
What I am trying to do is create a Group for an external team that requires access to their CloudFormation stack, which is in our account. I would like to set restrictions on their group so that they may only view and edit their own website without viewing the rest of the sites on my team's account.

I have a test policy that should have allowed the user to view only a specific EC2 instance (the example is below), but when I log in as the restricted group I get a message that reads "An error occurred fetching instance data: You are not authorized to perform this operation."

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "arn:aws:ec2:us-east-1:NUMBERS:instance/instance-ID",
      "Condition": {
        "ArnEquals": {
          "ec2:Owner": "arn:aws:ec2:us-east-1:NUMBERS:instance/instance-ID"
        }
      }
    }
  ]
}

Is there a way to set up group restrictions to certain CloudFormation stacks, including their EC2 instances, RDS and S3 Buckets?

Thanks,

Lgalan90

1 Answer

Unfortunately AWS Identity and Access Management (IAM) doesn't fully cover this particular aspect as of today, because Resource-Level Permissions for EC2 and RDS Resources are not yet available for all API actions, see e.g. this note from Amazon Resource Names for Amazon EC2:

Important Currently, not all API actions support individual ARNs; we'll add support for additional API actions and ARNs for additional Amazon EC2 resources later. For information about which ARNs you can use with which Amazon EC2 API actions, as well as supported condition keys for each ARN, see Supported Resources and Conditions for Amazon EC2 API Actions.

You will find that all ec2:Describe* actions are indeed absent still from Supported Resources and Conditions for Amazon EC2 API Actions at the time of this writing, which is causing the error you are experiencing.

  • See my initial answer to How to restrict a user to a specific instance volume in AWS using IAM policy for an example of how to split your IAM policy into the parts that do and do not support resource-level permissions to avoid this error as such (obviously this wouldn't prevent users from seeing all of your account though).

See also Granting IAM Users Required Permissions for Amazon EC2 Resources for a concise summary of the above and details on the ARNs and Amazon EC2 condition keys that you can use in an IAM policy statement to grant users permission to create or modify particular Amazon EC2 resources - this page also mentions that AWS will add support for additional actions, ARNs, and condition keys in 2014.

Alternative/Workaround

Depending on the specific scenario, it might be easier to just provision a separate AWS account, which can be integrated with yours IAM policy-wise via Cross-Account Access: Sharing Resources Between AWS Accounts and billing-wise via Consolidated Billing.

Steffen Opel
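The split described in the answer, as an added example that is not part of the original question or answer: a policy that grants ec2:Describe* on Resource "*" (since those actions do not support resource-level permissions) next to a statement scoped to one instance ARN, plus a deliberately simplified matcher that shows why the single-ARN policy from the question never matches a Describe call. The account id and instance id are constructed placeholders, and the matcher is an approximation of IAM evaluation (no Condition handling, case-sensitive action matching), not AWS's engine.

```python
import fnmatch
import json

# Constructed placeholders: not a real account or instance.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"

# The question's approach: every ec2 action scoped to one instance ARN.
SINGLE_ARN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": INSTANCE_ARN}],
}

# The split approach: Describe* needs Resource "*" because it has no
# resource-level support; mutating actions stay pinned to the one instance.
SPLIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
            "Resource": INSTANCE_ARN,
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM-style evaluation: an explicit Deny wins, any matching
    Allow grants, otherwise the request is implicitly denied.
    Calls to actions without resource-level support (e.g. Describe*) are
    evaluated against the resource "*", which a concrete ARN never matches."""
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def policy_document():
    """The JSON document you would paste into the IAM console for the split policy."""
    return json.dumps(SPLIT_POLICY, indent=2)
```

The real check belongs in AWS's IAM policy simulator; the matcher above only illustrates why the console's instance listing (a Describe call) fails under the single-ARN policy and succeeds under the split one.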