IAM policy to restrict access to one VPC


You most likely need to recompose your IAM Policy along the lines of Example 5. Launching instances into a specific VPC within Controlling Access to Amazon VPC Resources:

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:region:account:subnet/*",
      "Condition": {
         "StringEquals": {
            "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"
         }
      }
   },
   ...
   ]
}

That is, the available resources (and their granularity) are specific to each API action, so for the example at hand RunInstances applies to EC2 resources in a specific subnet, and that in turn is part of a VPC; accordingly you need to target the subnets but can further constrain the set of possible subnets by means of their ec2:Vpc attribute via IAM Policy Conditions as outlined above.
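As an added illustration of the point above (example code, not from the answer's author or from AWS), the following Python linter flags exactly the mistake in the question: an `ec2:Vpc` condition attached to a statement whose `Resource` is `*`, where the key has nothing to be evaluated against. It also builds a statement in the shape the answer recommends (one action, a VPC-scoped resource ARN, the `ec2:Vpc` condition). The set of resource types that carry the `ec2:Vpc` attribute is an assumption here and contains only `subnet`, the case the answer demonstrates; the region, account id and VPC id in the sample policies are constructed placeholders.

```python
import json
import re

# Resource types on which EC2 evaluates the ec2:Vpc condition key.
# Assumption: "subnet" is the case the answer above demonstrates (RunInstances on
# subnet/*); extend this set from the EC2 actions/resources reference as needed.
VPC_SCOPED_RESOURCE_TYPES = {"subnet"}

# arn:aws:ec2:<region>:<account>:<resource-type>/<resource-id>
ARN_RE = re.compile(r"^arn:aws:ec2:[^:]*:[^:]*:([a-z-]+)/.+$")


def as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def resource_type(resource):
    """Return the EC2 resource type of an ARN ('subnet', 'vpc', ...), or None for '*'."""
    m = ARN_RE.match(resource)
    return m.group(1) if m else None


def lint_vpc_condition(policy):
    """Flag statements whose ec2:Vpc condition cannot be evaluated for a listed resource."""
    findings = []
    for idx, stmt in enumerate(as_list(policy.get("Statement", []))):
        condition = stmt.get("Condition", {})
        # Condition is {operator: {key: value}}; look for ec2:Vpc under any operator.
        uses_vpc_key = any("ec2:Vpc" in keys for keys in condition.values())
        if not uses_vpc_key:
            continue
        for res in as_list(stmt.get("Resource", [])):
            rtype = resource_type(res)
            if rtype is None:
                findings.append(
                    f"statement {idx}: ec2:Vpc condition with wildcard resource {res!r}; "
                    "the key is only evaluated against VPC-scoped resource ARNs"
                )
            elif rtype not in VPC_SCOPED_RESOURCE_TYPES:
                findings.append(
                    f"statement {idx}: ec2:Vpc condition on {rtype!r} resource {res!r}, "
                    "which is not in the assumed set of VPC-scoped resource types"
                )
    return findings


def vpc_scoped_statement(action, region, account, vpc_id, resource_type_name="subnet"):
    """Build a statement in the shape of the answer: one action, VPC-scoped resource, ec2:Vpc condition."""
    return {
        "Effect": "Allow",
        "Action": action,
        "Resource": f"arn:aws:ec2:{region}:{account}:{resource_type_name}/*",
        "Condition": {
            "StringEquals": {
                "ec2:Vpc": f"arn:aws:ec2:{region}:{account}:vpc/{vpc_id}"
            }
        },
    }


# Constructed sample: the shape of the policy in the question (Resource "*" plus ec2:Vpc).
QUESTION_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:RunInstances", "ec2:Describe*"],
        "Resource": "*",
        "Condition": {
            "StringEquals": {"ec2:Vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-1a2b3c4d"}
        },
    }],
}

# Constructed sample: the same intent expressed the way the answer recommends.
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        vpc_scoped_statement("ec2:RunInstances", "us-east-1", "123456789012", "vpc-1a2b3c4d"),
    ],
}

if __name__ == "__main__":
    for name, policy in (("question", QUESTION_STYLE_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, lint_vpc_condition(policy) or "no findings")
    print(json.dumps(CORRECTED_POLICY, indent=2))
```

Running it reports one finding for the question-style policy and none for the corrected one. Actions that offer no resource-level granularity (the `ec2:Describe*` family, for instance) need their own statement with `"Resource": "*"` and no `ec2:Vpc` condition, otherwise the condition has nothing to match and the call is denied; this linter deliberately leaves such statements alone as long as they carry no `ec2:Vpc` key.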

Satie Sharma

Updated on September 18, 2022

Comments

  • Satie Sharma, over 1 year ago

    I am trying to restrict users to a single VPC. I went through Controlling Access to Amazon VPC Resources and came up with the following policy but it does not work. Can someone point out the errors in it?

    I should mention that IAM Policy Simulator seems to think the policy is fine after I set the VPC ARN under condition keys in simulation settings.

    (I have replaced the region, account and vpc-id with actual values in my policy.)

    
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:*Vpc*",
                    "ec2:*Subnet*",
                    "ec2:*Gateway*",
                    "ec2:*Vpn*",
                    "ec2:*Route*",
                    "ec2:*Address*",
                    "ec2:*SecurityGroup*",
                    "ec2:*NetworkAcl*",
                    "ec2:*DhcpOptions*",
                    "ec2:RunInstances",
                    "ec2:StopInstances",
                    "ec2:StartInstances",
                    "ec2:TerminateInstances",
                    "ec2:Describe*"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-id"
                    }
                }
            }
        ]
    }
    
    Thanks.