So I'm having issues with AWS's IAM policies. I essentialy have a "management" compartment for multiple things. I want to be able to restrict user access to everything, filtered on VPC. So a user can only do things in the VPC that is assigned to their policy.
My IAM policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1549549655017",
"Action": "*",
"Effect": "Deny",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceVpc": "vpc-########"
}
}
}
]
}
I apply this policy to a user, yet they can still start/stop ec2 instances, or add security groups for something in that VPC.
I thought it might have been because the user was admin, so I removed this and gave them access to specific, but this still allowed them access.
Suggestions?
The aws:SourceVpc condition is only available for services that support traffic over a VPC endpoint. A call to the EC2 service does not support VPC endpoints so this condition will not apply. Refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html for conditions that may be applied to the various ec2 actions and resources.
I am not sure what the use case for this is -- but I would humbly suggest that a VPC is not the correct solution for isolating management concerns. You should have that in separate account so that your blast radius from user error is limited to one concern i.e management or user-application not both.
Try replacing this code in the condition section. It should work
"StringEquals": {
"ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"
}
Here the in the other section you can specify all the api’s that you require access to. This will make sure that you can access those api’s within the vpc.
Related
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Resource": "*",
"Action": [
"cloudwatch:Describe*",
"cloudwatch:Get*",
"ec2:DescribeInstances",
"ec2:DescribeVolumes"
]
}
]
}
I have defined above policy , able to see ec2 instances but not able to see volumes. It's showing message like:
An error occurred fetching Volume information
Requests made by the web console don't have a one-to-one mapping to the actual EC2 actions. Instead, they are proxied through some AWS internal APIs that don't have public documentations. Therefore, I would recommend using ec2:Describe* and save your a some time. If you really want to spend the time tweaking it and set the least privilege, you can either open a support ticket or try every ec2:Describe* action. Do note that since this is not documented publicly, this is not future-proof. In other words, if AWS decides to change the UI again in the future, your current permission setting may not work.
I have a Laravel app running on an ec2 instance inside a VPC. Now I want to connect to an SQS from the app. Using programmatic access seems to work but I want to use the SQS endpoint, without having to use the key and the secret.
Technically speaking this should be possible with the AWS resources being linked together. Any idea how to set this up in Laravel?
Sounds like you need to use an IAM role (basically a set of policies) which you attach to your EC2 instance. The policies you include would have a section for access to your SQS queue (or at least certain actions on it in SQS). This effectively allows temporary credentials to be given to the instance without having to have them in code.
The role might look something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes"
...<any other actions>
],
"Resource": <SQS Queue ARN>
}
]
}
You attach this role to your EC2 instance in the EC2 console - select instance, go to Instance Settings > Attach/Replace IAM Role
I am performing some tests with EC2, and I want to limit the permissions to an already running instance, to only describe other instances (for example, if it requests the creation of a new one, that request should be denied).
I created an IAM Role with the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:DescribeKeyPairs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeAvailabilityZones",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances"
],
"Resource": "*"
}
]
}
This theoretically should prevent me from creating new instances when I am logged on the already running instance, but it does not (I am using boto library for the test, with ec2.run_instances()).
Any help would be much appreciated.
The policy attached to an IAM Instance Role only affects requests made using the instance role credentials. It doesn't have any impact on requests made using other credentials (such as the access key id and secret of an IAM user), even though the requests come from code running on the instance.
In the case, here, where unexpected privileges are available, the likely explanation is that another set of credentials is stored on the instance, and the code is using those without the developer realizing it.
This is perhaps a good illustration of one reason why it's considered a best practice to only use role credentials in code running on EC2, and not store other credentials on the instance.
First and foremost, I am aware of IAM roles and know that they would provide this feature. However, I have a requirement for a key attached to a IAM user.
Is there a way to limit access to resources from within EC2 instances (only allow if the origin of the request matches ec2 instances).
For example:
Using credentials from developer's laptop: denied
Using credentials from EC2 instance: allowed
We want to make sure that if these keys ever get leaked for whatever reason, no one will be able to control resources from outside our AWS environment.
Thanks
It's possible, but the level of granularity you want may result in more IAM management than you desire. It's possible to add conditions to IAM statements that restrict based on IP address, so you can create a statement like the one below that lists the IPs of your instances:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {"NotIpAddress": {"aws:SourceIp": [
"192.0.2.0/24",
"203.0.113.0/24"
]}}
}
}
However unless you use Elastic IPs for all your instances then their IPs can change over time, so you'd need some way of keeping these IAM statements properly updated.
How can I start an EC2 instance by user A.
and the started instance by user A is unable to be seen by user B.
Can I do this with IAM?
I tried this set:
{
"Statement": [
{
"Sid": "Stmt1341824399883",
"Action": [
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances"
],
"Effect": "Deny",
"Resource": [
"*"
]
}
]
}
but it hides everything including the instances started by user A
Unfortunately there are no Amazon Resource Names(ARNs) for Amazon EC2: you can't write a policy that applies only to certain EC2 instances.
If you require isolation between the two, the only way I know of is to create a separate AWS account. You can use consolidated billing so that billing is aggregated with your other account, and you can share some things like EBS snapshots between accounts. Most things however can't be shared between accounts.