Kdtyjb

What computer would be fastest for Mathematica Home Edition?

How can players take actions together that are impossible otherwise?

Stop battery usage [Ubuntu 18]

Determine whether f is a function, an injection, a surjection

Jazz greats knew nothing of modes. Why are they used to improvise on standards?

Estimate capacitor parameters

What do I do if technical issues prevent me from filing my return on time?

Cold is to Refrigerator as warm is to?

Was credit for the black hole image misattributed?

How can I make names more distinctive without making them longer?

Blender game recording at the wrong time

How does modal jazz use chord progressions?

How can I protect witches in combat who wear limited clothing?

Why does this iterative way of solving of equation work?

How to rotate it perfectly?

What can I do if my MacBook isn’t charging but already ran out?

Why don't the Weasley twins use magic outside of school if the Trace can only find the location of spells cast?

Why is "Captain Marvel" translated as male in Portugal?

Why is there no army of Iron-Mans in the MCU?

What loss function to use when labels are probabilities?

How can you insert a "times/divide" symbol similar to the "plus/minus" (±) one?

Is above average number of years spent on PhD considered a red flag in future academia or industry positions?

Why use gamma over alpha radiation?

Using "nakedly" instead of "with nothing on"

AWS IAM: Restrict Console Access to only One Instance

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}

1

I am trying to create an IAM user for the AWS Console with permission to list and perform action on only 1 instance.

So I have a total of 6 Instances and I tried hiding 5 of them via IAM Policies by adding the below policy:

Breakdown

1. First took all the permissions away

2. Added permission to only one instance

    {

    "Statement": [

        {

            "Effect": "Deny",

            "Action": "*",

            "Resource": "*",

            "Condition": {

                "condition": {}

            }

        },

        {

            "Effect": "Allow",

            "Action": "*",

            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef",

            "Condition": {

                "condition": {}

            }

        }

    ]

}

This works for the 1st part only ie Denying to all Instances.
The 2nd part doesn't seem to work.

Don't the permissions work like that? Any help would be appreciated.

amazon-web-services amazon-ec2 amazon-iam

share|improve this question

asked 1 hour ago

ServerInsightsServerInsights

1615

add a comment | 

1

I am trying to create an IAM user for the AWS Console with permission to list and perform action on only 1 instance.

So I have a total of 6 Instances and I tried hiding 5 of them via IAM Policies by adding the below policy:

Breakdown

1. First took all the permissions away

2. Added permission to only one instance

    {

    "Statement": [

        {

            "Effect": "Deny",

            "Action": "*",

            "Resource": "*",

            "Condition": {

                "condition": {}

            }

        },

        {

            "Effect": "Allow",

            "Action": "*",

            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef",

            "Condition": {

                "condition": {}

            }

        }

    ]

}

This works for the 1st part only ie Denying to all Instances.
The 2nd part doesn't seem to work.

Don't the permissions work like that? Any help would be appreciated.

amazon-web-services amazon-ec2 amazon-iam

share|improve this question

asked 1 hour ago

ServerInsightsServerInsights

1615

add a comment | 

I am trying to create an IAM user for the AWS Console with permission to list and perform action on only 1 instance.

So I have a total of 6 Instances and I tried hiding 5 of them via IAM Policies by adding the below policy:

Breakdown

1. First took all the permissions away

2. Added permission to only one instance

    {

    "Statement": [

        {

            "Effect": "Deny",

            "Action": "*",

            "Resource": "*",

            "Condition": {

                "condition": {}

            }

        },

        {

            "Effect": "Allow",

            "Action": "*",

            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef",

            "Condition": {

                "condition": {}

            }

        }

    ]

}

This works for the 1st part only ie Denying to all Instances.
The 2nd part doesn't seem to work.

Don't the permissions work like that? Any help would be appreciated.

amazon-web-services amazon-ec2 amazon-iam

share|improve this question

asked 1 hour ago

ServerInsightsServerInsights

1615

    {

    "Statement": [

        {

            "Effect": "Deny",

            "Action": "*",

            "Resource": "*",

            "Condition": {

                "condition": {}

            }

        },

        {

            "Effect": "Allow",

            "Action": "*",

            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef",

            "Condition": {

                "condition": {}

            }

        }

    ]

}

share|improve this question

asked 1 hour ago

ServerInsightsServerInsights

1615

share|improve this question

asked 1 hour ago

ServerInsightsServerInsights

1615

asked 1 hour ago

ServerInsightsServerInsights

1615

asked 1 hour ago

ServerInsightsServerInsights

1615

2 Answers
2

active

oldest

votes

2

Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.

However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.

You may need at least ec2:DescribeInstances to get a basic half-broken list.

If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.

I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.

Hope that helps :)

share|improve this answer

answered 1 hour ago

MLuMLu

9,78722445

add a comment | 

0

You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"

This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.

See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information

share|improve this answer

answered 1 hour ago

Sharuzzaman Ahmat RaslanSharuzzaman Ahmat Raslan

2631213

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f963055%2faws-iam-restrict-console-access-to-only-one-instance%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

2

Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.

However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.

You may need at least ec2:DescribeInstances to get a basic half-broken list.

If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.

I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.

Hope that helps :)

share|improve this answer

answered 1 hour ago

MLuMLu

9,78722445

add a comment | 

2

Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.

However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.

You may need at least ec2:DescribeInstances to get a basic half-broken list.

If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.

I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.

Hope that helps :)

share|improve this answer

answered 1 hour ago

MLuMLu

9,78722445

add a comment | 

Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.

However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.

You may need at least ec2:DescribeInstances to get a basic half-broken list.

If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.

I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.

Hope that helps :)

share|improve this answer

answered 1 hour ago

MLuMLu

9,78722445

share|improve this answer

answered 1 hour ago

MLuMLu

9,78722445

answered 1 hour ago

MLuMLu

9,78722445

answered 1 hour ago

MLuMLu

9,78722445

0

You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"

This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.

See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information

share|improve this answer

answered 1 hour ago

Sharuzzaman Ahmat RaslanSharuzzaman Ahmat Raslan

2631213

add a comment | 

0

You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"

This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.

See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information

share|improve this answer

answered 1 hour ago

Sharuzzaman Ahmat RaslanSharuzzaman Ahmat Raslan

2631213

add a comment | 

You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"

This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.

See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information

share|improve this answer

answered 1 hour ago

Sharuzzaman Ahmat RaslanSharuzzaman Ahmat Raslan

2631213

share|improve this answer

answered 1 hour ago

Sharuzzaman Ahmat RaslanSharuzzaman Ahmat Raslan

2631213

answered 1 hour ago

Sharuzzaman Ahmat RaslanSharuzzaman Ahmat Raslan

2631213

answered 1 hour ago

Sharuzzaman Ahmat RaslanSharuzzaman Ahmat Raslan

2631213