February 7, 2021

Attribute Based Access Control

AWS has provided the ability to implement fine-grained access control using attributes (such as resource tags) for several years now.

Recently I had the need to provide access to certain EC2 instances and was really hoping that I didn’t have to list all EC2 instances for attribute access to work.

Unfortunately, after a lot of trial and error I couldn’t make it work, and ended up with the following policy, deployed via Control Tower/SSO using a permission set against the specific account where the EC2 instances are running.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeLoadBalancers",
                "cloudwatch:List*",
                "cloudwatch:Describe*",
                "ec2:Describe*",
                "ec2:Get*",
                "ssm:Describe*",
                "ssm:Get*",
                "ssm:List*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Department": "${aws:PrincipalTag/Department}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:ResumeSession",
                "ssm:StartSession",
                "ssm:TerminateSession"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ssm:ResourceTag/Department": "${aws:PrincipalTag/Department}"
                }
            }
        }
    ]
}

The users in question were stored in the AWS SSO default managed directory, so I used the Department field to set the permissions to be able to manage the specific EC2 instances in question.

We then added a Department key to the EC2 instances and set the Department value to the same value in the SSO directory, e.g. “Operations”.

This grants only the intended access: a user whose Department tag matches the instance's Department tag can see the status of CloudWatch alarms for that instance, log in via SSM Session Manager, and start or stop the instance. Instances without a matching Department tag (or with no tag at all) do not satisfy the StringEquals condition, so those actions are implicitly denied on them.
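To sanity-check the tag-matching logic of a policy like this before deploying it, here is a small offline evaluator I have added as an example (it is not from the post and not an AWS tool). It substitutes the `${aws:PrincipalTag/...}` variable, applies the StringEquals condition against a resource's tags, and treats "no matching Allow" as an implicit deny; the policy is a condensed copy of the one above and the principal and instance tags are constructed sample values.

```python
import fnmatch
import re

# Condensed copy of the post's policy (the Describe statement plus the
# tag-conditioned EC2 statement); the SSM statement has the same shape.
POLICY = {"Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "ec2:Get*", "cloudwatch:Describe*"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "*",
     "Condition": {"StringEquals": {
         "ec2:ResourceTag/Department": "${aws:PrincipalTag/Department}"}}},
]}

PRINCIPAL_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")

def resolve(value, principal_tags):
    """Substitute ${aws:PrincipalTag/Key}. A principal without that tag
    yields None, so the condition can never match (mirrors IAM's behaviour
    of not matching when a policy variable has no value)."""
    m = PRINCIPAL_VAR.fullmatch(value)
    return principal_tags.get(m.group(1)) if m else value

def condition_holds(cond, principal_tags, resource_tags):
    """Evaluate a Condition block; only StringEquals (the operator used in
    the post's policy) is supported here."""
    for op, pairs in cond.items():
        if op != "StringEquals":
            raise NotImplementedError(op)
        for key, expected in pairs.items():
            _, tag_key = key.split("/", 1)   # "ec2:ResourceTag/Department"
            actual = resource_tags.get(tag_key)
            want = resolve(expected, principal_tags)
            # StringEquals is case-sensitive; a missing resource tag or an
            # unresolved variable never matches.
            if actual is None or want is None or actual != want:
                return False
    return True

def is_allowed(action, principal_tags, resource_tags, policy=POLICY):
    """True if some Allow statement covers the action and its condition
    holds; otherwise the request is implicitly denied."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        # IAM action patterns only use '*' (e.g. "ec2:Describe*").
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if condition_holds(stmt.get("Condition", {}), principal_tags, resource_tags):
            return True
    return False
```

The evaluator deliberately ignores Resource ARNs and Deny statements, which is enough for the `"Resource": "*"` tag-only policy shown here but not for a general IAM simulation.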

© Greg Cockburn
