
Note

Please note a better and more modern approach detailed here: AWS Tagging and IAM Policies

Scenario


Allow a set of target users to log in to the AWS console and to stop or start only those EC2 instances that carry a tag assigning them to the users' role.


First Pass Solution


  1. Create a new role as in Creating Custom Roles to use With Shibboleth
    1. Name the role "shib-example2".
    2. Create the corresponding AD group and add target users as members.
  2. Add the following inline policy to the new role. The first statement allows start/stop only when the instance carries the matching "TargetRole" tag; the explicit Deny on ec2:CreateTags and ec2:DeleteTags keeps members from re-tagging instances into their own scope even if some other attached policy grants tagging; ec2:Describe* is required so the console can list instances at all (EC2 Describe actions do not support resource-level permissions, so they cannot be tag-scoped).
    1. Custom JSON for the policy:

      Code Block
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": [
                      "ec2:StartInstances",
                      "ec2:StopInstances"
                  ],
                  "Effect": "Allow",
                  "Resource": "*",
                  "Condition": {
                      "StringEquals": {
                          "ec2:ResourceTag/TargetRole": "example2"
                      }
                  }
              },
              {
                  "Action": [
                      "ec2:CreateTags",
                      "ec2:DeleteTags"
                  ],
                  "Effect": "Deny",
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "ec2:Describe*",
                  "Resource": "*"
              }
          ]
      }


  3. Label each EC2 instance with a "TargetRole" tag whose value names the role allowed to stop and start it. To let members of the "shib-example2" role stop and start an instance, give it the following tag (StringEquals compares the value case-sensitively, so it must match exactly):
    1. "TargetRole" = "example2"
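The following script is an added example, not part of the original page or of any AWS tooling. It checks the policy above offline against a handful of constructed instances, modelling only the IAM evaluation rules the policy relies on: an explicit Deny overrides any Allow, an Allow carrying an ec2:ResourceTag condition matches only when the instance has that tag with exactly that value, and anything not allowed is implicitly denied. The instance IDs, tag sets, account number and region are made up for the example, and the evaluator is a simplified model rather than the real IAM engine.

```python
"""Offline check of the tag-scoped start/stop policy.

Added example, not from the original page. It models only the IAM rules the
page's policy relies on: explicit Deny wins over Allow, an Allow with an
ec2:ResourceTag condition matches only when the instance carries the tag,
and anything not allowed is implicitly denied. Action/Resource wildcards are
supported; nothing else about IAM (NotAction, principals, SCPs, ...) is.
"""
import fnmatch
import json

# The page's inline policy (the trailing comma after the last statement is
# removed here; real IAM rejects it as malformed JSON).
POLICY_JSON = r"""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"ec2:ResourceTag/TargetRole": "example2"}
            }
        },
        {
            "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
            "Effect": "Deny",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        }
    ]
}
"""

# Constructed sample instances (IDs and tags are invented for this example).
INSTANCES = {
    "i-example2-web": {"TargetRole": "example2", "Name": "web"},
    "i-example3-db": {"TargetRole": "example3"},
    "i-untagged": {},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate StringEquals, the only operator the page's policy uses."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            # A missing tag key means the condition is not satisfied.
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Return True only if some Allow matches and no Deny matches."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny always wins
        allowed = True
    return allowed  # False here is the implicit deny


def instance_context(instance_id):
    """Expose the instance's tags as ec2:ResourceTag/<key> condition keys."""
    return {f"ec2:ResourceTag/{k}": v for k, v in INSTANCES[instance_id].items()}


def evaluate(action, instance_id):
    policy = json.loads(POLICY_JSON)
    # Constructed account number and region; only the ARN shape matters here.
    arn = f"arn:aws:ec2:us-east-1:123456789012:instance/{instance_id}"
    return is_allowed(policy, action, arn, instance_context(instance_id))


if __name__ == "__main__":
    actions = ("ec2:StartInstances", "ec2:StopInstances", "ec2:CreateTags", "ec2:DescribeInstances")
    for action in actions:
        for iid in INSTANCES:
            verdict = "ALLOW" if evaluate(action, iid) else "DENY"
            print(f"{action:24} {iid:16} -> {verdict}")
```

Running it shows the shape of the policy at a glance: start/stop is allowed only for the instance tagged TargetRole=example2, tagging is denied everywhere (so a member cannot move an instance into scope), Describe is allowed for every instance, and an action the policy never mentions, such as ec2:TerminateInstances, falls through to the implicit deny. To exercise the real engine against the deployed role, the same cases can be fed to `aws iam simulate-principal-policy` with the ec2:ResourceTag context keys.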
