@tomvachon
Created August 16, 2017 11:16
AWS IAM Policy for Tag Restricted EBS & EC2
# CloudFormation resource body (the logical resource ID is not part of the gist).
# Assumes two stack parameters, AssetId and AppEnv, which are referenced with Ref below
# and are tied to the role the caller assumed.
Type: AWS::IAM::ManagedPolicy
Properties:
  Description: AWS Policy for EC2 Instance, EBS Creation with Tagging required
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      # RunInstances also touches resources that cannot carry request tags
      # (AMI, subnet, ENI, security group, key pair); allow those unconditionally.
      # Note that the AMI ARN is pinned to us-east-1 while the others are region-wide.
      - Effect: Allow
        Action:
          - ec2:RunInstances
        Resource:
          - arn:aws:ec2:us-east-1::image/*
          - Fn::Sub: arn:aws:ec2:*:${AWS::AccountId}:subnet/*
          - Fn::Sub: arn:aws:ec2:*:${AWS::AccountId}:network-interface/*
          - Fn::Sub: arn:aws:ec2:*:${AWS::AccountId}:security-group/*
          - Fn::Sub: arn:aws:ec2:*:${AWS::AccountId}:key-pair/*
      # The instance and volume resources are only allowed when the request tags
      # 1) include assetid equal to the AssetId stack parameter, and
      # 2) include environment equal to the AppEnv stack parameter,
      # and no other tag keys are present (ForAllValues on aws:TagKeys).
      # A request that fails either check is rejected with UnauthorizedOperation
      # (HTTP 403) at the end of the workflow.
      - Effect: Allow
        Action:
          - ec2:RunInstances
          - ec2:CreateVolume
        Resource:
          - Fn::Sub: arn:aws:ec2:*:${AWS::AccountId}:volume/*
          - Fn::Sub: arn:aws:ec2:*:${AWS::AccountId}:instance/*
        Condition:
          StringEquals:
            aws:RequestTag/assetid:
              Ref: AssetId
            aws:RequestTag/environment:
              Ref: AppEnv
          ForAllValues:StringEquals:
            aws:TagKeys:
              - assetid
              - environment
      # Allow the CreateTags call that RunInstances makes on the caller's behalf.
      # Listing RunInstances and CreateVolume in one statement behaved
      # inconsistently, so the two are kept in separate statements.
      - Effect: Allow
        Action:
          - ec2:CreateTags
        Resource:
          - Fn::Sub: arn:aws:ec2:*:${AWS::AccountId}:*/*
        Condition:
          StringEquals:
            ec2:CreateAction:
              - RunInstances
      # Same for the CreateTags call that CreateVolume makes.
      - Effect: Allow
        Action:
          - ec2:CreateTags
        Resource:
          - Fn::Sub: arn:aws:ec2:*:${AWS::AccountId}:*/*
        Condition:
          StringEquals:
            ec2:CreateAction:
              - CreateVolume
      # The same tag restriction for Auto Scaling; needs more testing.
      - Effect: Allow
        Action:
          - autoscaling:Create*
        Resource:
          - "*"
        Condition:
          StringEquals:
            aws:RequestTag/assetid:
              Ref: AssetId
            aws:RequestTag/environment:
              Ref: AppEnv
          ForAllValues:StringEquals:
            aws:TagKeys:
              - assetid
              - environment
      # CreateSecurityGroup did not support the tag-on-create hooks when this was
      # written, so groups are created untagged. Nothing in this policy lets the
      # caller tag a group afterwards, so that tagging has to come from elsewhere.
      - Effect: Allow
        Action:
          - ec2:CreateSecurityGroup
        Resource:
          - "*"
      # Rules may only be added to or revoked from a group that already carries
      # both tags. Both checks use ec2:ResourceTag; the original had
      # aws:RequestTag/environment here, which is never present on an
      # Authorize/Revoke call, so the statement could never have matched.
      - Effect: Allow
        Action:
          - ec2:AuthorizeSecurityGroup*
          - ec2:RevokeSecurityGroup*
        Resource:
          - "*"
        Condition:
          StringEquals:
            ec2:ResourceTag/assetid:
              Ref: AssetId
            ec2:ResourceTag/environment:
              Ref: AppEnv
      # Prevent tampering with the two tags the restrictions key on. Without this
      # the caller could change them after the fact and lose (or widen) access.
      # ForAnyValue:StringEquals fires when either protected key is in the request;
      # the original ForAllValues only matched when every requested key was one of
      # the two, so adding an unrelated key alongside assetid slipped past it.
      # The unqualified StringNotEquals is true when ec2:CreateAction is absent,
      # i.e. on a standalone CreateTags, whereas the original ForAnyValue on an
      # absent key is false and never matched. DeleteTags is denied as well so
      # the tags cannot simply be removed.
      - Effect: Deny
        Action:
          - ec2:CreateTags
          - ec2:DeleteTags
        Resource:
          - "*"
        Condition:
          ForAnyValue:StringEquals:
            aws:TagKeys:
              - assetid
              - environment
          StringNotEquals:
            ec2:CreateAction:
              - RunInstances
              - CreateVolume
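The tag-protection Deny at the end of the policy depends on how IAM treats condition keys that are absent from the request (no ec2:CreateAction on a standalone CreateTags call) and on the difference between ForAllValues and ForAnyValue. The following is an added example, not code from the gist: a small offline evaluator of those semantics, run against the gist's Deny as written (ForAllValues:StringEquals on aws:TagKeys plus ForAnyValue:StringNotEquals on ec2:CreateAction) and against a corrected Deny (ForAnyValue:StringEquals plus an unqualified StringNotEquals). The request contexts are constructed, `ALLOW_ANY_TAGGING` stands in for a hypothetical broader grant the same principal might receive from another policy, and all function names (`eval_operator`, `condition_matches`, `decide`, `decisions`) are this example's own. Resource matching and the non-String operators are omitted.

```python
"""Offline evaluator for the tag-protection Deny in the policy above.

Models the IAM condition semantics that matter for that statement:
  * single-valued operators: an absent key is false for StringEquals and
    true for the negated StringNotEquals;
  * ForAllValues: vacuously true when the key is absent;
  * ForAnyValue: false when the key is absent.
Resource matching is deliberately left out (the statements modelled here all
use "*"), and only the String operators are implemented.
"""
from fnmatch import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def eval_operator(op, policy_values, request_values):
    """Evaluate one operator; request_values is None when the key is absent."""
    qualifier, base = op.split(":", 1) if ":" in op else (None, op)
    if base not in ("StringEquals", "StringNotEquals"):
        raise ValueError("operator not modelled: " + op)
    negated = base == "StringNotEquals"

    def match(v):
        return (v in policy_values) != negated

    if qualifier == "ForAllValues":
        return True if request_values is None else all(map(match, request_values))
    if qualifier == "ForAnyValue":
        return False if request_values is None else any(map(match, request_values))
    if request_values is None:
        return negated
    return all(map(match, request_values))


def condition_matches(condition, context):
    """Every operator/key pair in a Condition block must hold."""
    return all(
        eval_operator(op, _as_list(values), context.get(key))
        for op, keys in condition.items()
        for key, values in keys.items()
    )


def decide(statements, action, context):
    """Explicit Deny beats Allow; no matching statement is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if not any(fnmatch(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


PROTECTED_KEYS = ["assetid", "environment"]
CREATE_ACTIONS = ["RunInstances", "CreateVolume"]

# CreateTags grant as in the gist: only while RunInstances/CreateVolume is the actor.
ALLOW_TAG_ON_CREATE = {
    "Effect": "Allow", "Action": "ec2:CreateTags",
    "Condition": {"StringEquals": {"ec2:CreateAction": CREATE_ACTIONS}},
}
# Hypothetical broader grant the same principal might get from another policy.
ALLOW_ANY_TAGGING = {"Effect": "Allow", "Action": "ec2:CreateTags"}

ORIGINAL_DENY = {"Effect": "Deny", "Action": "ec2:CreateTags", "Condition": {
    "ForAllValues:StringEquals": {"aws:TagKeys": PROTECTED_KEYS},
    "ForAnyValue:StringNotEquals": {"ec2:CreateAction": CREATE_ACTIONS}}}
CORRECTED_DENY = {"Effect": "Deny", "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
                  "Condition": {
    "ForAnyValue:StringEquals": {"aws:TagKeys": PROTECTED_KEYS},
    "StringNotEquals": {"ec2:CreateAction": CREATE_ACTIONS}}}

# Constructed request contexts: what EC2 populates for each kind of call.
VIA_RUNINSTANCES = {"aws:TagKeys": ["assetid", "environment"],
                    "ec2:CreateAction": ["RunInstances"]}
STANDALONE_ASSETID = {"aws:TagKeys": ["assetid"]}          # tamper attempt
STANDALONE_MIXED = {"aws:TagKeys": ["assetid", "Name"]}    # tamper plus a decoy key
STANDALONE_NAME = {"aws:TagKeys": ["Name"]}                # harmless tagging


def decisions(deny):
    """Decisions for ec2:CreateTags under the gist's grant, the broader grant and one Deny."""
    policy = [ALLOW_TAG_ON_CREATE, ALLOW_ANY_TAGGING, deny]
    return {
        "via_runinstances": decide(policy, "ec2:CreateTags", VIA_RUNINSTANCES),
        "standalone_assetid": decide(policy, "ec2:CreateTags", STANDALONE_ASSETID),
        "standalone_mixed": decide(policy, "ec2:CreateTags", STANDALONE_MIXED),
        "standalone_name": decide(policy, "ec2:CreateTags", STANDALONE_NAME),
    }


if __name__ == "__main__":
    for name, deny in (("original", ORIGINAL_DENY), ("corrected", CORRECTED_DENY)):
        print(name, decisions(deny))
```

With only the gist's own statements the standalone tamper attempts end in an implicit deny either way, because no Allow covers a CreateTags call without ec2:CreateAction; the Deny as written adds nothing on top of that. As soon as the principal holds a broader tagging grant, the original Deny lets both standalone attempts through, while the corrected one blocks them and still permits the tagging that RunInstances performs.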
osterman commented Mar 1, 2019
