This project demonstrates how to implement granular access control for AWS EC2 instances using Identity and Access Management (IAM) policies based on resource tags.
| Detail | Value |
|---|---|
| Goal | Secure AWS EC2 instances using IAM. |
| Services Used | IAM (Identity and Access Management), EC2 (Elastic Compute Cloud), Policy Simulator. |
| Estimated Time | 1.5 to 2 hours. |
The core of this project is a single IAM policy that restricts what a user can do to an EC2 instance based on the value of its `Env` tag. The condition key in the policy is `ec2:ResourceTag/Env`, so instances must carry the tag key `Env` (not `Environment`) with the value `development` for the first statement to apply. The policy has three statements:

- Allows full EC2 access (`ec2:*`) only on resources tagged `Env=development`.
- Allows read-only access (`ec2:Describe*`) to all EC2 resources, regardless of tags. The `ec2:Describe*` actions do not support resource-level permissions, so this statement necessarily covers production instances too.
- Explicitly denies `ec2:CreateTags` and `ec2:DeleteTags` on every resource. Without this statement a user could re-tag a production instance as `development` and gain full access to it, or strip the tag from a development instance; because an explicit Deny always overrides an Allow, the `ec2:*` grant cannot be used to change tags.

One caveat when testing: `ec2:ResourceTag/Env` is evaluated against tags the resource already carries, so the first statement cannot authorize launching a new, not-yet-tagged instance with `ec2:RunInstances`, and tagging on launch would additionally require `ec2:CreateTags`, which this policy denies. Verify the behaviour you expect in the Policy Simulator rather than assuming it.
The complete policy JSON is provided below. Save it as a customer managed policy in your AWS account (it is named EnvironmentPolicy in the screenshots) and attach it to the IAM group dev-group.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Env": "development"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteTags",
        "ec2:CreateTags"
      ],
      "Resource": "*"
    }
  ]
}
```
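To reason about the three statements before opening the Policy Simulator, the following is an added example (not code from the original project) that re-implements the small subset of IAM evaluation logic this policy relies on and runs it against constructed sample instances. The instance IDs and tags are made up. The Policy Simulator remains the authoritative check: this script does not model resource ARNs (every statement here uses `Resource: "*"`), other condition operators, or permissions boundaries.

```python
"""Offline check of the tag-based EC2 policy from this project.

Added example, not code from the original project. It models only the parts of
IAM evaluation the policy above depends on: an explicit Deny overrides any
Allow, an Allow overrides the implicit Deny, action wildcards (ec2:*,
ec2:Describe*), and a StringEquals condition on ec2:ResourceTag/<key>. Every
statement in the policy has Resource "*", so ARN matching is not modelled.
The instance IDs and tags below are constructed sample data.
"""
import fnmatch

# The project's policy, as a Python dict (same content as the JSON above).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/Env": "development"}}},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["ec2:DeleteTags", "ec2:CreateTags"], "Resource": "*"},
    ],
}

# Constructed sample inventory (hypothetical instance IDs): instance id -> tags.
INSTANCES = {
    "i-0aaa1111bbbb2222c": {"Env": "development", "Name": "dev-web"},
    "i-0ddd3333eeee4444f": {"Env": "production", "Name": "prod-db"},
    "i-0555666677778888a": {},  # no Env tag at all
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names match case-insensitively; '*' matches any run of characters.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, tags):
    """StringEquals on ec2:ResourceTag/<key>, case-sensitive; a missing tag makes it false."""
    if not condition:
        return True
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            prefix = "ec2:ResourceTag/"
            if not key.startswith(prefix):
                raise NotImplementedError(f"condition key {key} not modelled")
            if tags.get(key[len(prefix):]) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, tags):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one action on one tagged resource."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_holds(stmt.get("Condition"), tags):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"  # Deny wins even if ec2:* already matched
        allowed = True
    return "allow" if allowed else "implicit-deny"


def decision_matrix(policy=POLICY, instances=INSTANCES):
    """Evaluate calls a dev-group user is likely to try; returns {(action, instance): decision}."""
    cases = [
        ("ec2:StopInstances", "i-0aaa1111bbbb2222c"),      # dev instance: full access
        ("ec2:StopInstances", "i-0ddd3333eeee4444f"),      # prod instance: no Allow matches
        ("ec2:StopInstances", "i-0555666677778888a"),      # untagged: condition can't be met
        ("ec2:DescribeInstances", "i-0ddd3333eeee4444f"),  # read-only covers every instance
        ("ec2:CreateTags", "i-0ddd3333eeee4444f"),         # re-tag prod as development: blocked
        ("ec2:DeleteTags", "i-0aaa1111bbbb2222c"),         # strip the dev tag: blocked despite ec2:*
    ]
    return {(a, i): evaluate(policy, a, instances[i]) for a, i in cases}


if __name__ == "__main__":
    for (action, inst), decision in decision_matrix().items():
        env = INSTANCES[inst].get("Env", "<no Env tag>")
        print(f"{action:22} {inst}  Env={env:13} -> {decision}")
```

Running the script prints one decision per call. The two rows to look at are `ec2:CreateTags` and `ec2:DeleteTags`: the first statement's `ec2:*` matches for the development instance, yet the result is `explicit-deny`, which is exactly the re-tagging escalation the third statement exists to block. Swapping the tag value to `Development` (capital D) turns the allow into an implicit deny, because `StringEquals` is case-sensitive.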