Versions Compared

Old Version 5

changes.mady.by.user Paul Allen

Saved on

compared with

New Version 6

changes.mady.by.user Paul Allen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Excerpt

Allow a set of target users to login to the AWS console, and allow them to stop or start only their EC2 instances, based on tag values of the instances.


First Pass Solution - Allows specific user to manage instance

  1. Create a new role as in Creating Custom Roles to use With Shibboleth
    1. Name the role "shib-ec2control".
    2. Create the corresponding AD group and add target users as members.
  2. Attach ReadOnlyAccess managed policy to the role.
  3. Determine the RoleId (aka PrincipalId) of the role.
    1. This is hard to find in the AWS Console. Use the AWS CLI instead:

      1. To get just the RoleId:

        Code Block
        aws iam get-role --role-name shib-ec2control --query "Role.RoleId" --output text

        or, to see the entire description of the role:

        Code Block
        aws iam get-role --role-name shib-ec2control
      2. A example RoleId "AROAJRGJOYWPGTTYSJNDS"
  4. Create a new managed IAM policy called "limit-ec2-control".

    1. Custom JSON for the policy: 

      Code Block
      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:ec2:us-east-1:YOUR_AWS_ACCOUNT_NUMBER:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/TargetUser": "${aws:userid}"
                }
            }
        },
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags"
            ],
            "Effect": "Deny",
            "Resource": "*"
        },
        {
            "Effect" : "Allow",
            "Action" : "ec2:Describe*",
            "Resource" : "*"
        },
    ]
}
  5. Attach the new policy to the newly created role. (Alternatively, add the policy to the role as an inline policy.)
  6. Label EC2 instances with "TargetUser" tag according to which user should be allowed access to each instance. In order to allow "pea1" to stop/start and instance, give the instance the following tag:
    1. "TargetUser" = "PRINCIPAL_ID_OF_ROLE:pea1@cornell.edu"AROAJRGJOYWPGTTYSJNDS:pea1@cornell.edu"
    2. I.e., the value should be "ROLE_ID:NETID@cornell.edu" where 
      1. ROLE_ID is the ID of the role determined earlier.
      2. NETID is the Cornell netid of the user to be allowed control.

 

References

...