
I'm trying to create a user policy which allows specific users only the following permissions within a specific VPC: create instances, start instances, stop instances and terminate instances. (Note that, as written, the policy below is broader than this list: it also grants `ec2:CreateKeyPair` and `ec2:CreateSecurityGroup` on `Resource: "*"` with no VPC condition, and allows security-group rule changes and network-ACL deletion within the target VPC.)

I created and tested the policy in IAM, and it works according to the Policy Simulator; however, when I attach it to the user, the user is NOT able to launch an instance. The policy and the decoded error message are below.

I appear to be missing some permissions, but I'm not sure which, since the same request succeeds in the Policy Simulator. One thing the decoded error shows is that the denied request's resource is `arn:aws:ec2:us-east-1:5555555555555:instance/*` (region `us-east-1`), whereas every resource ARN in the policy uses `us-east-1e`, which looks like an availability-zone name rather than a region; that mismatch would explain why `matchedStatements` is empty, since none of the Allow statements' resource ARNs would match.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "NonResourceBasedReadOnlyPermissions",
"Action": [
"ec2:Describe*",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"iam:GetInstanceProfile",
"iam:ListInstanceProfiles",
"aws-marketplace:viewSubscriptions",
"aws-marketplace:Subscribe"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "IAMPassRoleToInstance",
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::5555555555555:role/vpc-user"
},
{
"Sid": "AllowInstanceActions",
"Effect": "Allow",
"Action": [
"ec2:RebootInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": "arn:aws:ec2:us-east-1e:5555555555555:instance/*",
"Condition": {
"StringEquals": {
"ec2:InstanceProfile": "arn:aws:iam::5555555555555:instance-profile/vpc-user"
}
}
},
{
"Sid": "EC2RunInstances",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1e:5555555555555:instance/*",
"Condition": {
"StringEquals": {
"ec2:InstanceProfile": "arn:aws:iam::5555555555555:instance-profile/vpc-user"
}
}
},
{
"Sid": "EC2RunInstancesSubnet",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1e:5555555555555:subnet/*",
"Condition": {
"StringEquals": {
"ec2:vpc": "arn:aws:ec2:us-east-1e:5555555555555:vpc/vpc-1234abcd1"
}
}
},
{
"Sid": "RemainingRunInstancePermissions",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1e:5555555555555:volume/*",
"arn:aws:ec2:us-east-1e::image/*",
"arn:aws:ec2:us-east-1e::snapshot/*",
"arn:aws:ec2:us-east-1e:5555555555555:network-interface/*",
"arn:aws:ec2:us-east-1e:5555555555555:key-pair/*",
"arn:aws:ec2:us-east-1e:5555555555555:security-group/*"
]
},
{
"Sid": "EC2VpcNonresourceSpecificActions",
"Effect": "Allow",
"Action": [
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkAclEntry",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:vpc": "arn:aws:ec2:us-east-1e:5555555555555:vpc/vpc-1234abcd1"
}
}
}
]
}

Here is the error message, decoded using the AWS CLI (`aws sts decode-authorization-message`). The empty `"items"` arrays appear to have lost their `[]` brackets when pasted, so the JSON below is not strictly valid as shown.

{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":},"context":{"principal":{"id":"REDACTED","name":"USER.REDACTED","arn":"arn:aws:iam::5555555555555:user/USER.REDACTED"},"action":"ec2:RunInstances","resource":"arn:aws:ec2:us-east-1:5555555555555:instance/*","conditions":{"items":[{"key":"ec2:Tenancy","values":{"items":}},{"key":"ec2:AvailabilityZone","values":{"items":}},{"key":"ec2:Region","values":{"items":}},{"key":"ec2:ebsOptimized","values":{"items":}},{"key":"ec2:InstanceType","values":{"items":}},{"key":"ec2:RootDeviceType","values":{"items":}}}"
}