Monday, September 27, 2010

Using Policies in AWS Identity and Access Management

For a project I'm working on here at work, I wanted to create an AWS user that could only launch instances, but could not write to S3, query SDB

{
 "Statement":[ {
    "Effect":"Allow",
    "Action":["ec2:RunInstances","ec2:RebootInstances",
              "ec2:GetConsoleOutput", "ec2:DescribeInstances" ],
    "Resource":"*"
  }, {
    "Effect":"Allow",
    "Action":["ec2:StopInstances","ec2:StartInstances",
              "ec2:TerminateInstances"],
    "Resource":"*"
  }, {
    "Effect":"Allow",
    "Action":["ec2:DescribeImages"],
    "Resource":"*"
  }, {
    "Effect":"Deny",
    "NotAction":["ec2:*"],
    "Resource":"*"
  } ]
}
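To see why the final "Deny"/"NotAction" statement is what keeps this user out of S3 and SDB, here is a small evaluator, added for this post and not part of the original, that applies IAM's documented decision order (an explicit Deny overrides any Allow; anything not explicitly allowed is denied) to the policy above. It models only Effect, Action and NotAction with wildcard matching; Resource is "*" in every statement here and no Conditions are present, so neither is evaluated.

```python
import fnmatch
import json

# The policy from the post (the EC2-only user), embedded as the sample input.
POLICY = json.loads("""
{
 "Statement":[
  {"Effect":"Allow",
   "Action":["ec2:RunInstances","ec2:RebootInstances",
             "ec2:GetConsoleOutput","ec2:DescribeInstances"],
   "Resource":"*"},
  {"Effect":"Allow",
   "Action":["ec2:StopInstances","ec2:StartInstances","ec2:TerminateInstances"],
   "Resource":"*"},
  {"Effect":"Allow", "Action":["ec2:DescribeImages"], "Resource":"*"},
  {"Effect":"Deny", "NotAction":["ec2:*"], "Resource":"*"}
 ]
}
""")


def _as_list(value):
    """IAM accepts either a single string or a list for Action / NotAction."""
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern, action):
    # Action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_applies(stmt, action):
    """True if the statement's Action / NotAction element covers this request."""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        # NotAction covers every action that does NOT match one of its patterns.
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def evaluate(policy, action):
    """Return 'Allow' or 'Deny' for one API action under IAM's decision order."""
    decision = "Deny"                      # default: nothing is allowed
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                  # an explicit Deny wins outright
        decision = "Allow"
    return decision
```

Note that an EC2 call the policy never lists, such as ec2:CreateKeyPair, is also denied: the NotAction statement does not cover it, but no Allow statement does either, so the default deny applies.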


I had hoped that I could allow this user to create his own security groups and keypairs (for launching instances with 'ec2-run-instances --key'), and that I could also allow him to modify or delete those items. Unfortunately, I was not able to figure out how to do this. What I had hoped I could do was something like:
{
  "Effect":"Allow",
  "Action":["ec2:*SecurityGroup*"],
  "Condition" :  {
     "StringLike": {
        "ec2:groupName":"foouser*"
     }
  },
  "Resource":"*"
},
{
  "Effect":"Allow",
  "Action":["ec2:*KeyPair*"],
  "Condition" :  {
     "StringLike": {
        "ec2:keyName":"foouser*"
     }
  },
  "Resource":"*"
}

The 'keyName' is an attribute of the [Add,Delete,Describe]KeyPair API calls, and 'groupName' is an attribute of the [Add,Delete]SecurityGroups and AuthorizeSecurityGroupIngress API calls, as described in the EC2 API.

My goal was to limit the user ('foouser') to manipulating SecurityGroups or KeyPairs whose names began with 'foouser'. That prefix would also give other users of the account a clear indication of who owned those items when they came across them.

However, the 'Condition' syntax isn't as "open" as that (I couldn't think of a better term than 'open'). I can think of reasons why it would be difficult or undesirable to make Conditions work the way I wanted, but it would have been nice.

The IAM EC2 documentation indicates that EC2 only supports the following Condition keys: aws:CurrentTime, aws:EpochTime, aws:SecureTransport, aws:SourceIp and aws:UserAgent.

It seems to me that SecurityGroups and keypairs are an essential part of using EC2, yet they appear to be stuck at the account level, with no way to limit them at the user level.

Another thing I would like to do is give the user the ability to launch / stop / start / terminate her own instances, but not those of other users of the account. If I truly want to use IAM to split up my account usage, say into 'Development' and 'Production' users or groups, this is essential. When I use the 'Development' user I want to be protected from accidentally rebooting or terminating a 'Production' instance.

For example, I test our Official Ubuntu images. The testing scripts launch several instances. While they're running, I'll often be doing development and have an instance of my own running as well. I would like my 'development' work not to accidentally terminate (or otherwise affect) my test runs. As it is right now, a 'euca-describe-instances' shows me all instances in either account, just waiting for me to copy and paste the wrong one and terminate it.

It is quite possible that I've missed something; if so, please let me know.
