Today I would like to share an IAM policy that controls what users can do when they create EC2 instances. I use it to hand out IAM user access to my lab, "Thingyan AWS Lab", for our people in Myanmar.
Most of them are creating an EC2 instance for the first time, so I want them to stay within the free tier only. To do that I use the following IAM policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "s3:*",
                "cloudfront:*",
                "cloudwatch:*",
                "elasticloadbalancing:*",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "ap-southeast-1"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringNotLike": {
                    "ec2:InstanceType": [
                        "t2.micro"
                    ]
                }
            }
        }
    ]
}
The first statement allows EC2, S3, CloudFront, CloudWatch and Elastic Load Balancing (plus iam:CreateServiceLinkedRole, which some of these services need in order to create their service-linked roles), but only when the request targets one specific AWS Region, ap-southeast-1 (Singapore). I want users to create resources in the Singapore Region only. One caveat: CloudFront and IAM are global services, and AWS sets aws:RequestedRegion to us-east-1 for calls to them, so the Region condition blocks those two entries as written; if your users really need them, move them into a separate Allow statement without the Region condition.
{
    "Effect": "Allow",
    "Action": [
        "ec2:*",
        "s3:*",
        "cloudfront:*",
        "cloudwatch:*",
        "elasticloadbalancing:*",
        "iam:CreateServiceLinkedRole"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:RequestedRegion": "ap-southeast-1"
        }
    }
},
The second statement makes sure only t2.micro instances can be launched: whenever the requested instance type is not like t2.micro, every EC2 action is denied, and an explicit Deny always wins over the Allow in the first statement. The ForAnyValue: qualifier matters here. A plain StringNotLike evaluates to true when the request carries no ec2:InstanceType key at all (for example ec2:DescribeInstances), which would deny almost every EC2 action; with ForAnyValue a missing key evaluates to false, so only requests that actually name a different instance type are denied. That is all; please check the following steps.
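As an added example (not part of the original post), here is a small Python model of how these two statements get evaluated. It builds the policy from parameters, so it generalises the page's single Region and single instance type to lists, and runs a simplified evaluator over constructed sample requests: explicit Deny wins, StringEquals and StringNotLike with IAM's * and ? wildcards, the missing-key behaviour of the ForAnyValue qualifier, and the global-service mapping of aws:RequestedRegion to us-east-1. The evaluator, the sample requests and the GLOBAL_SERVICE_REGION table are my assumptions for illustration; use the real IAM policy simulator before trusting a policy in an account.

```python
"""Offline model of the two IAM statements above.

Added example, not from the original post. build_policy() generalises the
page's policy to a list of instance types and any Region; evaluate() applies
a deliberately simplified IAM evaluation (only the operators this policy
uses). It is a teaching model, not the AWS policy engine.
"""
import fnmatch
import json

# Assumption for this example: AWS reports us-east-1 in aws:RequestedRegion
# for calls to these global services, whatever Region the caller selected.
GLOBAL_SERVICE_REGION = {"cloudfront": "us-east-1", "iam": "us-east-1"}


def build_policy(region, instance_types, any_value_qualifier=True):
    """Return the lab policy as a dict for the given Region and instance types.

    any_value_qualifier=False reproduces the broken variant (plain StringNotLike)
    so its effect on requests without an ec2:InstanceType key can be seen.
    """
    op = ("ForAnyValue:" if any_value_qualifier else "") + "StringNotLike"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["ec2:*", "s3:*", "cloudfront:*", "cloudwatch:*",
                           "elasticloadbalancing:*", "iam:CreateServiceLinkedRole"],
                "Resource": "*",
                "Condition": {"StringEquals": {"aws:RequestedRegion": region}},
            },
            {
                "Effect": "Deny",
                "Action": "ec2:*",
                "Resource": "*",
                "Condition": {op: {"ec2:InstanceType": list(instance_types)}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _string_op(op, patterns, actual):
    """StringEquals / StringNotLike for one context value (IAM wildcards * and ?)."""
    if op == "StringEquals":
        return actual in patterns
    if op == "StringNotLike":
        return not any(fnmatch.fnmatchcase(actual, p) for p in patterns)
    raise ValueError("operator not modelled: " + op)


def condition_holds(condition, context):
    """True when every key in the Condition block matches the request context."""
    for qualified_op, pairs in condition.items():
        qualifier, _, op = qualified_op.rpartition(":")
        for key, expected in pairs.items():
            patterns = _as_list(expected)
            if key not in context:
                # Missing key: ForAnyValue -> false; ForAllValues and plain
                # negated operators (StringNot...) -> true; other plain ops -> false.
                if qualifier == "ForAnyValue":
                    return False
                if qualifier == "ForAllValues" or "Not" in op:
                    continue
                return False
            results = [_string_op(op, patterns, v) for v in _as_list(context[key])]
            if not (all(results) if qualifier == "ForAllValues" else any(results)):
                return False
    return True


def evaluate(policy, action, context):
    """Return 'Allow' or 'Deny'; no matching Allow is an implicit Deny."""
    service = action.split(":", 1)[0]
    context = dict(context)
    if service in GLOBAL_SERVICE_REGION:
        context["aws:RequestedRegion"] = GLOBAL_SERVICE_REGION[service]
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny beats every Allow
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    sg = "ap-southeast-1"
    policy = build_policy(sg, ["t2.micro"])
    print(json.dumps(policy, indent=2))
    # Constructed sample requests (action, request context), not real CloudTrail data.
    samples = [
        ("ec2:RunInstances", {"aws:RequestedRegion": sg, "ec2:InstanceType": "t2.micro"}),
        ("ec2:RunInstances", {"aws:RequestedRegion": sg, "ec2:InstanceType": "t3.large"}),
        ("ec2:RunInstances", {"aws:RequestedRegion": "us-east-1", "ec2:InstanceType": "t2.micro"}),
        ("ec2:DescribeInstances", {"aws:RequestedRegion": sg}),
        ("s3:CreateBucket", {"aws:RequestedRegion": sg}),
        ("cloudfront:CreateDistribution", {"aws:RequestedRegion": sg}),
    ]
    for action, ctx in samples:
        print(f"{action:30} {ctx['aws:RequestedRegion']:15} "
              f"{ctx.get('ec2:InstanceType', '-'):10} -> {evaluate(policy, action, ctx)}")
    loose = build_policy(sg, ["t2.micro"], any_value_qualifier=False)
    print("without ForAnyValue, ec2:DescribeInstances ->",
          evaluate(loose, "ec2:DescribeInstances", {"aws:RequestedRegion": sg}))
```

The dict that build_policy returns can be dumped to a file and passed to aws iam create-policy --policy-document file://policy.json instead of pasting it into the console, which keeps the policy in version control alongside the list of allowed instance types.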
The first step is creating the IAM policy.
Go to the IAM Policies page.
Click on Create policy; I will create a custom policy with JSON.
Paste the policy JSON above into the editor and click Next: Tags.
If you want to add tags, you can add them here; if not, click Next: Review.
Add the policy name and description and check the policy summary.
If everything looks fine, go ahead and create the policy.
After creating the policy, you have to create an IAM user group.
Click on Create group, add the IAM users and attach the policy you created before.
After everything is complete, your IAM users can only access those services within the specific AWS Region (ap-southeast-1), and can only launch t2.micro instances.