
What I'm trying to do (continuing on from a question I asked previously: How can I filter AWS Instances by IAM role in powershell and get the private ip address of that instance?) is get the private IP addresses of instances with a specific IAM Role. And I've got code that works perfectly:

# Server-side filter on the instance-profile ARN, a supported DescribeInstances filter key
$filter = New-Object Amazon.EC2.Model.Filter -Property @{Name = "iam-instance-profile.arn"; Value = "arn:aws:iam::123456789012:instance-profile/TestRole"}
# Get-EC2Instance returns reservations; each reservation holds one or more instances
$ec2 = @(Get-EC2Instance -Filter $filter)
$ec2instances = $ec2.instances
$ipaddress = $ec2instances.privateipaddress

However, now instead of doing the filter in the code, I'd like to create an IAM Policy that restricts the user to only be able to get information on the instances that have a specific IAM Role. So if they try to get-ec2instance (for example), it should only return information on the relevant instances and not all instances in the account.

This is my IAM Policy that I have:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ],
            "Condition": {
                "ArnEquals": {
                    "ec2:InstanceProfile": "arn:aws:iam::12356789102:instance-profile/TestRole"
                }
            }
        }
    ]
}

However when I run get-ec2instance on Powershell, I am told that I'm not authorised to perform that action. I think that might be because get-ec2instance is only applicable to all instances but I'm not sure.

I would appreciate the help, thanks!


2 Answers


There is no option so far wherein you can restrict an IAM user to seeing a specific EC2 instance.

There is only one API call, ec2-describe-instances, which means one needs to have the permission on all instances or none.


The reason for the issue is that get-ec2instance is trying to describe all of your instances, including instances that don't have the appropriate role assigned to them.

When talking about describing EC2 instances or listing S3 buckets, you should be able to list everything, otherwise you receive a 403 error.

I could suggest you restrict your access with IAM for security purposes only and continue filtering your instances using the code itself.

Please let me know if it works for you.

P. S. You may have gone the wrong way when you decided to use IAM roles in order to organize your access. AWS provides a feature called "Resource tagging". The direct purpose of it is to organize your resources and apply permissions based on that structure. More information here: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html#iam-policy-example-ec2-tag-permissions

  • I had a look at the link you put here but just a question: `get-ec2instance` wouldn't be the ideal command here since that would be requesting to see all instances. Is there another similar command that I could use which would return properties of the instances (with IAM role) or even just the private IP addresses of those instances (with IAM role)? – carol Alex Feb 07 '16 at 22:39
  • Following what you said about resource tagging and from this website: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html#UsingWithEC2_Actions I tried to put `arn:aws:iam::12356789102:instance-profile/TestRole` in the `Resource` section of the IAM policy. It still does not work, but is there a way to go from there? – carol Alex Feb 07 '16 at 23:01
  • So I read through a bunch of documents and understood that `ec2:DescribeInstances` can't be filtered because that function is not supported. I've decided to stick with my original code of getting all instances and filtering through them! Thanks for the suggestions though :) – carol Alex Feb 08 '16 at 00:07
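As an added example (not code from the question or either answer), this PowerShell function does the filtering on the client after a broad `Get-EC2Instance`, which is what the all-or-nothing `ec2:DescribeInstances` permission forces, matching on the instance-profile ARN and optionally on a tag as the answer's tagging suggestion implies. The function name and the sample instance objects are assumptions: the objects are constructed stand-ins that carry the same property names as Amazon.EC2.Model.Instance.

```powershell
# Added example, not from the question or the answers: client-side filtering of
# instances by instance-profile ARN and, optionally, by a required tag.
function Get-PrivateIpsForInstanceProfile {
    param(
        [Parameter(Mandatory)] [object[]] $Instances,          # e.g. (Get-EC2Instance).Instances
        [Parameter(Mandatory)] [string]   $InstanceProfileArn,
        [string] $RequiredTagKey,                               # optional tag gate
        [string] $RequiredTagValue
    )
    foreach ($i in $Instances) {
        # Instances launched without a profile carry a null IamInstanceProfile; skip them
        # instead of failing on the .Arn lookup. ARNs are case-sensitive, so compare with -cne.
        if ($null -eq $i.IamInstanceProfile -or $i.IamInstanceProfile.Arn -cne $InstanceProfileArn) { continue }
        if ($RequiredTagKey) {
            $tag = @($i.Tags | Where-Object { $_.Key -ceq $RequiredTagKey })
            if ($tag.Count -eq 0 -or $tag[0].Value -cne $RequiredTagValue) { continue }
        }
        $i.PrivateIpAddress
    }
}

# Constructed sample objects with the property names Amazon.EC2.Model.Instance exposes;
# in real use replace $sample with (Get-EC2Instance).Instances.
$profileArn = 'arn:aws:iam::123456789012:instance-profile/TestRole'
$sample = @(
    [pscustomobject]@{ InstanceId = 'i-aaa'; PrivateIpAddress = '10.0.1.10'
                       IamInstanceProfile = [pscustomobject]@{ Arn = $profileArn }
                       Tags = @([pscustomobject]@{ Key = 'Env'; Value = 'prod' }) }
    [pscustomobject]@{ InstanceId = 'i-bbb'; PrivateIpAddress = '10.0.1.11'
                       IamInstanceProfile = [pscustomobject]@{ Arn = $profileArn }
                       Tags = @([pscustomobject]@{ Key = 'Env'; Value = 'dev' }) }
    [pscustomobject]@{ InstanceId = 'i-ccc'; PrivateIpAddress = '10.0.1.12'
                       IamInstanceProfile = [pscustomobject]@{ Arn = 'arn:aws:iam::123456789012:instance-profile/OtherRole' }
                       Tags = @() }
    [pscustomobject]@{ InstanceId = 'i-ddd'; PrivateIpAddress = '10.0.1.13'
                       IamInstanceProfile = $null; Tags = $null }   # launched with no profile at all
)

# Every instance under TestRole, regardless of tags
$all  = @(Get-PrivateIpsForInstanceProfile -Instances $sample -InstanceProfileArn $profileArn)
# Only the TestRole instances that also carry Env=prod
$prod = @(Get-PrivateIpsForInstanceProfile -Instances $sample -InstanceProfileArn $profileArn -RequiredTagKey 'Env' -RequiredTagValue 'prod')
"TestRole: $($all -join ', ')"
"TestRole/prod: $($prod -join ', ')"
```

The caller still needs `ec2:DescribeInstances` on `"*"`; the tag gate only narrows what the script reports, not what the API lets the credentials see.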