Page History

...

Table of Contents

...

First Pass Solution

...

This solution allows a single specific user to manage an instance.

1. Create a new role as in Creating Custom Roles to use With Shibboleth. 
   1. Name the role "shib-ec2control".
   2. Create the corresponding AD group and add target users as members.
2. Add the following inline policy to the new role:

   1. Custom JSON for the policy: 

      Code Block
      { "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:StartInstances", "ec2:StopInstances" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/TargetUser": "${aws:userid}" } } }, { "Action": [ "ec2:CreateTags", "ec2:DeleteTags" ], "Effect": "Deny", "Resource": "*" }, { "Effect" : "Allow", "Action" : "ec2:Describe*", "Resource" : "*" }, ] }

3. Determine the RoleId (aka PrincipalId) of the role.
   1. This is hard to find in the AWS Console. Use the AWS CLI instead:

      1. To get just the RoleId:

         Code Block
         aws iam get-role --role-name shib-ec2control --query "Role.RoleId" --output text

         or, to see the entire description of the role:

         Code Block
         aws iam get-role --role-name shib-ec2control

      2. A example RoleId "AROAJRGJOYWPGTTYSJNDS"
4. Label EC2 instances with "TargetUser" tag according to which user should be allowed access to each instance. In order to allow "pea1" to stop/start an instance, give the instance the following tag:
   1. "TargetUser" = "AROAJRGJOYWPGTTYSJNDS:pea1@cornell.edu" The tag value should be "ROLE_ID:NETID@cornell.edu" where 
      1. ROLE_ID is the ID of the role determined earlier.
      2. NETID is the Cornell netid of the user to be allowed control.

Alternative Solution 

This solution allows anyone who can login with a given role access to control an EC2 instance.

1. Create a new role as in Creating Custom Roles to use With Shibboleth. 
   1. Name the role "shib-example2".
   2. Create the corresponding AD group and add target users as members.
2. Add the following inline policy to the new role:
   Create a new managed IAM policy called "limit-ec2-control".

   1. Custom JSON for the policy: 

      Code Block

      { "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:StartInstances", "ec2:StopInstances" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/TargetUserTargetRole": "${aws:userid}example2" } } }, { "Action": [ "ec2:CreateTags", "ec2:DeleteTags" ], "Effect": "Deny", "Resource": "*" }, { "Effect" : "Allow", "Action" : "ec2:Describe*", "Resource" : "*" }, ] }

   Attach the new policy to the newly created role. (Alternatively, add the policy to the role as an inline policy.)
   1. Label EC2 instances with "TargetUserTargetRole" tag according to which user role should be allowed access to each instance. In order to allow "pea1" users from the "shib-example2" role to stop/start and an instance, give the instance the following tag:
      1. "TargetUserTargetRole" = "AROAJRGJOYWPGTTYSJNDS:pea1@cornell.edu"
      2. I.e., the value should be "ROLE_ID:NETID@cornell.edu" where 
         1. ROLE_ID is the ID of the role determined earlier.
         2. NETID is the Cornell netid of the user to be allowed control.

   ...

   1. 1. example2"

   References

   • https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/

   ...