...
- Create a new role as in Creating Custom Roles to use With Shibboleth.
- Name the role "shib-ec2control".
- Create the corresponding AD group and add target users as members.
- Attach ReadOnlyAccess managed policy to the role.
- Determine the RoleId (aka PrincipalId) of the role.
- This is hard to find in the AWS Console. Use the AWS CLI instead:
To get just the RoleId:

```
aws iam get-role --role-name shib-ec2control --query "Role.RoleId" --output text
```

or, to see the entire description of the role:

```
aws iam get-role --role-name shib-ec2control
```
- An example RoleId: "AROAJRGJOYWPGTTYSJNDS"
- Create a new managed IAM policy called "limit-ec2-control".
Custom JSON for the policy (replace YOUR_AWS_ACCOUNT_NUMBER with your account number in both Resource ARNs):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:ec2:us-east-1:YOUR_AWS_ACCOUNT_NUMBER:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/TargetUser": "${aws:userid}"
        }
      }
    },
    {
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ec2:us-east-1:YOUR_AWS_ACCOUNT_NUMBER:instance/*"
    }
  ]
}
```
- Attach the new policy to the newly created role.
- Label EC2 instances with a "TargetUser" tag according to which user should be allowed access to each instance. For example, to allow "pea1" to stop/start an instance, give the instance the following tag:
- "TargetUser" = "PRINCIPAL_ID_OF_ROLE:pea1@cornell.edu" (with the example RoleId above this is "AROAJRGJOYWPGTTYSJNDS:pea1@cornell.edu").
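As an added example (not code from the original page), the following Python rebuilds the limit-ec2-control policy above and checks which requests it permits for a Shibboleth session, using a small local evaluator rather than the real IAM engine; the account number and the second user are constructed values.

```python
import fnmatch

# Constructed sample values: the RoleId is the page's example, the account is a placeholder.
ROLE_ID = "AROAJRGJOYWPGTTYSJNDS"
ACCOUNT = "123456789012"
INSTANCE_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0abc12345def67890"

def saml_userid(role_id: str, session_name: str) -> str:
    """aws:userid for a role assumed via SAML is 'RoleId:RoleSessionName';
    with Shibboleth the session name is the user's eppn, e.g. pea1@cornell.edu."""
    return f"{role_id}:{session_name}"

def limit_ec2_control_policy(account: str) -> dict:
    """The limit-ec2-control policy from the page, with the account number filled in."""
    arn = f"arn:aws:ec2:us-east-1:{account}:instance/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Action": ["ec2:StartInstances", "ec2:StopInstances"], "Effect": "Allow",
         "Resource": arn,
         "Condition": {"StringEquals": {"ec2:ResourceTag/TargetUser": "${aws:userid}"}}},
        # Explicit Deny: a user cannot retag an instance to grant themselves access.
        {"Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Effect": "Deny", "Resource": arn},
    ]}

def evaluate(policy: dict, userid: str, action: str, resource_arn: str, tags: dict) -> str:
    """Minimal evaluator (not the real IAM engine): an explicit Deny wins, then an
    Allow whose StringEquals condition holds, otherwise the request is implicitly denied."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource_arn, stmt["Resource"]):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        # "ec2:ResourceTag/TargetUser" -> tag key "TargetUser"; substitute the policy variable.
        if not all(tags.get(key.split("/", 1)[1]) == val.replace("${aws:userid}", userid)
                   for key, val in cond.items()):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

if __name__ == "__main__":
    policy = limit_ec2_control_policy(ACCOUNT)
    tags = {"TargetUser": saml_userid(ROLE_ID, "pea1@cornell.edu")}
    for user in ("pea1@cornell.edu", "xyz9@cornell.edu"):
        uid = saml_userid(ROLE_ID, user)
        print(user, "StartInstances:", evaluate(policy, uid, "ec2:StartInstances", INSTANCE_ARN, tags))
        print(user, "CreateTags:", evaluate(policy, uid, "ec2:CreateTags", INSTANCE_ARN, tags))
```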
...