
I have the AMIs I want to allow tagged with the "type" tag.

Here's the policy I tried:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/type": "permitted_amis"
        }
      },
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:CreateTags"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

When I tried to launch an instance from one of those AMIs, I got permission denied.

fields

1 Answer

The problem is that you don't have ec2:RunInstances permissions any more, because you added that permission together with the condition, so it overrides: it will look for an EC2 instance with that tag, seeing that you have only "ec2:DescribeInstances" on Resource:["*"].

Add two separate statements, and specify the exact resources for each:

  • one for the AMI with Resource:["arn:aws:ec2:region::image/ami-*"]
  • one for ec2:RunInstances with Resource:["arn:aws:ec2:region:account:instance/*"]

Example: (taken from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#ex5)

The following policy allows users to launch instances using only the AMIs that have the specified tag, "department=dev", associated with them. The users can't launch instances using other AMIs because the Condition element of the first statement requires that users specify an AMI that has this tag. The users also can't launch into a subnet, as the policy does not grant permissions for the subnet and network interface resources. They can, however, launch into EC2-Classic. The second statement uses a wildcard to enable users to create instance resources, and requires users to specify the key pair project_keypair and the security group sg-1a2b3c4d. Users are still able to launch instances without a key pair.

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [ 
         "arn:aws:ec2:region::image/ami-*"
      ],
      "Condition": {
         "StringEquals": {
            "ec2:ResourceTag/department": "dev"
         }
      }
   },
   {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [ 
          "arn:aws:ec2:region:account:instance/*",
          "arn:aws:ec2:region:account:volume/*",
          "arn:aws:ec2:region:account:key-pair/project_keypair",
          "arn:aws:ec2:region:account:security-group/sg-1a2b3c4d"
         ]
      }
   ]
}
VladFr
  • Won't that allow running any instance though? I only want to allow starting of instances from a specific set of AMIs. – fields Sep 03 '14 at 01:41
  • No, because both policies apply at the same time. You are able to launch any instance with RunInstances, as per the 2nd policy in my answer, but the first one says you can only launch an AMI that has your tag. So if you try launching an Instance with an AMI that has another tag, or no tag at all, condition 1 will fail, and the action will fail in consequence. I've updated the answer with the example from the docs, to be complete. – VladFr Sep 04 '14 at 11:40
  • @fields can you accept my answer? I know it's 4 years later but I believe it's still good! :) – VladFr Jul 09 '18 at 08:41
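The per-resource evaluation the answer relies on, as an added example that is not part of the original post or of AWS's documentation: a small Python model of how IAM authorizes an ec2:RunInstances call. Every resource ARN the call touches (AMI, instance, volume, key pair, security group) is checked separately, and a StringEquals condition on ec2:ResourceTag is evaluated against each of them, so attaching the condition to Resource "*" as the question does makes the untagged instance, volume, key pair and security group fail. The region, account id, AMI ids and tags below are constructed placeholders; the "fixed" policy is the answer's two-statement structure with the question's type=permitted_amis tag substituted for the documentation's department=dev. The last scenario is an observation of my own: the question's second statement grants ec2:CreateTags on "*", which lets a user tag any AMI as permitted and so defeats a tag-based allow.

```python
"""Toy evaluator for EC2 resource-level IAM authorization (added example, not AWS code).

Models only the IAM subset needed here: Allow/Deny, Action lists, Resource ARN
patterns with '*', and StringEquals conditions on ec2:ResourceTag/<key>.
RunInstances is authorized resource by resource: every ARN the call touches must
be allowed by a statement whose condition holds for THAT resource, or the call fails.
"""
from fnmatch import fnmatchcase

REGION, ACCOUNT = "us-east-1", "123456789012"   # assumed placeholders


def ec2_resource(rtype, rid, tags=None):
    """Build {arn, tags} for an EC2 resource. AMI ARNs carry no account id."""
    acct = "" if rtype == "image" else ACCOUNT
    return {"arn": f"arn:aws:ec2:{REGION}:{acct}:{rtype}/{rid}", "tags": dict(tags or {})}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, resource):
    """StringEquals on ec2:ResourceTag/<key> only. A key that is absent from the
    request context (an untagged resource) makes StringEquals evaluate to false."""
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("ec2:ResourceTag/"):
            raise NotImplementedError(f"condition key {key} not modelled")
        if resource["tags"].get(key[len("ec2:ResourceTag/"):]) != expected:
            return False
    return True


def _matches(stmt, action, resource):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource["arn"], r) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), resource))


def unauthorized_resources(policy, action, resources):
    """ARNs with no matching Allow (or a matching Deny). Empty list means authorized."""
    failed = []
    for res in resources:
        matched = [s for s in policy["Statement"] if _matches(s, action, res)]
        denied = any(s["Effect"] == "Deny" for s in matched)
        allowed = any(s["Effect"] == "Allow" for s in matched)
        if denied or not allowed:
            failed.append(res["arn"])
    return failed


def is_authorized(policy, action, resources):
    return not unauthorized_resources(policy, action, resources)


def launch_request(ami, keypair="project_keypair", sg="sg-1a2b3c4d"):
    """Resources a RunInstances call is checked against (subnet/ENI omitted, as in
    the EC2-Classic example). Instance and volume do not exist yet: wildcard ids."""
    return [ami,
            ec2_resource("instance", "*"),
            ec2_resource("volume", "*"),
            ec2_resource("key-pair", keypair),
            ec2_resource("security-group", sg)]


# The question's policy: the tag condition sits on Resource "*", so it is
# evaluated against every resource of the call, not only the AMI.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:StartInstances"],
         "Resource": "*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/type": "permitted_amis"}}},
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:CreateTags"],
         "Resource": "*"},
    ],
}

# The answer's structure: condition only on the image ARN, plain allow on the rest.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": f"arn:aws:ec2:{REGION}::image/ami-*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/type": "permitted_amis"}}},
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": [f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
                      f"arn:aws:ec2:{REGION}:{ACCOUNT}:volume/*",
                      f"arn:aws:ec2:{REGION}:{ACCOUNT}:key-pair/project_keypair",
                      f"arn:aws:ec2:{REGION}:{ACCOUNT}:security-group/sg-1a2b3c4d"]},
    ],
}

APPROVED_AMI = ec2_resource("image", "ami-0a1b2c3d4e5f60718", {"type": "permitted_amis"})
OTHER_AMI = ec2_resource("image", "ami-0ffffffffffffffff")      # constructed, untagged


def tag_bypass_demo():
    """Fixed policy plus the question's unrestricted ec2:CreateTags on "*": the user
    tags an arbitrary AMI as permitted and can then launch it. Returns (before, after)."""
    combined = {"Version": "2012-10-17",
                "Statement": FIXED_POLICY["Statement"] + [ORIGINAL_POLICY["Statement"][1]]}
    target = ec2_resource("image", "ami-0ffffffffffffffff")
    before = is_authorized(combined, "ec2:RunInstances", launch_request(target))
    if is_authorized(combined, "ec2:CreateTags", [target]):
        target["tags"]["type"] = "permitted_amis"         # the tag write is allowed
    after = is_authorized(combined, "ec2:RunInstances", launch_request(target))
    return before, after


if __name__ == "__main__":
    run = "ec2:RunInstances"
    print("original policy fails on:", unauthorized_resources(ORIGINAL_POLICY, run, launch_request(APPROVED_AMI)))
    print("fixed, approved AMI:", is_authorized(FIXED_POLICY, run, launch_request(APPROVED_AMI)))
    print("fixed, untagged AMI:", is_authorized(FIXED_POLICY, run, launch_request(OTHER_AMI)))
    print("fixed, other key pair:", is_authorized(FIXED_POLICY, run, launch_request(APPROVED_AMI, keypair="personal")))
    print("CreateTags on * bypass (before, after):", tag_bypass_demo())
```

Running it lists the four ARNs the question's policy fails on (instance, volume, key pair, security group), shows the answer's split policy allowing the tagged AMI and refusing an untagged one or a non-approved key pair, and shows the CreateTags bypass going from denied to allowed. In a real account the same checks can be made with the IAM policy simulator (`aws iam simulate-principal-policy`) by listing the resource ARNs the call would touch; and if tags are the control, ec2:CreateTags should not be granted on "*" but constrained (for example with aws:RequestTag conditions) so that users cannot mark arbitrary AMIs as permitted.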