
How can I restrict the user from connecting to my Linux instance using EC2 Instance Connect?

I have tried to set a policy and attach it to users so they can connect to my newly created Amazon Linux 2 instance using EC2 Instance Connect:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ec2-instance-connect:SendSSHPublicKey",
            "Resource": "arn:aws:ec2:eu-west-2:111122223333:instance/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2-instance-connect:SendSSHPublicKey",
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Owner": "Bob"
                }
            }
        }
    ]
}

But it doesn't seem to work.

Presently the newly created instance can be accessed by everyone.

So, I want to set a policy on that particular instance so that only the specified IAM users can access it and others cannot.

Is there a way to achieve this?

John Rotenstein
sony
  • You are attaching the given IAM policy to a user aren't you? Then you can restrict access to the attached user only. If you want to exclude all users (which are already granted access), you must use another IAM construct such as SCPs (if you use AWS organizations). – Martin Löper Jul 12 '19 at 10:19

1 Answer

Your Deny policy is overriding your Allow policy.

Your statements are saying:

  • Do not allow this user to use EC2 Instance Connect on any instance
  • Allow this user to use EC2 Instance Connect on any instance with the given tag

However, Deny always beats Allow.

You could simply remove your Deny policy. This would grant permission for EC2 Instance Connect only to the tagged instances (assuming that the user has not also been given permission elsewhere).

John Rotenstein
  • The OP is using regions to differentiate between the Allow and the Deny... one is eu-west-1, the other us-east-1. – gurpsone Jun 19 '21 at 14:41
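A small simulator of the evaluation rule the answer relies on (explicit Deny beats Allow, no matching statement is an implicit deny), run over the policy from the question. This is an added example, not code from the answer or from AWS; it models only StringEquals conditions and resource wildcards, and the instance ids in the checks are constructed.

```python
import fnmatch

# Constructed copy of the policy posted in the question.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Action": "ec2-instance-connect:SendSSHPublicKey",
         "Resource": "arn:aws:ec2:eu-west-2:111122223333:instance/*"},
        {"Effect": "Allow",
         "Action": ["ec2-instance-connect:SendSSHPublicKey",
                    "ec2:StartInstances", "ec2:StopInstances"],
         "Resource": ["arn:aws:ec2:us-east-1:111122223333:instance/*"],
         "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": "Bob"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, ctx):
    # Only StringEquals is modelled; every key must match the request context.
    return all(ctx.get(k) == v for k, v in condition.get("StringEquals", {}).items())

def evaluate(policy, action, resource_arn, ctx=None):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request.

    Models the rule the answer relies on: a matching Deny wins over any
    matching Allow, and no matching statement at all is an implicit deny.
    Simplified: no NotAction/NotResource, action wildcards or other operators.
    """
    ctx = ctx or {}
    allowed = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"  # an explicit deny ends evaluation
        allowed = True
    return "allow" if allowed else "implicit deny"

def without_deny(policy):
    # The answer's suggestion: drop the Deny and rely on the tag-scoped Allow.
    return {**policy, "Statement": [s for s in policy["Statement"] if s["Effect"] != "Deny"]}
```

Running it shows the region split the comment above points at: a request for a Bob-tagged instance in us-east-1 is allowed, the same request in eu-west-2 hits the explicit Deny, and an untagged instance in us-east-1 is implicitly denied either way.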