Consider restricting the suggested instance policy to just describing tags on itself, like so:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeTags",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ARN": "${ec2:SourceInstanceARN}"
        }
      }
    }
  ]
}
```
Better!
Thanks!
@kesor Can you share a CLI command where that policy works? When I try `aws ec2 describe-tags --filters Name=resource-id,Values=<instance id>` I still get permission denied.
@aidansteele The condition does not restrict which instances you can query; it restricts who can query. With the condition above, only the instance itself, when it is using an IAM role, can call `ec2:DescribeTags` (for all instances in the region).
The placeholder `${ec2:SourceInstanceARN}` will be replaced by the ARN of whichever instance the instance profile is attached to. This means each instance with the proper instance profile can query. Obviously, if you do not want to allow the `ec2:DescribeTags` permission to other instances, just do not attach the instance profile to them.
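The point made in the reply above, that the condition gates the caller and not the queried resource, is easy to see with a small simulation. The following is an added example, not code from the gist or from anyone in this thread. It models only the slice of IAM semantics needed here: the `StringEquals` operator, `${...}` policy-variable expansion, and the rule that a condition referencing a context key absent from the request evaluates to false. It keys the condition on `ec2:SourceInstanceARN`, the context key that carries the value the `${ec2:SourceInstanceARN}` variable expands to. The account number and instance ARNs are constructed sample values, and no AWS API calls are made.

```python
"""Toy IAM condition evaluator for the ec2:DescribeTags policy discussed above.

Added example, not code from the gist or its comments. It models only the
slice of IAM semantics needed to show what the condition restricts. No AWS
API calls are made; the ARNs below are constructed sample values.
"""
import re

ACCOUNT = "123456789012"  # constructed sample account id
INSTANCE_A = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0aaaaaaaaaaaaaaaa"
INSTANCE_B = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0bbbbbbbbbbbbbbbb"

# The thread's policy, keyed on ec2:SourceInstanceARN (the context key whose
# value the ${ec2:SourceInstanceARN} variable expands to).
SELF_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:DescribeTags",
        "Resource": "*",
        "Condition": {
            "StringEquals": {"ec2:SourceInstanceARN": "${ec2:SourceInstanceARN}"}
        },
    }],
}


def request_context(source_instance_arn=None):
    """Build the context IAM sees. ec2:SourceInstanceARN is present only when
    the caller is an EC2 instance using an instance-profile role; any other
    caller (modelled as None) has no such key."""
    ctx = {}
    if source_instance_arn is not None:
        ctx["ec2:SourceInstanceARN"] = source_instance_arn
    return ctx


def expand_variables(value, ctx):
    """Expand ${key} policy variables from ctx; return None if a key is absent."""
    missing = []

    def repl(match):
        key = match.group(1)
        if key in ctx:
            return ctx[key]
        missing.append(key)
        return ""

    expanded = re.sub(r"\$\{([^}]+)\}", repl, value)
    return None if missing else expanded


def condition_holds(condition, ctx):
    """Evaluate a Condition block (only StringEquals is modelled)."""
    for key, expected in condition.get("StringEquals", {}).items():
        if key not in ctx:
            return False  # absent context key: StringEquals cannot match
        expected = expand_variables(expected, ctx)
        if expected is None or ctx[key] != expected:
            return False
    return True


def allows(policy, action, ctx):
    """True if some Allow statement covers the action and its condition holds."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt["Effect"] == "Allow" and action in actions:
            if condition_holds(stmt.get("Condition", {}), ctx):
                return True
    return False


def describe_tags_allowed(caller_arn, filter_resource_id):
    """Authorization outcome for `aws ec2 describe-tags --filters
    Name=resource-id,Values=<filter_resource_id>` issued by caller_arn.

    The resource-id filter is a request parameter, not an IAM resource:
    ec2:DescribeTags has no resource-level permissions, so the filter never
    enters the decision. It is accepted here only to make that visible."""
    del filter_resource_id  # deliberately unused, see docstring
    return allows(SELF_ONLY_POLICY, "ec2:DescribeTags", request_context(caller_arn))


def scenarios():
    """Outcomes for the three cases discussed in the thread."""
    return {
        "instance A, own tags": describe_tags_allowed(INSTANCE_A, "i-0aaaaaaaaaaaaaaaa"),
        "instance A, B's tags": describe_tags_allowed(INSTANCE_A, "i-0bbbbbbbbbbbbbbbb"),
        "IAM user, A's tags": describe_tags_allowed(None, "i-0aaaaaaaaaaaaaaaa"),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:22s} -> {'allowed' if ok else 'denied'}")
```

Both instance-originated calls are allowed, whichever `resource-id` they filter on, while the caller without an `ec2:SourceInstanceARN` in its context is denied; that is exactly what the reply above describes. On a real instance, the instance ID to filter on comes from IMDS (with IMDSv2: a `PUT` to `http://169.254.169.254/latest/api/token`, then a `GET` of `latest/meta-data/instance-id` with the returned token in `X-aws-ec2-metadata-token`).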
@kesor No, you cannot restrict that action in an IAM policy... FYI: don't lose time trying to do this.
Note: since this involves using the AWS API, the script needs IAM permissions to run. Since it is intended to run from an EC2 instance, the right way is to use an instance-profile role; a convenient managed policy to attach is:

arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess

That policy grants read access to every EC2 resource in the account (plus Describe-style calls on a few related services), which is more than the script needs; a custom policy that allows only `ec2:DescribeTags` is the least-privilege option.