AWS IAM policy to restrict access to specific ec2 instances via ec2-instance-connect

Question

I am creating a IAM policy to grant access to third party developers so that they can connect to EC2 instances in private subnet via ec2-instance-connect.

The developers should only connect to specific instances via ec2-connect. How I can implement the policy?

My policy is below:

AWSTemplateFormatVersion: 2010-09-09
Description: Template for API functionality xxxxx
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Environment basic parameters
        Parameters:
          - Env
          - AccountID
    ParameterLabels:
      Env:
        default: Environment ID
      AccountID:
        default: Account ID
Parameters:
  Env:
    Description: Unique environment.
    Type: String
    Default: lab
  AccountID:
    Description: Account ID.
    Type: String
    Default: 11113333444455
Resources:
  SiteManagementRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub 'Role-${Env}'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: default
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AccountID}:root'
            Action: 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: !Sub 'Policy-${Env}'
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: VisualEditor0
                Effect: Allow
                Action:
                  - 'ec2-instance-connect:SendSSHPublicKey'
                Resource: '*'
              - Sid: VisualEditor1
                Effect: Allow
                Action:
                  - 'ec2:DescribeImages'
                  - 'ec2:DescribeInstances'
                  - 'ec2:DescribeTags'
                  - 'ec2:DescribeInstanceAttribute'
                  - 'ec2:DescribeInstanceTypes'
                  - 'ec2:DescribeInstanceStatus'
                Resource: '*'
                # Condition:
                #   StringEquals:
                #     'ec2:ResourceTag/Env': !Sub '${Env}'
              - Sid: VisualEditor2
                Effect: Allow
                Action:
                  - 'logs:ListTagsLogGroup'
                  - 'logs:GetLogRecord'
                  - 'logs:DescribeLogGroups'
                  - 'logs:DescribeLogStreams'
                  - 'logs:StartQuery'
                  - 'logs:StopQuery'
                  - 'logs:TestMetricFilter'
                  - 'logs:GetLogDelivery'
                  - 'logs:GetQueryResults'
                  - 'logs:GetLogEvents'
                  - 'logs:FilterLogEvents'
                  - 'logs:GetLogGroupFields'
                Resource: '*'

I need to appy access restriction based on tags but there should be better way to do this which will restrict developers to connect to specific instances.

Here :

Action:
- 'ec2-instance-connect:SendSSHPublicKey'
Resource: '*' <---I dont want it to be *

Please help.

Thanks in advance

Answer 1

From Set Up EC2 Instance Connect - Amazon Elastic Compute Cloud:

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "ec2-instance-connect:SendSSHPublicKey",
        "Resource": [
            "arn:aws:ec2:region:account-id:instance/i-1234567890abcdef0",
            "arn:aws:ec2:region:account-id:instance/i-0598c7d356eba48d7"
        ],
        "Condition": {
            "StringEquals": {
                "ec2:osuser": "ami-username"
            }
        }
      }
    ]
}

The above policy will restrict access to specific instances and specific usernames. I'm not sure if the instances can be identified by Tag. You'll need to do some experimenting.