AWS - Allowing user to start and stop an EC2 instance

Solution 1

This one works well for me. Please note I added some quite useful (from my standpoint) actions; of course, feel free to remove them if not needed:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeTags"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:361111111111:instance/i-0e411111111111111"
        }
    ]
}

Here 361111111111 is the Account ID as shown in the account Settings, and i-0e411111111111111 is exactly the instance ID; it should start with i- and can be found in the topmost left row of the instance's Description tab.

Please note the region is without availability zone.

For curious people: I tried to limit ec2:Describe* actions to arn:aws:ec2:us-east-1:361111111111:instance/*, but this does not work. I removed the rightmost parts until it worked, and it turns out that only "*" works.
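
As an added illustration (not part of this answer), a small Python checker that encodes the three rules the answer arrives at: Describe* actions only work with Resource "*", the instance ARN carries a region without an availability-zone suffix and a 12-digit account ID, and Start/Stop/Reboot match only the named instance. The account and instance IDs are constructed placeholders, and is_allowed is a deliberately minimal allow-only approximation of IAM matching (no Deny, no Condition keys).

```python
import fnmatch
import json
import re

# Constructed sample in the shape of the answer's policy; the account ID and
# instance ID are placeholders, not real identifiers.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeTags"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"}
  ]
}""")

# EC2 Describe* calls carry no resource-level permissions, so only "*" works.
NO_RESOURCE_LEVEL = ("ec2:Describe",)
# Instance ARN: region without AZ suffix, 12-digit account, "i-..." id or "*".
INSTANCE_ARN = re.compile(
    r"^arn:aws:ec2:[a-z]{2}(-[a-z]+)+-\d:\d{12}:instance/(i-[0-9a-f]{8,}|\*)$")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint(policy):
    """Return human-readable problems found in an identity policy."""
    problems = []
    for i, st in enumerate(policy["Statement"]):
        actions, resources = _as_list(st["Action"]), _as_list(st["Resource"])
        if any(a.startswith(NO_RESOURCE_LEVEL) for a in actions) and resources != ["*"]:
            problems.append(f'statement {i}: ec2:Describe* needs Resource "*"')
        for r in resources:
            if ":instance/" in r and not INSTANCE_ARN.match(r):
                problems.append(f"statement {i}: malformed instance ARN {r}")
    return problems


def is_allowed(policy, action, resource):
    """Allow-only approximation of IAM matching: actions are case-insensitive."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
        if act_ok and res_ok:
            return True
    return False
```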

Solution 2

Trying Putnik's suggestion did not work for me, nor did something like this.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "ec2:*" ],
            "Resource": "*"
        }
    ]
}

I could not start or stop EC2 instances; stopped instances transitioned briefly into Pending status before ending back in Stopped with a rather unhelpful Client.InternalError message.

However, adding PassRole into my policy worked.

https://aws.amazon.com/blogs/security/granting-permission-to-launch-ec2-instances-with-iam-roles-passrole-permission/

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [ "ec2:Describe*" ],
            "Resource": [ "*" ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:361111111111:instance/i-0e411111111111111"
            ],
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*"
        }
    ]
}

Author: Carlos Sánchez

Linux & Windows System Administrator VMWare. Scripting. Monitoring. AWS. Apache. Tomcat.

Updated on September 18, 2022

Comments

  • Carlos Sánchez over 1 year

    I'm having trouble creating an IAM policy for a specific user to grant privileges to start and stop an EC2 instance.

    I have tried several ways but I can't find the errors.

    This is my policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1468227127000",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Sid": "Stmt1468227157000",
                "Effect": "Allow",
                "Action": [
                    "ec2:StartInstances",
                    "ec2:StopInstances"
                ],
                "Resource": [
                    "arn:aws:ec2:region:user:instance/instance-ID"
                ]
            }
        ]
    }

    As I have read, I am unable to describe only one instance; in the first part I describe all my EC2 instances and it works, but in the second part I allow the user to start and stop one instance, and I can't start it.

    • Putnik over 7 years
      Just to be clear: do you want the user to start/stop a specific instance only, or something else?
    • Carlos Sánchez over 7 years
      Exactly. That is what I want.
    • Bazze over 7 years
      I see you have "user" in your ARN, did you mean "account"? It should be the account ID.
    • Carlos Sánchez over 7 years
      That is the user created in the IAM Resources.
    • Bazze over 7 years
      Well, the policy should be attached to the user, but the resource ARN present in the policy should include the account ID and not the user. You are setting a policy for a resource in your account, in this case an EC2 instance. Maybe I'm misunderstanding you? @CarlosSánchez