Note: a better and more modern approach is detailed here: AWS Tagging and IAM Policies
Scenario
Allow a set of target users to login to the AWS console, and allow them to stop or start only their EC2 instances, based on tag values of the instances.
First Pass Solution
This solution allows a single specific user to manage an instance.
- Create a new role as in Creating Custom Roles to use With Shibboleth.
- Name the role "shib-ec2control".
- Create the corresponding AD group and add target users as members.
  - (As described in the link, this step needs to be completed by the Cloud Team.)
- Add the following inline policy to the new role:
Custom JSON for the policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": ["ec2:StartInstances", "ec2:StopInstances"],
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
            "StringEquals": { "ec2:ResourceTag/TargetUser": "${aws:userid}" }
          }
        },
        {
          "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
          "Effect": "Deny",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "ec2:Describe*",
          "Resource": "*"
        }
      ]
    }
- Determine the RoleId (aka PrincipalId) of the role.
  - This is hard to find in the AWS Console. Use the AWS CLI instead.

    To get just the RoleId:

        aws iam get-role --role-name shib-ec2control --query "Role.RoleId" --output text

    or, to see the entire description of the role:

        aws iam get-role --role-name shib-ec2control

  - An example RoleId: "AROAJRGJOYWPGTTYSJNDS"
- Label EC2 instances with a "TargetUser" tag according to which user should be allowed access to each instance. In order to allow "pea1" to stop/start an instance, give the instance the following tag:
  - "TargetUser" = "AROAJRGJOYWPGTTYSJNDS:pea1@cornell.edu"
  - The tag value should be "ROLE_ID:NETID@cornell.edu" where
    - ROLE_ID is the ID of the role determined earlier.
    - NETID is the Cornell netid of the user to be allowed control.
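To see how the first-pass policy resolves at request time, here is a small Python model of the IAM decision (an added example, not code from the original page): it expands ${aws:userid} from the request context, checks the StringEquals tag condition, applies wildcard Action matching, and lets an explicit Deny win. The userid value, instance tags and the evaluator itself are constructed assumptions; only StringEquals and Action matching are modelled, and Resource matching is skipped because the policy uses "*".

```python
import fnmatch
import json

# Policy from the First Pass Solution above, verbatim.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["ec2:StartInstances", "ec2:StopInstances"], "Effect": "Allow", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/TargetUser": "${aws:userid}"}}},
    {"Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Effect": "Deny", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
  ]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _substitute(value, ctx):
    # Expand IAM policy variables such as ${aws:userid} from the request context.
    for key, val in ctx.items():
        value = value.replace("${" + key + "}", val)
    return value

def _condition_holds(cond, ctx, tags):
    # Simplified: only StringEquals is modelled; every listed key must match exactly.
    for key, expected in cond.get("StringEquals", {}).items():
        if key.startswith("ec2:ResourceTag/"):
            actual = tags.get(key[len("ec2:ResourceTag/"):])
        else:
            actual = ctx.get(key)
        if actual != _substitute(expected, ctx):
            return False
    return True

def evaluate(policy, action, ctx, tags):
    """Return 'Allow', 'Deny' or 'ImplicitDeny'; an explicit Deny always wins."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx, tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# Constructed sample context (assumed values): the userid IAM presents for a Shibboleth
# session of role AROAJRGJOYWPGTTYSJNDS by pea1, and two instances tagged for different users.
PEA1 = {"aws:userid": "AROAJRGJOYWPGTTYSJNDS:pea1@cornell.edu"}
OWN_INSTANCE = {"TargetUser": "AROAJRGJOYWPGTTYSJNDS:pea1@cornell.edu"}
OTHER_INSTANCE = {"TargetUser": "AROAJRGJOYWPGTTYSJNDS:other@cornell.edu"}
```

Running evaluate() against the two instances shows why the Deny on ec2:CreateTags/ec2:DeleteTags matters: without it a user could retag another instance and satisfy the condition themselves.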
Alternative Solution
This solution allows anyone who can login with a given role access to control an EC2 instance.
- Create a new role as in Creating Custom Roles to use With Shibboleth.
- Name the role "shib-example2".
- Create the corresponding AD group and add target users as members.
- Add the following inline policy to the new role:
Custom JSON for the policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": ["ec2:StartInstances", "ec2:StopInstances"],
          "Effect": "Allow",
          "Resource": "arn:aws:ec2:us-east-1:YOUR_AWS_ACCOUNT_NUMBER:instance/*",
          "Condition": {
            "StringEquals": { "ec2:ResourceTag/TargetRole": "example2" }
          }
        },
        {
          "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
          "Effect": "Deny",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "ec2:Describe*",
          "Resource": "*"
        }
      ]
    }
- Label EC2 instances with a "TargetRole" tag according to which role should be allowed access to each instance. In order to allow users from the "shib-example2" role to stop/start an instance, give the instance the following tag:
  - "TargetRole" = "example2"