Question:
I’m trying to write a policy that would allow a group of users to change the instance type of any instance, but no other attributes.
I currently have:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1471613026000",
      "Effect": "Allow",
      "Action": [
        "ec2:ModifyInstanceAttribute"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
but this would allow them to change any of the instances’ attributes. Is there a way to restrict this to allow changing the instanceType attribute only?
Answer:
You can limit what attribute can be edited with a conditional:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1471613026000",
      "Effect": "Allow",
      "Action": [
        "ec2:ModifyInstanceAttribute"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:Attribute": "InstanceType"
        }
      }
    }
  ]
}
```
EC2 policy docs: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html#amazon-ec2-keys
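An added, offline way to see the difference between the two policies above (this is example code written for this page, not part of the answer): a minimal evaluator for Allow/Deny statements with a `StringEquals` condition, run against both policies with a constructed resource ARN and a handful of attribute names. It shows that the unconditioned policy passes every attribute while the conditioned one passes only the exact string in the policy, because `StringEquals` is a case-sensitive match and a request with no `ec2:Attribute` key in its context fails the condition.

```python
import fnmatch

# The two policies from the thread as Python dicts: the question's (no Condition)
# and the answer's (StringEquals on ec2:Attribute).
BASE = {"Sid": "Stmt1471613026000", "Effect": "Allow",
        "Action": ["ec2:ModifyInstanceAttribute"], "Resource": ["*"]}
POLICY_ANY_ATTRIBUTE = {"Version": "2012-10-17", "Statement": [BASE]}
POLICY_INSTANCE_TYPE_ONLY = {"Version": "2012-10-17", "Statement": [
    {**BASE, "Condition": {"StringEquals": {"ec2:Attribute": "InstanceType"}}}]}

# Constructed sample request context: an instance ARN and attribute names a caller might pass.
SAMPLE_RESOURCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
SAMPLE_ATTRIBUTES = ["InstanceType", "instanceType", "userData", "disableApiTermination"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_met(condition, context):
    """All operator blocks and all keys in them must hold (AND semantics).
    Only StringEquals is modelled: exact, case-sensitive comparison; a key
    missing from the request context fails the test."""
    for operator, tests in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, wanted in tests.items():
            if key not in context or context[key] not in _as_list(wanted):
                return False
    return True

def _statement_matches(stmt, action, resource, context):
    """Action and Resource use IAM-style * and ? wildcards; then the Condition must hold."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
            and _condition_met(stmt.get("Condition", {}), context))

def policy_allows(policy, action, resource, context):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants."""
    effects = [s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, action, resource, context)]
    return "Deny" not in effects and "Allow" in effects

def allowed_attributes(policy, attributes=SAMPLE_ATTRIBUTES, resource=SAMPLE_RESOURCE):
    """Attribute values a caller may pass to ec2:ModifyInstanceAttribute under `policy`."""
    return [a for a in attributes if policy_allows(
        policy, "ec2:ModifyInstanceAttribute", resource, {"ec2:Attribute": a})]

if __name__ == "__main__":
    print("no condition:       ", allowed_attributes(POLICY_ANY_ATTRIBUTE))
    print("ec2:Attribute cond.:", allowed_attributes(POLICY_INSTANCE_TYPE_ONLY))
```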