IAM policy to restrict access to one VPC
You most likely need to recompose your IAM Policy along the lines of Example 5. Launching instances into a specific VPC within Controlling Access to Amazon VPC Resources:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:region:account:subnet/*",
    "Condition": {
      "StringEquals": {
        "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"
      }
    }
  },
  ...
  ]
}
That is, the available resources (and their granularity) are specific to each API action, so for the example at hand RunInstances applies to EC2 resources in a specific subnet, and that in turn is part of a VPC; accordingly you need to target the subnets but can further constrain the set of possible subnets by means of their ec2:Vpc attribute via IAM Policy Conditions as outlined above.
Satie Sharma, updated on September 18, 2022

Comments

Satie Sharma (over 1 year)
I am trying to restrict users to a single VPC. I went through Controlling Access to Amazon VPC Resources and came up with the following policy but it does not work. Can someone point out the errors in it?
I should mention that IAM Policy Simulator seems to think the policy is fine after I set the VPC ARN under condition keys in simulation settings.
(I have replaced the region, account and vpc-id with actual values in my policy.)
Thanks.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*Vpc*",
        "ec2:*Subnet*",
        "ec2:*Gateway*",
        "ec2:*Vpn*",
        "ec2:*Route*",
        "ec2:*Address*",
        "ec2:*SecurityGroup*",
        "ec2:*NetworkAcl*",
        "ec2:*DhcpOptions*",
        "ec2:RunInstances",
        "ec2:StopInstances",
        "ec2:StartInstances",
        "ec2:TerminateInstances",
        "ec2:Describe*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-id"
        }
      }
    }
  ]
}
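The answer's point, and the reason the broader policy in the question behaves unexpectedly, can be reproduced with a small IAM-style matcher. This is an added example, not code from the post or from AWS: the region, account id and subnet id are constructed placeholders, and `statement_allows` is a simplified model of IAM evaluation (Allow statements, glob matching on Action and Resource, and the StringEquals operator only; Deny statements and other operators are ignored).

```python
import fnmatch

# Constructed placeholder values (not real resources).
REGION, ACCOUNT = "us-east-1", "123456789012"
VPC_OK = f"arn:aws:ec2:{REGION}:{ACCOUNT}:vpc/vpc-1a2b3c4d"
VPC_OTHER = f"arn:aws:ec2:{REGION}:{ACCOUNT}:vpc/vpc-9f8e7d6c"
SUBNET = f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/subnet-0abc1234"

# Statement shaped like the one in the answer: subnet resources, VPC condition.
ANSWER_STATEMENT = {
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/*",
    "Condition": {"StringEquals": {"ec2:Vpc": VPC_OK}},
}

# Statement shaped like the one in the question: Resource "*" plus Describe*,
# with the same VPC condition applied to every action.
QUESTION_STATEMENT = {
    "Effect": "Allow",
    "Action": ["ec2:RunInstances", "ec2:Describe*"],
    "Resource": "*",
    "Condition": {"StringEquals": {"ec2:Vpc": VPC_OK}},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value):
    # IAM Action/Resource elements use '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def statement_allows(stmt, action, resource, context):
    """Return True if this Allow statement matches the request.

    `context` holds the condition keys the request actually carries. Actions
    whose resources have no VPC (Describe* calls, for instance) never supply
    ec2:Vpc, so a StringEquals condition on that key cannot be satisfied.
    """
    if stmt.get("Effect") != "Allow":
        return False
    if not _glob_match(stmt["Action"], action):
        return False
    if not _glob_match(stmt["Resource"], resource):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        # A missing key fails a (non-negated) StringEquals condition.
        if key not in context or context[key] not in _as_list(expected):
            return False
    return True
```

With the answer's statement, RunInstances into a subnet of the named VPC is allowed and a subnet of any other VPC is not; with the question's statement, a DescribeInstances call carries no ec2:Vpc key at all and is therefore not allowed by that statement, which is why the policy does not behave as intended even though the simulator, once told to supply the key, reports it as fine.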