amazon web services - limiting aws ec2 users -


is possible create sub-account or sub-user limited in can see and/or in aws based on tags example?

i have tried using policies, instances wouldn't work, because can't limit on resource level.
makes either can controll , see everything, or nothing @ all.

is there have missed?

the question scope wide. please study iam guides , play around iam policy generator condition. playing around arn allow wildcard, still need define explicit prefix/suffix wildcard values. ec2, need understand ec2 resource arn , possible need mix "condition" add restriction.

here example of using policy generator policies allow run,start , stop instance, , restrict ec2 resource tag serverx. when attach policy user, can following task. may need add further condition make sure user doesn't see instances belongs others, enforcing tag name creation yourself.

{     "version": "2012-10-17",     "statement": [         {             "sid": "stmt1462794515000",             "effect": "allow",             "action": [                 "ec2:describeinstances",                 "ec2:runinstances",                 "ec2:startinstances",                 "ec2:stopinstances"             ],             "condition": {                 "stringlike": {                     "ec2:resourcetag/name": "serverx"                 }             },             "resource": [                 "arn:aws:ec2::1234567890:instance/*"             ]         }     ] } 

you can play around aws policy simulator. reference aws inline policies , managed policies


Comments

Popular posts from this blog

wireshark - USB mapping with python -

c++ - nodejs socket.io closes connection before upgrading to websocket -

Deploying Qt Application on Android is really slow? -