
We are just starting our AWS presence. We require multiple VPCs, each hosting our own servers or customers' servers. Each VPC has 4 subnets - 2 public, 2 private, each in a different AZ. Each VPC has 7 or more EC2 instances.

We manage this through the AWS web console. However, even with 2 VPCs each developer can see all the EC2 instances and all the subnets and it is becoming a bit of a mess. Ideally, we would like to use IAM to restrict visibility of the VPC, but I can't find the ARN of a VPC. Does this exist?

Or should we create a separate AWS account for each VPC to keep things separate? But then how do you manage the users?

psiphi75

2 Answers


At the moment it doesn't look like VPC supports ARN records. So:

Don't think about this in terms of granting access to a specific VPC. Instead, use instance tags and grant access via IAM groups to instances tagged with a certain string.

Additionally, you really ought to use Cloudformation to create and manage your VPCs. Doing so makes all the difference in the world when it comes to repeatability and maintainability.

EEAA
  • Thanks. I have tried adding the following to the IAM policy, but it appears to have no effect, I can still see all instances: "Condition": { "StringEquals": { "ec2:ResourceTag/mykey": "test" } } – psiphi75 Nov 20 '13 at 02:01
  • 1
    @psiphi75 Are you specifying the version in your policy? You must do this in order for AWS to evaluate the resource tag criteria properly. See the example here: http://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/Resource-level-Permissions-for-EC2-Controlling-Management-Access-on-Specific-Ins – EEAA Nov 20 '13 at 02:18
  • 1
    thanks for your answer, but it appears you can't restrict visibility of ec2 resources based on a tag. Follow this link: http://stackoverflow.com/questions/18643555/how-to-hide-instances-in-ec2-based-on-tag-using-iam – psiphi75 Nov 20 '13 at 03:11
  • In the end we went for one account for Prod and one for Dev/Test. Then multiple VPCs per account and use of tags to distinguish resources. It is not an ideal solution, but the best that meets our needs. – psiphi75 Dec 02 '13 at 04:50
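The comment thread above boils down to two pitfalls: a tag condition does nothing without the 2012-10-17 Version element, and it never applies to Describe calls, which is why instances cannot be hidden. This added example (not code from the thread) shows a policy written with both points in mind and a small linter that flags either mistake; the region, account id and the mykey=test tag are placeholders.

```python
"""Lint an IAM policy for the two pitfalls raised in the comments above.

Added example, not from the thread. POLICY is the tag-based approach with the
Version element present and the tag condition applied only to actions that
honour it; region, account id and tag key/value are placeholders.
"""
import fnmatch

# EC2 actions that accept an ec2:ResourceTag condition. Describe* calls are
# absent on purpose: they do not support resource-level permissions, so a tag
# condition cannot hide instances from the console (see the thread above).
TAG_SCOPABLE = ["ec2:RebootInstances", "ec2:StartInstances",
                "ec2:StopInstances", "ec2:TerminateInstances"]

POLICY = {
    "Version": "2012-10-17",  # without this the condition keys are ignored
    "Statement": [
        # Read-only visibility is account-wide; it cannot be tag-scoped.
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        # Power actions are allowed only on instances tagged mykey=test.
        {"Effect": "Allow",
         "Action": TAG_SCOPABLE,
         "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/mykey": "test"}}},
    ],
}

# The policy the question's comment describes: a tag condition but no Version.
BROKEN = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
          "Condition": {"StringEquals": {"ec2:ResourceTag/mykey": "test"}}}]}


def lint_policy(policy):
    """Return the reasons a tag condition in this policy would silently fail."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("missing Version 2012-10-17: condition keys are not evaluated")
    for i, stmt in enumerate(policy.get("Statement", [])):
        condition = stmt.get("Condition", {})
        if not any(k.startswith("ec2:ResourceTag/")
                   for op in condition.values() for k in op):
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:  # action may be a wildcard such as ec2:*
            if fnmatch.fnmatch("ec2:DescribeInstances", action):
                problems.append(f"statement {i}: {action} covers DescribeInstances, "
                                "which ignores ec2:ResourceTag")
    return problems
```

Running `lint_policy(POLICY)` returns an empty list, while `lint_policy(BROKEN)` reports both the missing Version and the Describe coverage.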

AWS has a new feature to use tags to restrict IAM roles. For instance, you could set a set of servers with the tag "database" or "production" and keep users from doing anything with just that set of EC2 instances.

I'm not sure if you can prevent them from seeing them altogether. There's a deeper StackOverflow discussion here about that and you can use something like Userify to manage SSH access on the boxes themselves.

fatal_error