
While launching an on-demand instance from AWS I'm getting the following error:

`An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation.` with an encoded authorization failure message.

But I'm unable to replicate the actual issue from the response, as the decoded JSON message has an empty failures object, although I'm able to launch a spot instance with the same IAM policy.

```json
{
  "allowed": false,
  "explicitDeny": false,
  "matchedStatements": {
    "items": []
  },
  "failures": {
    "items": []
  },
  "context": {
    "principal": {
      "id": "XXXXXXXXXXXXXXXXXXXX",
      "name": "user_name",
      "arn": "arn:aws:iam::account_id:user/user_name"
    },
    "action": "ec2:RunInstances",
    "resource": "arn:aws:ec2:us-east-1:account_id:instance/*",
    "conditions": {
      "items": [
        {
          "key": "ec2:InstanceMarketType",
          "values": {
            "items": [
              {
                "value": "on-demand"
              }
            ]
          }
        },
        {
          "key": "aws:Resource",
          "values": {
            "items": [
              {
                "value": "instance/*"
              }
            ]
          }
        },
        {
          "key": "aws:Account",
          "values": {
            "items": [
              {
                "value": "account_id"
              }
            ]
          }
        },
        {
          "key": "ec2:AvailabilityZone",
          "values": {
            "items": [
              {
                "value": "us-east-1a"
              }
            ]
          }
        },
        {
          "key": "ec2:ebsOptimized",
          "values": {
            "items": [
              {
                "value": "false"
              }
            ]
          }
        },
        {
          "key": "ec2:IsLaunchTemplateResource",
          "values": {
            "items": [
              {
                "value": "false"
              }
            ]
          }
        },
        {
          "key": "ec2:InstanceType",
          "values": {
            "items": [
              {
                "value": "m1.medium"
              }
            ]
          }
        },
        {
          "key": "ec2:RootDeviceType",
          "values": {
            "items": [
              {
                "value": "ebs"
              }
            ]
          }
        },
        {
          "key": "aws:Region",
          "values": {
            "items": [
              {
                "value": "us-east-1"
              }
            ]
          }
        },
        {
          "key": "aws:Service",
          "values": {
            "items": [
              {
                "value": "ec2"
              }
            ]
          }
        },
        {
          "key": "ec2:InstanceID",
          "values": {
            "items": [
              {
                "value": "*"
              }
            ]
          }
        },
        {
          "key": "aws:Type",
          "values": {
            "items": [
              {
                "value": "instance"
              }
            ]
          }
        },
        {
          "key": "ec2:Tenancy",
          "values": {
            "items": [
              {
                "value": "default"
              }
            ]
          }
        },
        {
          "key": "ec2:Region",
          "values": {
            "items": [
              {
                "value": "us-east-1"
              }
            ]
          }
        },
        {
          "key": "aws:ARN",
          "values": {
            "items": [
              {
                "value": "arn:aws:ec2:us-east-1:account_id:instance/*"
              }
            ]
          }
        }
      ]
    }
  }
}
```


**Below is my IAM Policy** 

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:account_id:instance/m*,t*",
            "Condition": {
                "StringLike": {
                    "ec2:InstanceType": [
                        "m*",
                        "t*"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/ami-*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:us-east-1:account_id:instance/m*,t*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:network-interface/*"
            ],
            "Condition": {
                "StringLike": {
                    "ec2:InstanceType": [
                        "m*",
                        "t*"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "arn:aws:ec2:us-east-1:account_id:instance/*",
            "Condition": {
                "StringLike": {
                    "ec2:InstanceType": [
                        "m*",
                        "t*"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:PurchaseReservedInstancesOffering",
                "ec2:DescribeAvailabilityZones",
                "ec2:EnableEbsEncryptionByDefault",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:DescribeReservedInstances",
                "ec2:ModifyReservedInstances"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": [
                "ec2:ModifyVolumeAttribute",
                "ec2:DescribeInstances",
                "ec2:GetEbsEncryptionByDefault",
                "ec2:ExportClientVpnClientConfiguration",
                "ec2:GetHostReservationPurchasePreview",
                "ec2:DeleteVolume",
                "ec2:GetLaunchTemplateData",
                "ec2:SearchTransitGatewayRoutes",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVolumes",
                "ec2:GetEbsDefaultKmsKeyId",
                "ec2:DetachVolume",
                "ec2:ModifyVolume",
                "ec2:GetTransitGatewayAttachmentPropagations",
                "ec2:GetReservedInstancesExchangeQuote",
                "ec2:DescribeVolumeAttribute",
                "ec2:CreateVolume",
                "ec2:GetPasswordData",
                "ec2:GetTransitGatewayRouteTablePropagations",
                "ec2:AttachVolume",
                "ec2:PurchaseReservedInstancesOffering",
                "ec2:RequestSpotInstances",
                "ec2:GetCapacityReservationUsage",
                "ec2:ExportClientVpnClientCertificateRevocationList",
                "ec2:CreateSecurityGroup",
                "ec2:GetTransitGatewayRouteTableAssociations",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeTags",
                "ec2:ImportSnapshot",
                "sts:*",
                "ec2:Describe*",
                "ec2:GetConsole*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor5",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor6",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteTags",
                "ec2:CreateTags",
                "ec2:GetConsoleScreenshot"
            ],
            "Resource": "*"
        }
    ]
}
```

along with all IAM read-only permissions.

John Rotenstein
Abhishek Mishra
  • Can you show us the IAM policy that you think should grant the permission to launch the instance (but failed)? – John Rotenstein Oct 04 '19 at 01:36
  • Thanks for your response @JohnRotenstein I have added the policy above. – Abhishek Mishra Oct 04 '19 at 09:12
  • I would suggest that you debug the policy by removing bits until it works. For example, try removing the Condition for `RunInstances`. Also, this line look unusual: `arn:aws:ec2:us-east-1:account_id:instance/m*,t*` — I've never seen a comma used to provide multiple values. (It might work, I'm just saying that I've never seen it before.) Therefore, you might want to try removing that. In fact, I'm not sure what the line is meant to be doing. – John Rotenstein Oct 04 '19 at 13:03
  • Thanks, @JohnRotenstein. Let me try after doing these changes; will update you soon. – Abhishek Mishra Oct 04 '19 at 14:05
  • On removing the condition for RunInstances, it's working fine, but then how was it working for spot instances, and how can I restrict a user to launching only some particular instance type? – Abhishek Mishra Oct 04 '19 at 15:36
  • @JohnRotenstein – Abhishek Mishra Oct 04 '19 at 20:01
  • With the knowledge you now have, can you please state what you are trying to achieve? For example, it might be "Allow a specific user to launch an EC2 instance in the M or T family". That would be easier than trying to debug the existing (long) policy. – John Rotenstein Oct 04 '19 at 23:31
  • @JohnRotenstein Yes, you are correct. I'm trying to create an IAM policy that will only allow launching, starting, stopping and terminating an EC2 instance in the M family. – Abhishek Mishra Oct 05 '19 at 03:53

1 Answer

Here is a policy that grants permission to launch an instance in the M or T family:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InstanceType",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StartInstances",
                "ec2:RunInstances",
                "ec2:StopInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringLike": {
                    "ec2:InstanceType": [
                        "t*",
                        "m*"
                    ]
                }
            }
        },
        {
            "Sid": "Any",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:placement-group/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*::image/*"
            ]
        }
    ]
}
```

It is based on the example from Example Policies for Working in the Amazon EC2 Console - Amazon Elastic Compute Cloud.

After a bit of playing around, it seems that the ec2:InstanceType parameter is only relevant for the instance/* resource type.

Here's a sample CLI command that I used to test it:

```bash
aws ec2 run-instances --image-id ami-abcd1234 --security-group-id sg-abcd1234 --instance-type t2.nano
```

Please note that it does not grant permission to add tags or pass an IAM Role in the RunInstances command.

John Rotenstein
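The decoded message in the question (the `DecodedMessage` that `aws sts decode-authorization-message` returns) shows a request for the `instance/*` resource with `ec2:InstanceType` set to `m1.medium` and no matching statement at all, and the answer's key observation is that `ec2:InstanceType` is only present for the instance resource. The following is an added example, not code from the question, the answer or AWS: a small model of how IAM authorizes `ec2:RunInstances` one resource at a time, with the StringLike operator and IAM's `*`/`?` wildcards. It reproduces the empty `matchedStatements` for the question's `VisualEditor1` statement (the `instance/m*,t*` pattern does not match the `instance/*` resource, and the condition attached to the image, subnet and other resources fails because the key is absent there) and shows the answer's policy allowing `t2.nano` but not `c5.large`. The abbreviated decoded message, the shortened policies and the resource IDs such as `ami-abcd1234` and `subnet-abcd1234` are constructed from the page; treating `ec2:InstanceType` as present only for the instance resource is an assumption taken from the answer.

```python
"""Added example (not from the question, the answer or AWS): a small model of how IAM
authorizes ec2:RunInstances one resource at a time. Only what this page needs is
modelled: Allow statements, '*' and '?' wildcards in Action and Resource, and the
StringLike condition operator."""
import json
import re

# Constructed, abbreviated copy of the decoded message from the question; only the
# fields this example reads are kept.
DECODED_MESSAGE = {
    "allowed": False, "explicitDeny": False, "matchedStatements": {"items": []},
    "context": {
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:us-east-1:account_id:instance/*",
        "conditions": {"items": [
            {"key": "ec2:InstanceMarketType", "values": {"items": [{"value": "on-demand"}]}},
            {"key": "ec2:InstanceType", "values": {"items": [{"value": "m1.medium"}]}},
            {"key": "aws:Region", "values": {"items": [{"value": "us-east-1"}]}},
        ]},
    },
}

# The question's RunInstances statement (VisualEditor1), resource list shortened.
USER_POLICY = {"Statement": [{
    "Sid": "VisualEditor1", "Effect": "Allow", "Action": "ec2:RunInstances",
    "Resource": ["arn:aws:ec2:*::image/ami-*", "arn:aws:ec2:*:*:subnet/*",
                 "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:us-east-1:account_id:instance/m*,t*",
                 "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:network-interface/*"],
    "Condition": {"StringLike": {"ec2:InstanceType": ["m*", "t*"]}},
}]}

# The answer's policy, reduced to the RunInstances action.
ANSWER_POLICY = {"Statement": [
    {"Sid": "InstanceType", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringLike": {"ec2:InstanceType": ["t*", "m*"]}}},
    {"Sid": "Any", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:volume/*",
                  "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:placement-group/*",
                  "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*::image/*"]},
]}

def flatten_context(decoded):
    """Turn the nested context.conditions.items structure into {key: [values]}."""
    return {item["key"]: [v["value"] for v in item["values"]["items"]]
            for item in decoded["context"]["conditions"]["items"]}

def glob_match(pattern, value):
    """IAM-style matching: '*' is any run of characters, '?' one character, and
    everything else (including '[' and ',') is literal, unlike fnmatch."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def as_list(x):
    return x if isinstance(x, list) else [x]

def condition_holds(condition, context):
    """Only StringLike is modelled. A key missing from the request context makes the
    condition false, as IAM does for operators without the ...IfExists suffix."""
    for operator, pairs in condition.items():
        assert operator == "StringLike", "only StringLike is modelled here"
        for key, patterns in pairs.items():
            values = context.get(key, [])
            if not any(glob_match(p, v) for p in as_list(patterns) for v in values):
                return False
    return True

def matching_statements(policy, action, resource_arn, context):
    """Sids of the Allow statements whose Action, Resource and Condition all match."""
    return [s["Sid"] for s in policy["Statement"] if s["Effect"] == "Allow"
            and any(glob_match(a, action) for a in as_list(s["Action"]))
            and any(glob_match(r, resource_arn) for r in as_list(s["Resource"]))
            and condition_holds(s.get("Condition", {}), context)]

def run_instances_requests(instance_type, region="us-east-1", account="account_id"):
    """Per-resource (ARN, context) pairs for one RunInstances call. Following the
    answer, ec2:InstanceType is only in the context of the instance resource;
    the other resource IDs are constructed placeholders."""
    base = f"arn:aws:ec2:{region}:{account}"
    return [(f"{base}:instance/*", {"ec2:InstanceType": [instance_type]}),
            (f"arn:aws:ec2:{region}::image/ami-abcd1234", {}),
            (f"{base}:security-group/sg-abcd1234", {}),
            (f"{base}:subnet/subnet-abcd1234", {}),
            (f"{base}:network-interface/*", {}), (f"{base}:volume/*", {})]

def run_instances_allowed(policy, instance_type):
    """RunInstances succeeds only if every resource it touches is allowed.
    Returns (allowed, {resource_arn: [matching sids]})."""
    report = {arn: matching_statements(policy, "ec2:RunInstances", arn, ctx)
              for arn, ctx in run_instances_requests(instance_type)}
    return all(report.values()), report

if __name__ == "__main__":
    for name, policy in (("question", USER_POLICY), ("answer", ANSWER_POLICY)):
        for itype in ("m1.medium", "c5.large"):
            allowed, report = run_instances_allowed(policy, itype)
            print(f"{name} policy, {itype}: allowed={allowed}\n{json.dumps(report, indent=2)}")
```

Running it prints, per policy and instance type, which statement (if any) covers each resource ARN; the question's policy covers none of them, while the answer's policy covers the instance through `InstanceType` and everything else through `Any`. The same `matching_statements` call, fed with `flatten_context(DECODED_MESSAGE)`, is a quick offline check of why a decoded message reports an empty `matchedStatements`.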
  • Yeah! It's working. Can you tell me whether a policy is dependent on InstanceMarketType or not? I mean the condition for InstanceType should work for both spot and on-demand instances, right? – Abhishek Mishra Oct 05 '19 at 18:00
  • Yes, it looks like that value can be `spot` or `on-demand`. So, if it isn't specified, it would presumably work for both. – John Rotenstein Oct 05 '19 at 22:28
  • I tried launching the instances, but it looks like the InstanceType filter is not working for spot instances, although it's working as expected for on-demand instances. Any idea why? – Abhishek Mishra Oct 05 '19 at 22:57
  • `RequestSpotInstances` doesn't seem to support `InstanceType` as a Condition. I suspect that when they modified `RunInstances` to also support spot, some of that old configuration carried across. – John Rotenstein Oct 05 '19 at 23:16
  • Feel free to post a specific question. Somebody might be able to assist. – John Rotenstein Oct 06 '19 at 01:12