Often, in an effort to speed up development, AWS admins grant broader access to services than is needed. As an example, to let developers spin up instances quickly, they are granted the EC2FullAccess policy.

Broad EC2 Access

The managed AmazonEC2FullAccess policy is always an option. Its core grant looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}


This is dangerous. The ec2:* wildcard includes ec2:AssociateIamInstanceProfile in the permission set.

  1. In this case the user can attach (almost) any role, including administrative roles, to any EC2 instance!
  2. They can also access any EBS disk and add any public key to the authorized_keys file.
  3. The user can gain access to instances whose role has administrative privileges on the IAM service, and can even create a new user with an administrator policy.

The correct option is to restrict EC2 access by creating a restricted custom policy.

Granular / Restricted EC2 Access

The solution is to restrict the policies that are attached to the group (as a first step, define an IAM Group, e.g. EC2Developers). Attach only the following policies to this group:

In a similar fashion, restrict access to other AWS services.
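As an added example (not code from the original post), here is a small Python checker that evaluates the broad ec2:* grant above against a constructed restricted developer policy and reports which role-attachment actions each one would allow. The restricted policy is an illustrative assumption, not the post's own list, and the evaluator is a simplification of IAM (explicit Deny wins; Resource, Condition and NotAction are ignored).

```python
import fnmatch

# Constructed copy of the broad "ec2:*" grant quoted in the post.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

# Hypothetical restricted developer policy (an assumption for this example, not
# the post's own list): enough to run and manage instances, plus an explicit
# Deny on the actions that let a developer hand an IAM role to an instance.
RESTRICTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:StartInstances",
                "ec2:StopInstances", "ec2:TerminateInstances"]},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["ec2:AssociateIamInstanceProfile",
                "ec2:ReplaceIamInstanceProfileAssociation", "iam:PassRole"]}]}

# Actions that put an IAM role onto an instance. Attaching a profile also needs
# iam:PassRole, so never granting PassRole is the primary control; the Deny
# above is defence in depth.
SENSITIVE_ACTIONS = ["ec2:AssociateIamInstanceProfile",
                     "ec2:ReplaceIamInstanceProfileAssociation", "iam:PassRole"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action):
    """Simplified identity-policy evaluation for one action: explicit Deny wins,
    any matching Allow grants, otherwise default deny. Matching is
    case-insensitive with IAM-style '*' wildcards; Resource, Condition and
    NotAction are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny overrides every Allow
            allowed = True
    return allowed


def sensitive_grants(policy):
    """Sensitive actions the policy would allow; empty for a safe policy."""
    return [a for a in SENSITIVE_ACTIONS if policy_allows(policy, a)]
```

Running sensitive_grants over every customer-managed policy in an account is a cheap periodic audit for the ec2:* pattern described above.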
