
We have a few users that basically have access to everything using the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Is there a way to restrict access to selected VPCs?

I have tried creating the following policy and attaching it to the user (via a group):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1504660000000",
            "Effect": "Deny",
            "Action": [
                "ec2:*"
            ],
            "Resource": [
                "arn:aws:ec2:<REGION>:<ACCOUNT-ID>:vpc/<VPC-ID>"
            ]
        }
    ]
}

I have replaced <REGION>, <ACCOUNT-ID> and <VPC-ID>.

The policy simulator denies access (StartInstances, StopInstances, etc.) correctly. Nevertheless, a user with this policy attached can still create EC2 instances within the VPC.

  1. Why does my policy not deny access to the VPC? As far as I know "Deny" overwrites "Allow".

  2. What is the correct way of achieving this? I have read through this and this but don't understand how it would restrict access.

kev
  • Take a look at the documented resources supported for `RunInstances`. I don't see VPC there in places where it should matter: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html – Michael - sqlbot Sep 06 '17 at 04:45
  • Can you be more precise? Would I be able to use a subnet? `ec2:Vpc` is listed in the _Condition Keys_ column. – kev Sep 06 '17 at 04:58

2 Answers

It's a tricky one. You have to refer to and include all actions and resources that support the ec2:Vpc condition and deny those API actions. For other actions, you have to find conditions that are common to those API actions, include them in separate statement blocks, and deny them by other means, e.g. using tags or something else.

Also, as the users have AdministratorAccess, you have to make sure that the users cannot detach this Deny policy and escalate their privileges.

For other services that use VPCs, e.g. RDS, it is not possible.

[1] http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html

sudo

Here, you don't want to give permission to EC2 inside one VPC. So, you should consider the VPC as a condition and EC2 as the resource.

Look at the code below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "arn:aws:ec2:region:account:subnet/*",
            "Condition": {
                "StringEquals": {
                    "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"
                }
            }
        }
    ]
}

Explanation: here we are denying the permissions to EC2 resources that are under a specific VPC. I have added subnet as the EC2 resource; it is optional. You may add it if required.

Arora20
  • ty, that indeed prevents the user from creating a new instance, but unfortunately he is still able to shut down and terminate instances. – kev Sep 06 '17 at 07:09
  • When we mention `ec2:*`, how will it enable terminate and shutdown permission? – Arora20 Sep 06 '17 at 08:05
  • I want users to *not* be able to do *anything* in that VPC. – kev Sep 06 '17 at 08:08
  • @kev You mean All the resources. Not only EC2? – Arora20 Sep 06 '17 at 08:31
  • I mean all resources - not matter what - within that VPC. – kev Sep 06 '17 at 08:32
  • 1
    StopInstances , RebootInstances and TerminateInstances does not support "ec2:Vpc" condition (and can only accept instance ids as resource). So the condition block does not work here. – sudo Sep 06 '17 at 21:32