2

I need to restrict a specific user role from performing any EC2 instance actions in public subnets across any VPC. Is there a way to achieve this by leveraging subnet tags? I know how to use EC2 Resource Tags to control access to EC2 resources like in the code snippet below but in my case I need to base it off vpc or subnet tags. Is there something like a vpc:ResourceTag condition I could leverage?

{
    "Effect": "Allow",
    "Action": "ec2:*",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "ec2:ResourceTag/UserName": "${aws:username}"
        }
    }
}

gbaz

2 Answers

0

I'm not sure what you mean by "subnet tags" but it doesn't appear that you can use IAM to restrict based on subnet type (i.e. public vs private). This makes sense since you can easily change a subnet type by adding or removing routes.

If you need to prevent some users from performing actions on some EC2 instances, use tags on the EC2 instances, and use allow or deny rules based on the tags. From the blog announcing this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/critical": "true"
        }
      },
      "Resource": [
        "arn:aws:ec2:your_region:your_account_ID:instance/*"
      ],
      "Effect": "Deny"
    }
  ]
}

To make this a bit more secure, make sure to deny the ability to edit or remove tags!

chris
  • I need to restrict certain user groups from being able to create EC2 instances in public subnets. Currently, all subnets get a name tag that would indicate if the subnet is public or private as follows: subnet-CIDR-REGION-Type (ex. 10.0.4.0-ap-southeast-2-Public) – gbaz Nov 11 '17 at 11:22
  • You can replace the StringEquals with StringLike, change the "critical" to the name of your tag, and use a value that ends with public. If you are naming the tag subnet-CIDR-Region-type, rather than the value, then this will not work. – chris Nov 11 '17 at 19:43
0

@Chris Thank you for the tip, it worked out for me: I used the statement below and was not able to launch an instance into my labeled public subnets.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Name": "*public*"
                }
            },
            "Action": [
                "ec2:Run*",
                "ec2:Terminate*",
                "ec2:Cancel*",
                "ec2:Create*",
                "ec2:Delete*",
                "ec2:Modify*",
                "ec2:Start*",
                "ec2:Stop*"
            ],
            "Resource": "arn:aws:ec2:ap-southeast-2:106625493890:subnet/*",
            "Effect": "Deny",
            "Sid": "DenyInstanceActionsForPublicSubnets"
        }
    ]
}
gbaz