Note: a better and more modern approach is detailed here: AWS Tagging and IAM Policies
Scenario
Allow a set of target users to log in to the AWS console, and allow them to stop or start only their own EC2 instances, selected by the tag values on those instances.
...
First Pass Solution
...
- Create a new role as in Creating Custom Roles to use With Shibboleth.
- Name the role "shib-example2".
- Create the corresponding AD group and add target users as members.
- Add the following inline policy to the new role:
Custom JSON for the policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/TargetRole": "example2" }
      }
    },
    {
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Effect": "Deny",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}
```
The three statements do the following. The first allows StartInstances and StopInstances only on instances whose "TargetRole" tag equals "example2"; an instance without the tag, or with a different value, fails the condition. The second explicitly denies CreateTags and DeleteTags so that members of the role cannot retag an instance to bring it under their own control; because an explicit Deny overrides any Allow, this holds even if another policy attached to the role grants tagging. The third allows the Describe calls the console needs to list instances at all. Make sure the document is valid JSON before saving it (in particular, no trailing comma after the last statement), as IAM rejects a malformed policy.
- Tag each EC2 instance with a "TargetRole" tag whose value names the role that should be allowed to stop and start it. To allow members of the "shib-example2" role to stop or start an instance, give the instance the following tag:
- "TargetRole" = "example2"
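To see which calls a member of the role can make against differently tagged instances, and why the Deny on tagging matters, here is an added example (not part of the original page): a small model of IAM's evaluation order applied to the policy above. It is a simplified evaluator for this policy shape only (Allow/Deny statements with an optional StringEquals on ec2:ResourceTag/<key>), not AWS's real engine; the authoritative check is `aws iam simulate-custom-policy` with a ContextEntry for the tag key. The second policy document, BROAD_EC2_POLICY, is constructed for the example to stand in for some other attachment that grants broad EC2 rights.

```python
import fnmatch
import json

# The inline policy from the page (valid JSON, no trailing comma after the
# last statement, which IAM would reject).
SHIB_EXAMPLE2_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {"StringEquals": {"ec2:ResourceTag/TargetRole": "example2"}}
    },
    {"Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Effect": "Deny", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
  ]
}
"""

# Constructed for this example (hypothetical, not from the page): a broad
# policy that some other attachment might grant the same principal.
BROAD_EC2_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]
}
"""


def load_policy(text):
    """Parse a policy document; raises ValueError on malformed JSON such as a
    trailing comma after the last statement."""
    return json.loads(text)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM matches action names case-insensitively and treats '*' as a wildcard.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(patterns))


def _condition_holds(condition, resource_tags):
    """Only StringEquals on ec2:ResourceTag/<key> is modelled, which is all the
    page's policy uses. An absent tag key makes the condition false, as in IAM."""
    prefix = "ec2:ResourceTag/"
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith(prefix):
            raise ValueError("unsupported condition key: %s" % key)
        actual = resource_tags.get(key[len(prefix):])
        if actual is None or actual not in _as_list(expected):
            return False
    return True


def evaluate(policies, action, resource_tags):
    """Return 'Allow' or 'Deny' for one EC2 API action on an instance carrying
    resource_tags, across every policy document attached to the principal.
    Mirrors IAM's ordering: an explicit Deny wins over any Allow, and with no
    matching statement the result is an implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _action_matches(stmt["Action"], action):
                continue
            if not _condition_holds(stmt.get("Condition", {}), resource_tags):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    page_policy = load_policy(SHIB_EXAMPLE2_POLICY)
    broad = load_policy(BROAD_EC2_POLICY)
    cases = [
        ([page_policy], "ec2:StartInstances", {"TargetRole": "example2"}),
        ([page_policy], "ec2:StopInstances", {"TargetRole": "example1"}),
        ([page_policy], "ec2:TerminateInstances", {"TargetRole": "example2"}),
        ([page_policy], "ec2:DescribeInstances", {}),
        ([page_policy, broad], "ec2:CreateTags", {"Name": "web-1"}),
    ]
    for pols, act, tags in cases:
        print("%-24s tags=%-28s -> %s" % (act, tags, evaluate(pols, act, tags)))
```

The last case is the one worth checking in a real account: with only the broad policy attached, CreateTags is allowed and a member could tag any instance "TargetRole" = "example2" to widen their own reach; with the page's policy also attached, the explicit Deny wins and the tagging path is closed.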
...
...