Resource-level Permissions for EC2

March 27, 2014

Elastic Compute Cloud (EC2) has proven to be a flagship service of Amazon Web Services: it lets one allocate and use powerful computing resources (EC2 instances) with ease. Using EC2, one can provision virtual resources for development, testing and production with a few clicks. As the saying goes, with great power comes great responsibility, and managing those resources and the access to them is a vital task. The Identity and Access Management (IAM) service lets one securely control which users may access which AWS services and resources. Using IAM, one creates and manages AWS users and groups and attaches permissions that allow or deny their access to AWS resources.

With enterprises opting for AWS as their preferred cloud service provider, finer granularity in user permissions has become the need of the hour. For example, one would not want the development or testing team to have permission to change production instances, which should be accessible only to specific trusted administrators. This granularity can be achieved with tag-based permissions in IAM access policies. A tag is a simple user-defined key-value pair attached to an instance. When launching an EC2 instance, one supplies a value for the key “Name” by default, and at any point in time one can add further tags to an instance.

[Screenshot: the Tags tab of an EC2 instance, showing a custom tag Team : Dev]

On EC2, tag-based permissions are currently supported for the following actions:

  • RebootInstances

  • RunInstances

  • StartInstances

  • StopInstances

  • TerminateInstances


Note that the DescribeInstances action does not support tag-based permissions. This means that all IAM users granted that action can view every EC2 instance, but they can start, stop, reboot or terminate only the instances their policy permits.

How to use tag-based resource permissions?

1. Design a tagging strategy that best suits your scenario. In the screenshot above, I have used Team : Dev as a tag. The development team needs access to the instance, while the testing team, for example, does not.

2. Create IAM users for the individual team members and divide the users into groups. In this scenario, I would use “dev-team”, “testing-team” and “database-admin” as group names.


3. Now add a custom group policy that grants access to resources carrying a specific tag, and apply the policy to the group. Below is an example IAM policy document for the group dev-team.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:<REGION>:<ACCOUNTNUMBER>:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Team": "Dev"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }
  ]
}


In the above example, the “ec2:ResourceTag/Team” condition restricts the actions StartInstances, StopInstances, RebootInstances and TerminateInstances to instances carrying the tag “Team : Dev”. Also note that the action “DescribeInstances” is granted on all resources (“*”), since it does not support resource-level permissions.
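To check that the policy behaves as described, both for the tag-scoped actions and for the unrestricted DescribeInstances noted earlier, here is an added Python example; it is not part of the original post and not AWS code. It models IAM's evaluation for this policy shape only (default deny, explicit Deny wins, StringEquals on ec2:ResourceTag/<key>), runs the post's policy against a constructed fleet of three instances, and adds a small check that flags Allow statements reaching the tag-scoped actions without any ec2:ResourceTag condition. The region, account number, instance ARNs, tags and the over-broad BROAD_POLICY are all constructed sample values.

```python
import fnmatch

# The policy from the post, with <REGION> and <ACCOUNTNUMBER> replaced by
# constructed sample values.
DEV_TEAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances",
                "ec2:TerminateInstances",
            ],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Team": "Dev"}},
        },
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
}

# Constructed counter-example: an over-broad policy with no tag condition at all.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

# Constructed sample fleet (ARN -> tags) standing in for the account's instances.
ARN_PREFIX = "arn:aws:ec2:us-east-1:123456789012:instance/"
INSTANCES = {
    ARN_PREFIX + "i-0a1b2c3d4e5f6a001": {"Name": "web-dev", "Team": "Dev"},
    ARN_PREFIX + "i-0a1b2c3d4e5f6b002": {"Name": "web-prod", "Team": "Prod"},
    ARN_PREFIX + "i-0a1b2c3d4e5f6c003": {"Name": "scratch"},  # no Team tag
}

# The EC2 actions the post lists as supporting tag-based permissions.
TAG_SCOPED_ACTIONS = [
    "ec2:RebootInstances", "ec2:RunInstances", "ec2:StartInstances",
    "ec2:StopInstances", "ec2:TerminateInstances",
]


def _as_list(value):
    # Action and Resource may be a single string or a list in a policy document.
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names match case-insensitively; "*" and "?" are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    # ARNs are case-sensitive; "*" matches any run of characters (e.g. "instance/*").
    return fnmatch.fnmatchcase(arn, pattern)


def _condition_holds(condition, tags):
    # Only StringEquals on ec2:ResourceTag/<key> is modelled, which is all the post's policy uses.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator not modelled: {operator}")
        for key, expected in pairs.items():
            if not key.startswith("ec2:ResourceTag/"):
                raise NotImplementedError(f"condition key not modelled: {key}")
            tag_key = key[len("ec2:ResourceTag/"):]
            # StringEquals is case-sensitive, and a missing tag never satisfies it.
            if tags.get(tag_key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource_arn, tags):
    """Simplified IAM evaluation: default deny, an explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_resource_matches(p, resource_arn) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def permitted_instances(policy, action, instances):
    """ARNs of the instances on which `action` is allowed under `policy`."""
    return sorted(arn for arn, tags in instances.items() if is_allowed(policy, action, arn, tags))


def describe_allowed(policy):
    # DescribeInstances has no resource-level support, so it is evaluated against "*".
    return is_allowed(policy, "ec2:DescribeInstances", "*", {})


def unconditioned_instance_actions(policy):
    """Action patterns of Allow statements that reach a tag-scoped action with no ec2:ResourceTag condition."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        has_tag_condition = any(
            key.startswith("ec2:ResourceTag/")
            for pairs in stmt.get("Condition", {}).values()
            for key in pairs
        )
        if has_tag_condition:
            continue
        for pattern in _as_list(stmt["Action"]):
            if any(_action_matches(pattern, a) for a in TAG_SCOPED_ACTIONS):
                findings.append(pattern)
    return findings


if __name__ == "__main__":
    print("TerminateInstances ->", permitted_instances(DEV_TEAM_POLICY, "ec2:TerminateInstances", INSTANCES))
    print("DescribeInstances  ->", describe_allowed(DEV_TEAM_POLICY))
    print("unscoped (dev-team):", unconditioned_instance_actions(DEV_TEAM_POLICY))
    print("unscoped (broad):   ", unconditioned_instance_actions(BROAD_POLICY))
```

Running it shows only the Team : Dev instance is reachable by the four actions, the production and untagged instances are denied, DescribeInstances is allowed regardless of tags, and the broad policy is flagged because its "ec2:*" grant carries no tag condition. Two points the model makes visible: StringEquals is case-sensitive, so a tag value of "dev" does not satisfy a condition on "Dev", and the boundary is only as trustworthy as the tags themselves, so the group that is scoped by a tag should not also be granted ec2:CreateTags or ec2:DeleteTags on the same instances.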

RDS supports similar tag-based permissions, which you may want to try as well.
