AWS - Allowing user to start and stop an EC2 instance
Solution 1
This one works well for me. Please note I added some quite useful (from my standpoint) actions; of course, feel free to remove them if not needed:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeTags"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:361111111111:instance/i-0e411111111111111"
        }
    ]
}
Here 361111111111 is the Account ID as you see it in the account Settings, and i-0e411111111111111 is exactly the instance ID; it should start with i- and can be found in the left topmost row of the Description tab of the instance.
Please note the region is given without the availability zone.
For curious people: I tried to limit the ec2:Describe* actions to arn:aws:ec2:us-east-1:361111111111:instance/*, but this does not work. I removed the rightmost parts until it worked, and it turns out that only "*" works.
Solution 2
Trying Putnik's suggestion did not work for me, nor did something like this.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "ec2:*" ],
            "Resource": "*"
        }
    ]
}
I could not start or stop EC2 instances: Stopped instances transitioned briefly into Pending status before ending back in Stopped with a rather unhelpful Client.InternalError message.
However, adding PassRole to my policy worked.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [ "ec2:Describe*" ],
            "Resource": [ "*" ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:361111111111:instance/i-0e411111111111111"
            ],
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*"
        }
    ]
}
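As an added example (not code from either answer, from the asker, or from AWS), here is a small offline checker that encodes the observations above: EC2 Describe* actions only work with Resource "*", the instance ARN must carry the region without an availability-zone letter, the 12-digit account ID and the i- instance ID, and iam:PassRole on "*" (Solution 2) lets the user hand any role in the account to an instance, so it should be scoped to the specific role ARN. The policy evaluation is a deliberate simplification of IAM's (no Condition, NotAction or resource policies), and the sample policies are constructed from the thread.

```python
import fnmatch
import re
# Instance ARN shape: region without an availability-zone letter, 12-digit account id, i-... id or "*"
INSTANCE_ARN = re.compile(r"^arn:aws:ec2:[a-z]{2}(-[a-z]+)+-\d:\d{12}:instance/(i-[0-9a-f]{8,17}|\*)$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def statements(policy):
    """Yield (effect, actions, resources); Action and Resource may be a string or a list."""
    for st in policy["Statement"]:
        yield st["Effect"], as_list(st["Action"]), as_list(st["Resource"])

def matches(value, patterns):  # IAM wildcards: '*' and '?' also span ':' and '/'
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for effect, actions, resources in statements(policy):
        if matches(action, actions) and matches(resource, resources):
            if effect == "Deny":
                return False
            allowed = True
    return allowed

def lint(policy):
    """Return findings for the three pitfalls seen in the thread (empty list means clean)."""
    findings = []
    for effect, actions, resources in statements(policy):
        if effect != "Allow":
            continue
        if matches("ec2:DescribeInstances", actions) and "*" not in resources:
            findings.append('ec2:Describe* does not support resource-level scoping; use Resource "*"')
        if matches("iam:PassRole", actions) and "*" in resources:
            findings.append('iam:PassRole on "*" lets the user attach any role to an instance; scope it to the role ARN actually needed')
        for r in resources:
            if r.startswith("arn:aws:ec2:") and not INSTANCE_ARN.match(r):
                findings.append(f"malformed instance ARN {r}: expected arn:aws:ec2:<region>:<12-digit account id>:instance/<i-...>")
    return findings

# Constructed samples: the asker's policy with its placeholders left in, and Solution 1's policy.
INSTANCE = "arn:aws:ec2:us-east-1:361111111111:instance/i-0e411111111111111"
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": ["arn:aws:ec2:region:user:instance/instance-ID"]}]}
SOLUTION_1 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeTags"]},
    {"Effect": "Allow", "Resource": INSTANCE, "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"]}]}
```

Run lint() on a policy before attaching it, and is_allowed() to confirm the user gets Stop on the one instance and nothing else (for example no ec2:TerminateInstances).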
Carlos Sánchez
Updated on September 18, 2022
Comments
-
Carlos Sánchez over 1 year
I'm having trouble creating an IAM policy for a specific user to grant privileges to start and stop an EC2 instance.
I have tried several ways but I can't find the errors.
This is my policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1468227127000",
            "Effect": "Allow",
            "Action": [ "ec2:DescribeInstances" ],
            "Resource": [ "*" ]
        },
        {
            "Sid": "Stmt1468227157000",
            "Effect": "Allow",
            "Action": [ "ec2:StartInstances", "ec2:StopInstances" ],
            "Resource": [ "arn:aws:ec2:region:user:instance/instance-ID" ]
        }
    ]
}
As I have read, I am unable to describe only one instance. In the first part I describe all my EC2 instances and it works, but in the second part, where I allow the user to start and stop one instance, I can't start it.
-
Putnik over 7 years
Just to be clear: do you want the user to start/stop a specific instance only, or something else?
-
Carlos Sánchez over 7 years
Exactly. That is what I want.
-
Bazze over 7 years
I see you have "user" in your ARN, did you mean "account"? It should be the account ID.
-
Carlos Sánchez over 7 years
That is the user created in the IAM Resources.
-
Bazze over 7 years
Well, the policy should be attached to the user, but the resource ARN present in the policy should include the account ID and not the user. You are setting a policy for a resource in your account, in this case an EC2 instance. Maybe I'm misunderstanding you? @CarlosSánchez