AWS IAM Access Management

Submitted by 醉酒当歌 on 2019-12-01 06:00:59
EFeit

Yes, you can do this with Resource-Level Permissions for EC2.

The structure of the resource is stated in the documentation as follows:

arn:aws:[service]:[region]:[account]:resourceType/resourcePath

Here is how you would structure the IAM policies for each user:

User 1

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/InstanceIdOne"
    }
  ]
}

User 2

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/InstanceIdTwo"
    }
  ]
}

A policy without access to ec2:DescribeInstances will not work. You need to allow DescribeInstances access on all resources and manage additional access, like modify and delete, to specific instances depending on what the need is.

In short, allow all basic operations like Describe Tags, Instances, NetworkACLs, Images, etc. to all users, and allow specific destructive actions like Modify and Delete to select users.

A list of EC2 actions for your reference is here: http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Operations.html

So you have 2 options:

  1. Create one policy like the one below and attach the same policy to both users

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:*Describe*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:*Modify*",
            "ec2:*Delete*"
          ],
          "Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/InstanceIdOne",
          "Condition": { "StringEquals": { "aws:username": "user-name-1" } }
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:*Modify*",
            "ec2:*Delete*"
          ],
          "Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/InstanceIdTwo",
          "Condition": { "StringEquals": { "aws:username": "user-name-2" } }
        }
      ]
    }
    
  2. Create 2 different policies. An example of one is below

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:*Describe*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:*Modify*",
            "ec2:*Delete*"
          ],
          "Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/InstanceIdOne"
        }
      ]
    }
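The following is an added example, not code from either answer: it builds the split-statement policy the second answer recommends (Describe* on every resource, mutating actions only on named instances) and lints a policy for the two pitfalls raised in this thread, namely Describe actions or `ec2:*` scoped to an instance ARN (the first answer's shape, which leaves the user unable to list instances) and a `Principal` element in an identity-based policy (which IAM rejects; a shared policy is narrowed per user with an `aws:username` condition instead). The account id, region, instance ids and user names are placeholders.

```python
import json

def build_user_policy(account_id, region, instance_ids, mutating_actions, username=None):
    """Identity-based policy in the shape the answers recommend: Describe* on
    every resource, mutating actions only on the listed instances. With
    username set, the scoped statement also gets an aws:username condition,
    which is how one shared policy (option 1) is narrowed per user, because an
    identity-based policy cannot carry a Principal element."""
    arns = [f"arn:aws:ec2:{region}:{account_id}:instance/{i}" for i in instance_ids]
    scoped = {"Effect": "Allow", "Action": sorted(mutating_actions), "Resource": arns}
    if username:
        scoped["Condition"] = {"StringEquals": {"aws:username": username}}
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        scoped,
    ]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def lint_policy(policy):
    """Flag the mistakes discussed in this thread; [] means none were found."""
    findings = []
    for n, st in enumerate(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        resources = _as_list(st.get("Resource"))
        if "Principal" in st:
            findings.append(f"statement {n}: Principal is not allowed in an "
                            "identity-based policy; use a Condition on aws:username")
        # Describe* calls (and ec2:*, which includes them) are only honoured
        # with Resource "*": scoping them to an instance ARN denies the read
        # calls the console and CLI make before any modify/delete.
        if any("describe" in a or a == "ec2:*" for a in actions) and "*" not in resources:
            findings.append(f"statement {n}: Describe actions need Resource \"*\"; "
                            "grant them in their own statement")
    return findings

def load_policy(text):
    """Parse policy JSON; a trailing comma (as in the option-1 snippet) is
    rejected by AWS too, so report it as a finding rather than raising."""
    try:
        return json.loads(text), []
    except json.JSONDecodeError as exc:
        return None, [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
```

Run `lint_policy` over a policy before attaching it; an empty list means none of the checked patterns are present, not that the policy is otherwise least-privilege.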
    