
Can someone explain why Roles were designed by AWS to have a Principal like an entire service (EC2, Lambda, etc.), i.e. without the ability to associate/restrict them to be assumable by a specific EC2 instance type or a specific Lambda function? Am I missing a key AWS design concept here?

If I want to restrict a particular role to be assumable only by t2.micro EC2 instances (and no other EC2 instance family/type), is this achievable in AWS? If this can be done, in which permissions policy would this restriction be written?

I tried adding the Condition section below to the 'Trusted Identity' policy of the role, but this does not work, i.e. other instance types (for example t2.large) are also able to perform actions, say creating a bucket (using the CLI).

"Condition": {
    "StringEquals": {
        "ec2:InstanceType": [
            "t2.micro"
        ]
    }
}
    https://blog.vizuri.com/limiting-allowed-aws-instance-type-with-iam-policy – error404 Feb 13 '20 at 15:18
    Can you tell us more about your actual end-goal? What is the use-case you are wanting to implement and _why_? (For example, are you trying to limit costs by restricting what users can do on particular instance types?) – John Rotenstein Feb 14 '20 at 00:35

1 Answer


No, it is not possible to put limitations in the Trust Policy.

If you only want certain IAM Roles to be used on particular instances, you would need to enforce that through the use of iam:PassRole. This is the permission that determines whether somebody has permission to pass a particular role to a service (such as an EC2 instance). Put simply: You can limit who is allowed to select an IAM Role and then trust that they know when to use it correctly.

John Rotenstein
  • Thanks John - this helps very much. I don't have a particular use case here but was trying to understand the scenarios where the 'Condition' section in a Trust Policy of a role could be used. Does the Trust Policy of a role only allow for limited conditions? Is it too restrictive when compared to the conditions that can be added to an identity-based policy? Your thoughts? – Abhishek Palakkal Kaliyath Feb 14 '20 at 02:23
  • I'm not sure whether Conditions can be used in Trust Policies. Sometimes it's a matter of playing around to see what's possible (eg [amazon web services - Defining two statements for the action on an IAM role - Stack Overflow](https://stackoverflow.com/questions/60041810/defining-two-statements-for-the-action-on-an-iam-role)). It can certainly limit IAM entities that can assume roles, but it wouldn't go into anything service-specific beyond what you can do in an ARN. – John Rotenstein Feb 14 '20 at 02:46
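As an added example (not part of the question, the answer, or any AWS documentation), this is the kind of identity-based policy the answer points to: it lets the launching principal run only t2.micro instances and pass only one specific role to EC2, so the role can never be attached to a t2.large at launch. The account id 123456789012 and the role name example-t2micro-role are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LaunchOnlyT2Micro",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ec2:InstanceType": "t2.micro" }
      }
    },
    {
      "Sid": "RunInstancesSupportingResources",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:key-pair/*"
      ]
    },
    {
      "Sid": "PassOnlyThisRoleToEc2",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/example-t2micro-role",
      "Condition": {
        "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" }
      }
    }
  ]
}
```

Note that this only controls who may attach the role and what they may launch; the role's own trust policy still trusts ec2.amazonaws.com as a whole, and a principal who can also call ec2:ModifyInstanceAttribute could resize a stopped t2.micro later, so that action needs its own restriction.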