:image/ami-f1c3e498",
    "arn:aws:ec2:us-east-1:*:snapshot/snap-e2f51ffa",
    "arn:aws:ec2:us-east-1:*:snapshot/snap-18ca2000",
    "arn:aws:ec2:us-east-1:*:key-pair/shenton",
    "arn:aws:ec2:us-east-1:*:security-group/sg-6af56d02",
    "arn:aws:ec2:us-east-1:*:volume/*"
]
Ja͢ck
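To make the two points of the answer concrete (reading the `DecodedMessage` returned by `aws sts decode-authorization-message`, and seeing why a Resource ARN with an empty account segment never matches the `arn:aws:ec2:us-east-1:account:instance/*` that EC2 asks for), here is an added Python example that is not part of the original post. It embeds a constructed `DecodedMessage` modelled on the one above (the account id `123456789012` is a made-up placeholder) and a segment-by-segment wildcard matcher, which is a simplified model of IAM's ARN evaluation assumed here, not AWS's own code. It runs offline with the standard library only.

```python
import json
import re

# Constructed sample modelled on the DecodedMessage shown in the answer.
# 123456789012 is a placeholder account id, not a real account.
DECODED_MESSAGE = json.dumps({
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "failures": {"items": []},
    "context": {
        "principal": {
            "id": "accesskey",
            "name": "testuser",
            "arn": "arn:aws:iam::123456789012:user/testuser",
        },
        "action": "ec2:RunInstances",
        # EC2 evaluates RunInstances against instance/* because the
        # instance id does not exist yet; note the account segment is filled in.
        "resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "conditions": {"items": []},
    },
})

# Resource list from the question (empty account segment, "::").
ORIGINAL_RESOURCES = [
    "arn:aws:ec2:us-east-1::instance/*",
    "arn:aws:ec2:us-east-1::image/ami-f1c3e498",
    "arn:aws:ec2:us-east-1::snapshot/snap-e2f51ffa",
    "arn:aws:ec2:us-east-1::snapshot/snap-18ca2000",
    "arn:aws:ec2:us-east-1::key-pair/shenton",
    "arn:aws:ec2:us-east-1::security-group/sg-6af56d02",
    "arn:aws:ec2:us-east-1::volume/*",
]

# Resource list from the answer ("*" in the account segment).
CORRECTED_RESOURCES = [r.replace("us-east-1::", "us-east-1:*:") for r in ORIGINAL_RESOURCES]


def split_arn(arn):
    """Split an ARN into its six segments; the resource segment keeps any ':' it contains."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not a well-formed ARN: {arn!r}")
    return parts


def segment_matches(pattern, value):
    """Match one ARN segment: '*' is any run of characters, '?' exactly one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def arn_matches(pattern, arn):
    """Segment-wise wildcard match (simplified model of IAM's ARN matching, assumed here)."""
    return all(segment_matches(p, v) for p, v in zip(split_arn(pattern), split_arn(arn)))


def matching_resources(resources, arn):
    """Return the Resource patterns that cover the requested ARN."""
    return [r for r in resources if arn_matches(r, arn)]


def explain_denial(decoded_json, resources):
    """Summarise a DecodedMessage and report which Resource patterns cover context.resource."""
    msg = json.loads(decoded_json)
    ctx = msg["context"]
    return {
        "allowed": msg["allowed"],
        "action": ctx["action"],
        "resource": ctx["resource"],
        "matched_statements": len(msg["matchedStatements"]["items"]),
        "covering_resources": matching_resources(resources, ctx["resource"]),
    }


if __name__ == "__main__":
    for label, res in (("original", ORIGINAL_RESOURCES), ("corrected", CORRECTED_RESOURCES)):
        print(label, json.dumps(explain_denial(DECODED_MESSAGE, res), indent=2))
```

Run against the original list, `covering_resources` is empty, which is exactly what `matchedStatements.items: []` in the decoded message reports; against the corrected list, only `arn:aws:ec2:us-east-1:*:instance/*` covers the request. The image and snapshot patterns are unaffected either way, since an empty account segment and `*` both match an ARN whose account segment is empty.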
  • The arn for AMIs does not take an account # - so it's either blank, or "*". Thank you for this post - I would have never solved this without it! – curious_george May 28 '15 at 22:22
  • I did the same as you but my initialization failed... I don't understand. Can you please share your full policy? – Kernelv5 Jun 25 '15 at 20:10
  • @Shafiulkarim That's really the whole policy I have; I guess if this doesn't answer your question, feel free to ask another one and ping me with the link. – Ja͢ck Jun 25 '15 at 21:21
  • Yes, I added a new post: [link](http://stackoverflow.com/questions/31079495/aws-ec2-resource-level-initialization-failed) – Kernelv5 Jun 26 '15 at 18:07
  • I've created [a little shell function](https://gist.github.com/xiongchiamiov/b0ef0251813625307371d0e11e131759) that parses out the message, unescapes it, and pretty-prints it, given just the initial encoded message. – Xiong Chiamiov Apr 14 '16 at 22:15
  • The STS `decode-authorization-message` command helped me solve my problem, which was different from yours. Thanks for this! – adentinger Feb 13 '19 at 01:06
  • At the end add `--output text`: `$ aws sts decode-authorization-message --encoded-message ... --output text`, so that it is easier to format. – Edenshaw May 19 '21 at 19:14