...
Excerpt: Allow a set of target users to log in to the AWS console, and allow them to stop or start only their own EC2 instances, based on tag values of the instances.
First Pass Solution - Allows specific users to manage their instances
- Create a new role as in Creating Custom Roles to use With Shibboleth.
- Name the role "shib-ec2control".
- Create the corresponding AD group and add target users as members.
- Attach the ReadOnlyAccess managed policy to the role.
- Determine the RoleId (aka PrincipalId) of the role.
- This is hard to find in the AWS Console. Use the AWS CLI instead:
To get just the RoleId:
```
aws iam get-role --role-name shib-ec2control --query "Role.RoleId" --output text
```
or, to see the entire description of the role:
```
aws iam get-role --role-name shib-ec2control
```
- An example RoleId: "AROAJRGJOYWPGTTYSJNDS"
- Create a new managed IAM policy called "limit-ec2-control".
Custom JSON for the policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:ec2:us-east-1:YOUR_AWS_ACCOUNT_NUMBER:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/TargetUser": "${aws:userid}"
        }
      }
    },
    {
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Effect": "Deny",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}
```
- Attach the new policy to the newly created role. (Alternatively, add the policy to the role as an inline policy.)
- Label EC2 instances with a "TargetUser" tag according to which user should be allowed access to each instance. For example, to allow "pea1" to stop/start an instance, give the instance the following tag:
- "TargetUser" = "PRINCIPAL_ID_OF_ROLE:pea1@cornell.edu" (with the example RoleId above: "AROAJRGJOYWPGTTYSJNDS:pea1@cornell.edu")
- I.e., the value should be "ROLE_ID:NETID@cornell.edu" where
- ROLE_ID is the ID of the role determined earlier.
- NETID is the Cornell netid of the user to be allowed control.
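As an added illustration (not code from the original page), the script below walks through how the "limit-ec2-control" policy decides a request for a few constructed sessions and instances. It models only the IAM rules the policy relies on (an explicit Deny wins, otherwise an explicit Allow is required, otherwise the request is implicitly denied); the account number is a constructed placeholder for YOUR_AWS_ACCOUNT_NUMBER and the RoleId is the example value from this page.

```python
# Added example: offline walk-through of the "limit-ec2-control" policy.
# Simplified model of IAM evaluation, not the real evaluator.
ACCOUNT_ID = "123456789012"        # constructed placeholder for YOUR_AWS_ACCOUNT_NUMBER
ROLE_ID = "AROAJRGJOYWPGTTYSJNDS"  # example RoleId from the page
POLICY_REGION = "us-east-1"        # region hard-coded in the policy's Resource ARN


def session_userid(role_id, session_name):
    """aws:userid for an assumed-role session is 'ROLE_ID:RoleSessionName';
    for the Shibboleth login the session name is the netid@cornell.edu value."""
    return f"{role_id}:{session_name}"


def instance_arn(region, instance_id):
    return f"arn:aws:ec2:{region}:{ACCOUNT_ID}:instance/{instance_id}"


def evaluate(action, userid, region, instance_id, tags):
    """Return 'Allow' or 'Deny' for one EC2 API call under the policy."""
    # Statement 2: explicit Deny on tag changes. This is what stops a user
    # from re-tagging someone else's instance with their own userid.
    if action in ("ec2:CreateTags", "ec2:DeleteTags"):
        return "Deny"
    # Statement 3: ec2:Describe* is allowed on any resource.
    if action.startswith("ec2:Describe"):
        return "Allow"
    # Statement 1: start/stop only when the ARN is an instance in this account
    # and region AND the TargetUser tag equals the caller's aws:userid.
    if action in ("ec2:StartInstances", "ec2:StopInstances"):
        prefix = f"arn:aws:ec2:{POLICY_REGION}:{ACCOUNT_ID}:instance/"
        if (instance_arn(region, instance_id).startswith(prefix)
                and tags.get("TargetUser") == userid):
            return "Allow"
    return "Deny"  # implicit deny: no statement matched


if __name__ == "__main__":
    # Constructed sample: one instance tagged for pea1 exactly as the page prescribes.
    tags = {"TargetUser": f"{ROLE_ID}:pea1@cornell.edu"}
    pea1 = session_userid(ROLE_ID, "pea1@cornell.edu")
    other = session_userid(ROLE_ID, "xyz9@cornell.edu")
    cases = [(pea1, "ec2:StopInstances", "us-east-1"),
             (other, "ec2:StopInstances", "us-east-1"),
             (pea1, "ec2:StopInstances", "us-west-2"),
             (other, "ec2:CreateTags", "us-east-1")]
    for who, action, region in cases:
        result = evaluate(action, who, region, "i-0123456789abcdef0", tags)
        print(f"{who} {action} in {region} -> {result}")
```

Note that a tag value without the RoleId prefix (just "pea1@cornell.edu") never matches, because aws:userid for a federated session always carries the "ROLE_ID:" prefix.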
References
...