I need to share an education grant with a bunch of students. I've read up on IAM, but I can't figure out how to configure the group so that students can launch and control instances/security groups without allowing them to mess up my personal work.

I've got this configuration, which I read as "allow anything if the instance is not tagged False for Student".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1385328762000",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "ec2:ResourceTag/Student": "False"
        }
      }
    }
  ]
}

This seems to do nothing based on the tag 'Student'. I've also tried two policies, one being an allow-all on EC2 and one being a deny-all if the tag Student is False, as shown below. This allows me to be the one who needs to remember to tag my stuff, and students can do whatever. Again, it does not seem to matter: the student accounts I test with can see anything they want; the allow-all policy supersedes the deny-if-tagged policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1385328762000",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt138235328000",
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Student": "False"
        }
      }
    }
  ]
}
Hamy
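To make the behaviour described in the question reproducible, here is an added example (not code from the original post) that models the two parts of IAM policy evaluation that matter for these policies: how StringEquals and StringNotEquals treat a condition key that is absent from the request, and how an explicit Deny beats an Allow. The model is deliberately simplified: it ignores Resource ARNs and every operator except those two. The set TAG_AWARE_ACTIONS is an assumption chosen to mirror AWS's documented behaviour, namely that actions operating on a specific instance carry ec2:ResourceTag/<key> in the request context while ec2:Describe* calls do not support resource-level permissions at all, so no tag condition can restrict what students can list. The three policy sets are the question's two attempts plus a fail-closed variant added here for comparison.

```python
from fnmatch import fnmatchcase

# Which EC2 actions put ec2:ResourceTag/* into the request context. This is a
# modelling assumption, chosen to mirror AWS's documented behaviour: actions
# that operate on a specific instance do, ec2:Describe* calls do not.
TAG_AWARE_ACTIONS = {
    "ec2:StartInstances", "ec2:StopInstances",
    "ec2:RebootInstances", "ec2:TerminateInstances",
}

def request_context(action, resource_tags):
    """Build the condition-key context IAM would see for this request."""
    if action not in TAG_AWARE_ACTIONS:
        return {}
    return {f"ec2:ResourceTag/{k}": v for k, v in resource_tags.items()}

def condition_matches(condition, ctx):
    """Evaluate a Condition block: operators AND'd, keys AND'd, values OR'd."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if op == "StringEquals":
                # Missing key -> operator is false, so a Deny keyed on a tag
                # never fires for a Describe* call.
                if actual is None or actual not in values:
                    return False
            elif op == "StringNotEquals":
                # Negated operator: a missing key makes it TRUE, so an Allow
                # guarded only by StringNotEquals still allows untagged resources.
                if actual is not None and actual in values:
                    return False
            else:
                raise ValueError(f"unsupported operator {op}")
    return True

def evaluate(policies, action, resource_tags):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request."""
    ctx = request_context(action, resource_tags)
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if not any(fnmatchcase(action, p) for p in patterns):
                continue
            if not condition_matches(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny always wins
            decision = "Allow"
    return decision

# The question's first policy: Allow ec2:* unless the resource is tagged Student=False.
ALLOW_UNLESS_FALSE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
    "Condition": {"StringNotEquals": {"ec2:ResourceTag/Student": "False"}}}]}

# The question's second attempt: unconditional Allow plus a Deny keyed on the tag.
ALLOW_ALL = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
DENY_IF_FALSE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "ec2:*", "Resource": "*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/Student": "False"}}}]}

# Fail-closed alternative (added here, not from the page): students may list
# anything, but may only act on instances explicitly tagged Student=True.
ALLOW_ONLY_TAGGED_TRUE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": sorted(TAG_AWARE_ACTIONS), "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Student": "True"}}}]}

# Constructed sample resources: the grant holder's tagged instance, an
# instance nobody remembered to tag, and a student's instance.
OWNER = {"Student": "False"}
UNTAGGED = {}
STUDENT = {"Student": "True"}

def run_scenarios():
    """Evaluate a few requests against each policy set; returns a nested dict."""
    sets = {"allow_unless_false": [ALLOW_UNLESS_FALSE],
            "allow_all_plus_deny": [ALLOW_ALL, DENY_IF_FALSE],
            "allow_only_tagged_true": [ALLOW_ONLY_TAGGED_TRUE]}
    results = {}
    for name, policies in sets.items():
        results[name] = {
            "describe_owner": evaluate(policies, "ec2:DescribeInstances", OWNER),
            "stop_owner": evaluate(policies, "ec2:StopInstances", OWNER),
            "stop_untagged": evaluate(policies, "ec2:StopInstances", UNTAGGED),
            "stop_student": evaluate(policies, "ec2:StopInstances", STUDENT),
        }
    return results

if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(name, r)
```

Two things fall out of the model. First, both of the question's policy sets do block StopInstances on an instance tagged Student=False, but neither touches DescribeInstances, so students seeing everything is expected rather than a sign the tag condition is ignored. Second, both sets allow actions on any untagged instance: the StringNotEquals Allow is satisfied by a missing key, and the StringEquals Deny is not triggered by one. The fail-closed variant inverts that by granting mutating actions only when the tag is present and equal to True, so a forgotten tag means no access rather than full access. The model leaves out tag-on-create (for launching, ec2:RunInstances would also need an aws:RequestTag condition and an accompanying ec2:CreateTags grant), which is why it only exercises actions on existing instances.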

1 Answer

Create a second account for your students to use that is separated from your own work. Use consolidated billing to have both accounts handled by the same bill.

Matt Houser

Comment: as in totally bypass the IAM stuff? (I'm fine with that as a solution if it works, I'm just ensuring that I understand what you are saying) – Hamy Nov 27 '13 at 01:05