Allow a set of target users to log in to the AWS console, and allow them to stop or start only their own EC2 instances, selected by the tag values on the instances.
To get just the RoleId (for a federated user the aws:userid value the policy below compares against is the RoleId, a colon, and the session name, so that is what the TargetUser tag must hold):
aws iam get-role --role-name shib-ec2control --query "Role.RoleId" --output text
or, to see the entire description of the role:
aws iam get-role --role-name shib-ec2control
Custom JSON for the policy (replace YOUR_AWS_ACCOUNT_NUMBER in both Resource ARNs with your own account number). The Allow statement matches only instances whose TargetUser tag equals the caller's aws:userid; the Deny on CreateTags and DeleteTags keeps a user from retagging an instance to bring it into their own scope:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:ec2:us-east-1:YOUR_AWS_ACCOUNT_NUMBER:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/TargetUser": "${aws:userid}"
        }
      }
    },
    {
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ec2:us-east-1:YOUR_AWS_ACCOUNT_NUMBER:instance/*"
    }
  ]
}
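To see how IAM evaluates these two statements for a federated session before deploying them, here is an added offline simulation (example code written for this page, not from the original; the account number, RoleId, instance ids and tags are constructed placeholders). It shows that a user can stop or start only the instance tagged with their own RoleId:session-name, that an untagged instance is never in scope, and that the Deny blocks tag changes regardless of the Allow.

```python
ACCOUNT = "123456789012"        # constructed placeholder account number
ROLE_ID = "AROAEXAMPLEROLEID1"  # constructed placeholder RoleId (from get-role above)
INSTANCE_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": INSTANCE_ARN + "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/TargetUser": "${aws:userid}"}}},
    {"Effect": "Deny", "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
     "Resource": INSTANCE_ARN + "*"},
]}

INSTANCES = {  # constructed sample instances and their tags
    "i-0aaa": {"TargetUser": f"{ROLE_ID}:alice"},
    "i-0bbb": {"TargetUser": f"{ROLE_ID}:bob"},
    "i-0ccc": {},                                # never tagged
}

def userid(session_name):
    # For an assumed (federated) role, aws:userid is '<RoleId>:<role session name>'.
    return f"{ROLE_ID}:{session_name}"

def arn_matches(pattern, arn):
    # Only the trailing '*' wildcard is needed for this policy.
    return arn.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == arn

def condition_holds(condition, tags, ctx):
    # StringEquals on ec2:ResourceTag/<Tag>, after ${var} policy-variable substitution.
    for key, want in condition.get("StringEquals", {}).items():
        for var, val in ctx.items():
            want = want.replace("${" + var + "}", val)
        tag_name = key.split("ec2:ResourceTag/", 1)[1]
        if tags.get(tag_name) != want:           # missing tag: condition fails
            return False
    return True

def is_allowed(session_name, action, instance_id):
    # IAM evaluation: an explicit Deny always wins; otherwise a matching Allow is needed.
    arn, ctx, allowed = INSTANCE_ARN + instance_id, {"aws:userid": userid(session_name)}, False
    for st in POLICY["Statement"]:
        if (action not in st["Action"] or not arn_matches(st["Resource"], arn)
                or not condition_holds(st.get("Condition", {}), INSTANCES[instance_id], ctx)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, [i for i in INSTANCES if is_allowed(who, "ec2:StopInstances", i)])
```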