Allow a set of target users to log in to the AWS console, and allow them to stop or start only their own EC2 instances, based on tag values on the instances.
This solution allows a single specific user to manage an instance.
Custom JSON for the policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/TargetUser": "${aws:userid}"
        }
      }
    },
    {
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Effect": "Deny",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}
When a user reaches the console by assuming a role (as with a federated login through the shib-ec2control role), ${aws:userid} resolves to "<RoleId>:<role session name>", so the TargetUser tag on the instance must contain the role's ID, a colon, and that user's session name. To get just the RoleId:
aws iam get-role --role-name shib-ec2control --query "Role.RoleId" --output text
or, to see the entire description of the role:
aws iam get-role --role-name shib-ec2control
This solution gives anyone who can log in with a given role the ability to control the EC2 instances tagged for that role.
Custom JSON for the policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/TargetRole": "example2"
        }
      }
    },
    {
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Effect": "Deny",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}
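Added example (not part of the original page, and not AWS's own evaluation engine): a small Python evaluator that loads both policies above and works out, for a handful of constructed instances, which ones a given aws:userid may stop or start. It shows the difference between the per-user policy (the tag must equal the caller's full "<RoleId>:<session name>" userid) and the per-role policy (any session of the role matches the fixed tag value), and why the explicit Deny on ec2:CreateTags/ec2:DeleteTags matters: without it a user could re-tag another instance and grant themselves control. The instance IDs and the AROAEXAMPLEROLEID role id are placeholders, and only the StringEquals operator and a "*" resource are supported, which is all these two policies use.

```python
import json
import re

# Both policies from the page, embedded as constructed input for the evaluator.
PER_USER_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Effect": "Allow", "Resource": "*",
    "Condition": { "StringEquals": { "ec2:ResourceTag/TargetUser": "${aws:userid}" } } },
  { "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Effect": "Deny", "Resource": "*" },
  { "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" } ] }
""")

PER_ROLE_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Effect": "Allow", "Resource": "*",
    "Condition": { "StringEquals": { "ec2:ResourceTag/TargetRole": "example2" } } },
  { "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Effect": "Deny", "Resource": "*" },
  { "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" } ] }
""")

# Constructed sample instances. IDs and the AROA... role id are placeholders, not real values.
# For a role session, aws:userid has the form "<RoleId>:<role session name>".
INSTANCES = [
    {"id": "i-0000000000000aaa", "tags": {"TargetUser": "AROAEXAMPLEROLEID:alice"}},
    {"id": "i-0000000000000bbb", "tags": {"TargetUser": "AROAEXAMPLEROLEID:bob"}},
    {"id": "i-0000000000000ccc", "tags": {"TargetRole": "example2"}},
    {"id": "i-0000000000000ddd", "tags": {}},
]

POLICY_VARIABLE = re.compile(r"\$\{([^}]+)\}")


def substitute(value, context):
    """Expand ${aws:...} variables; None if any is unset, which makes the condition fail."""
    missing = False

    def repl(match):
        nonlocal missing
        name = match.group(1)
        if name not in context:
            missing = True
            return ""
        return context[name]

    expanded = POLICY_VARIABLE.sub(repl, value)
    return None if missing else expanded


def action_matches(pattern, action):
    """IAM action names are case-insensitive and may end in a '*' wildcard."""
    pattern, action = pattern.lower(), action.lower()
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def condition_matches(condition, context, tags):
    """Evaluate a Condition block; only StringEquals is supported (the only operator used here)."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            expected = substitute(expected, context)
            if key.startswith("ec2:ResourceTag/"):
                actual = tags.get(key[len("ec2:ResourceTag/"):])
            else:
                actual = context.get(key)
            if expected is None or actual != expected:
                return False
    return True


def evaluate(policy, action, context, tags):
    """'Allow' or 'Deny' for one action on one instance; explicit Deny wins, no match is Deny."""
    allowed = False
    for statement in policy["Statement"]:
        actions = statement["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(action_matches(p, action) for p in actions):
            continue
        if not condition_matches(statement.get("Condition", {}), context, tags):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def controllable_instances(policy, userid, instances):
    """IDs of the instances a principal with this aws:userid may stop or start."""
    context = {"aws:userid": userid}
    return [inst["id"] for inst in instances
            if evaluate(policy, "ec2:StopInstances", context, inst["tags"]) == "Allow"]


if __name__ == "__main__":
    for userid in ("AROAEXAMPLEROLEID:alice", "AROAEXAMPLEROLEID:bob"):
        print(userid, "per-user:", controllable_instances(PER_USER_POLICY, userid, INSTANCES))
        print(userid, "per-role:", controllable_instances(PER_ROLE_POLICY, userid, INSTANCES))
    # The Deny on tagging is what keeps a user from re-tagging someone else's instance to themselves.
    print("CreateTags:", evaluate(PER_USER_POLICY, "ec2:CreateTags", {"aws:userid": "x"}, {"TargetUser": "x"}))
```

The evaluator also doubles as a syntax check: json.loads rejects a policy with a stray trailing comma before it ever reaches IAM. The authoritative check for the real role remains IAM's own simulator (aws iam simulate-principal-policy); this script only mirrors the two policies on this page to show which instances each tag value unlocks.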