What I'm trying to do (continuing on from a question I asked previously: How can I filter AWS Instances by IAM role in PowerShell and get the private IP address of that instance?) is get the private IP addresses of instances with a specific IAM role. And I've got code that works perfectly:
# Filter on the instance-profile ARN attached to each instance (account id and role name are examples)
$filter = New-Object Amazon.EC2.Model.Filter -Property @{Name = "iam-instance-profile.arn"; Value = "arn:aws:iam::123456789012:instance-profile/TestRole"}
# Get-EC2Instance returns Reservation objects; @() keeps a single result as an array
$ec2 = @(Get-EC2Instance -Filter $filter)
# Member enumeration flattens the Instances of every reservation, then their private IPs
$ec2instances = $ec2.Instances
$ipaddress = $ec2instances.PrivateIpAddress
However, now instead of doing the filter in the code, I'd like to create an IAM policy that restricts the user to only be able to get information on the instances that have a specific IAM role. So if they try get-ec2instance (for example), it should only return information on the relevant instances and not all instances in the account.
This is my IAM Policy that I have:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeInstances"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Condition": {
        "ArnEquals": {
          "ec2:InstanceProfile": "arn:aws:iam::12356789102:instance-profile/TestRole"
        }
      }
    }
  ]
}
However, when I run get-ec2instance in PowerShell, I am told that I'm not authorised to perform that action. I think that might be because get-ec2instance is only applicable to all instances, but I'm not sure.
I would appreciate the help, thanks!
The reason for the issue is that get-ec2instance is trying to describe all of your instances, including instances that don't have the appropriate role assigned to them.
When talking about describing EC2 instances or listing S3 buckets, you should be able to list everything; otherwise you receive a 403 error.
I would suggest you restrict your access with IAM for security purposes only and continue filtering your instances using the code itself.
Please let me know if it works for you.
P.S. You may have gone the wrong way when you decided to use IAM roles to organize your access. AWS provides a feature called "Resource tagging". Its direct purpose is to organize your resources and apply permissions based on that structure. More information here: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html#iam-policy-example-ec2-tag-permissions
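The approach the answer recommends, as an added example that is not part of the original question or answer: the IAM policy allows ec2:DescribeInstances on "*" with no condition, the narrowing to one role happens in the API filter on the client side, and the tag-based condition goes on actions that do support resource-level permissions (Start/Stop, as in the linked AWS tag-permissions example). It assumes the AWS Tools for PowerShell module AWS.Tools.EC2 is installed with credentials configured; the account id, role name, tag key "Role", region and the helper names New-Ec2Filter and Get-PrivateIpForRole are placeholders chosen for this example.

```powershell
# Added example, not code from the original question or answer.
# Assumes AWS Tools for PowerShell (AWS.Tools.EC2) is installed and credentials
# are configured. The account id, role name, tag key and region are placeholders.
Import-Module AWS.Tools.EC2

function New-Ec2Filter {
    param([string] $Name, [string[]] $Values)
    # Build the filter through the SDK constructor so the Values list type is
    # explicit regardless of how PowerShell coerces a hashtable.
    $list = [System.Collections.Generic.List[string]]::new()
    foreach ($v in $Values) { $list.Add($v) }
    return [Amazon.EC2.Model.Filter]::new($Name, $list)
}

function Get-PrivateIpForRole {
    [CmdletBinding(DefaultParameterSetName = 'ByInstanceProfile')]
    param(
        [Parameter(Mandatory, ParameterSetName = 'ByInstanceProfile')] [string] $AccountId,
        [Parameter(Mandatory, ParameterSetName = 'ByInstanceProfile')] [string] $RoleName,
        [Parameter(Mandatory, ParameterSetName = 'ByTag')] [string] $TagKey,
        [Parameter(Mandatory, ParameterSetName = 'ByTag')] [string] $TagValue,
        [string] $Region = 'us-east-1'
    )
    # ec2:DescribeInstances cannot be narrowed per instance by IAM, so the caller's
    # policy must allow it on "*" and the narrowing happens in the API filter here.
    $filter = if ($PSCmdlet.ParameterSetName -eq 'ByTag') {
        New-Ec2Filter -Name "tag:$TagKey" -Values $TagValue
    } else {
        New-Ec2Filter -Name 'iam-instance-profile.arn' `
            -Values "arn:aws:iam::${AccountId}:instance-profile/$RoleName"
    }
    $reservations = @(Get-EC2Instance -Filter $filter -Region $Region)
    foreach ($inst in $reservations.Instances) {
        # Stopped or terminated instances may carry no private address; skip them
        # instead of emitting empty strings to downstream callers.
        if ([string]::IsNullOrEmpty($inst.PrivateIpAddress)) { continue }
        [pscustomobject]@{
            InstanceId       = $inst.InstanceId
            PrivateIpAddress = $inst.PrivateIpAddress
            State            = $inst.State.Name
        }
    }
}

# IAM policy that pairs with the code above: Describe is allowed unconditionally,
# and the tag condition is placed on actions that do support resource-level
# permissions, following the AWS tag-permissions example the answer links to.
# Tag key "Role" and value "TestRole" are placeholders.
$policyDocument = @'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/Role": "TestRole" }
      }
    }
  ]
}
'@
# Fail early on malformed JSON before this document is attached to a principal.
$null = $policyDocument | ConvertFrom-Json

# Usage (placeholders):
# Get-PrivateIpForRole -AccountId 123456789012 -RoleName TestRole
# Get-PrivateIpForRole -TagKey Role -TagValue TestRole | Select-Object -ExpandProperty PrivateIpAddress
```

Both parameter sets return the same object shape, so a caller can switch from the instance-profile filter to the tag filter without changing downstream code; the policy document is only parsed here, attaching it (for example with New-IAMPolicy) is left to the operator.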