
I have a regular EC2 instance with an elastic IP. The few times the instance has been stopped, I've just manually re-associated the IP with it via the AWS Management console. I'm now thinking about migrating it to a spot instance, which means I want a way of automatically re-associating the IP with it on startup if/when the machine is shut down due to being priced out of the market. How to achieve this is well described in numerous places (e.g. here).

My question is:

Like many people with this problem, I'm wary of putting my AWS credentials file on the instance itself. I have a vague memory of seeing something about it being possible to create additional keys with more limited permissions, but am having trouble finding any concrete details. So: is it possible to create a key which I can happily put on the machine knowing it can be used for little more than an ec2-associate-instance (but not login to other instances, or generally running riot with my AWS account), and how would I actually achieve this?

timday

2 Answers


This is indeed possible by means of AWS Identity and Access Management (IAM), which enables you to securely control access to AWS services and resources for your users (facilitating IAM instead of the main account credentials for everyday AWS usage is nowadays highly recommended accordingly).

Amongst several others, IAM enables the following use case:

Fine-grained access control to your AWS resources: IAM enables you to control access to AWS service APIs and to specific resources. IAM also enables you to add specific conditions to control how a user can use AWS, such as time of day, their originating IP address, or whether they are using SSL.

The respective granularity varies between the available AWS services (it tends to get increased over time), but fortunately granularity for the EC2 API is high and what you are looking for is readily available - for example, you might want to check out the recommended AWS Policy Generator, select type IAM Policy and service Amazon EC2, which will allow you to select action AssociateAddress in turn.

Consequently you should be able to achieve your goal by creating a dedicated IAM user for the task at hand, crafting an IAM policy essentially limited to AssociateAddress (maybe DisassociateAddress as well) and assigning this policy to the IAM user - e.g. the policy might look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:AssociateAddress",
        "ec2:DisassociateAddress"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Steffen Opel
  • Aha, that's exactly what I was looking for. Thanks. – timday Mar 12 '12 at 00:50
  • I've been looking at this and was hoping to limit access to only a particular elastic IP. I haven't found an ARN syntax for an EIP. Anything I'm missing? – Dan Pritts Oct 27 '16 at 18:11
  • I found the EIP ARN, but no dice @DanPritts. For example: `arn:aws:ec2:us-east-1:555555555555:eip-allocation/eipalloc-1da111aa` – anapsix Sep 11 '17 at 16:05
  • I also wanted to restrict the action to a single EIP, but it seems AssociateAddress action does not support any condition keys. More info here: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html – SoftwareFactor Jun 07 '20 at 16:19

This is supported based on the document here. Make sure that you have the tags on the instance and the interface if you have 2 interfaces.

Ade
  • Links may expire in the future. So, please try to summarize what's mentioned in a link and then provide the actual link as a reference. Please see https://serverfault.com/help/how-to-answer . – Pothi Kalimuthu Jul 01 '21 at 06:26