Objective
IAM Policy
- Create EC2 Instances
- Specific Instance Type (t2.micro, t3.micro)
- Specific Region (ap-southeast-1)
- Create RDS Instances
- Specific Region (ap-southeast-1)
Create an IAM user and attach the above policy to it.
IAM Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAccountAttributes",
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:DescribeInstanceTypes",
"ec2:DescribeKeyPairs",
"ec2:CreateKeyPair",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:CreateSecurityGroup",
"ec2:AuthorizeSecurityGroupIngress"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:ap-southeast-1:764523291456:network-interface/*",
"arn:aws:ec2:ap-southeast-1:764523291456:volume/*",
"arn:aws:ec2:ap-southeast-1:764523291456:key-pair/*",
"arn:aws:ec2:ap-southeast-1:764523291456:security-group/*",
"arn:aws:ec2:ap-southeast-1:764523291456:subnet/subnet-*",
"arn:aws:ec2:ap-southeast-1::image/ami-*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:CreateTags"
],
"Resource": [
"arn:aws:ec2:ap-southeast-1:764523291456:instance/*"
],
"Condition": {
"StringEquals": {
"ec2:InstanceType": [
"t2.micro",
"t3.micro"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"rds:Describe*",
"rds:List*"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"rds:StartDBCluster",
"rds:StopDBCluster",
"rds:CreateDBCluster",
"rds:CreateDBInstance"
],
"Resource": [
"arn:aws:rds:ap-southeast-1:764523291456:db:*",
"arn:aws:rds:ap-southeast-1:764523291456:og:*",
"arn:aws:rds:ap-southeast-1:764523291456:pg:*",
"arn:aws:rds:ap-southeast-1:764523291456:subgrp:*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:ListRoles"
],
"Resource": [
"*"
]
}
]
}
Assign the permission to Dev-Test.
Test Result
Trying to create an instance in the N. California region.
Creating an instance of the t2.micro instance type.
Trying to create a c1.medium instance in the Singapore region.
Decoding the error using AWS CloudShell.
aws sts decode-authorization-message --encoded-message **{encoded message from the error}**
Decoded message in JSON format: the “allowed” field is false and “matchedStatements” is empty, so no Allow statement matched and the request was implicitly denied (“explicitDeny” is also false). The requested action (“ec2:RunInstances”) failed the policy's StringEquals condition because the requested instance type (c1.medium, shown under “ec2:InstanceType” in the context) is not one of the permitted values (t2.micro, t3.micro).
{
"allowed": false,
"explicitDeny": false,
"matchedStatements": {
"items": []
},
"failures": {
"items": []
},
"context": {
"principal": {
"id": "AIDA3EAJDUNANEJ2HMQHF",
"name": "dev-test",
"arn": "arn:aws:iam::764523291456:user/dev-test"
},
"action": "ec2:RunInstances",
"resource": "arn:aws:ec2:ap-southeast-1:764523291456:instance/*",
"conditions": {
"items": [
{
"key": "ec2:InstanceMarketType",
"values": {
"items": [
{
"value": "on-demand"
}
]
}
},
{
"key": "aws:Resource",
"values": {
"items": [
{
"value": "instance/*"
}
]
}
},
{
"key": "aws:Account",
"values": {
"items": [
{
"value": "764523291456"
}
]
}
},
{
"key": "ec2:AvailabilityZone",
"values": {
"items": [
{
"value": "ap-southeast-1c"
}
]
}
},
{
"key": "ec2:ebsOptimized",
"values": {
"items": [
{
"value": "false"
}
]
}
},
{
"key": "ec2:IsLaunchTemplateResource",
"values": {
"items": [
{
"value": "false"
}
]
}
},
{
"key": "ec2:InstanceType",
"values": {
"items": [
{
"value": "c1.medium"
}
]
}
},
{
"key": "ec2:RootDeviceType",
"values": {
"items": [
{
"value": "ebs"
}
]
}
},
{
"key": "aws:Region",
"values": {
"items": [
{
"value": "ap-southeast-1"
}
]
}
},
{
"key": "aws:Service",
"values": {
"items": [
{
"value": "ec2"
}
]
}
},
{
"key": "ec2:InstanceID",
"values": {
"items": [
{
"value": "*"
}
]
}
},
{
"key": "aws:Type",
"values": {
"items": [
{
"value": "instance"
}
]
}
},
{
"key": "ec2:Tenancy",
"values": {
"items": [
{
"value": "default"
}
]
}
},
{
"key": "ec2:Region",
"values": {
"items": [
{
"value": "ap-southeast-1"
}
]
}
},
{
"key": "aws:ARN",
"values": {
"items": [
{
"value": "arn:aws:ec2:ap-southeast-1:764523291456:instance/*"
}
]
}
}
]
}
}
}
:wq!