Make an IAM user able only to start and stop a designated EC2 instance

Prerequisites

Steps

  1. Go to ‘IAM’ and click ‘Policies’ in the left menu. Click the ‘Create policy’ button to make a custom policy.
  2. Select one of the policy tools. I will select ‘Create Your Own Policy’ as an example.

      • Required actions
        • ec2:StartInstances
          • Target resource: the ARN of the designated EC2 instance
        • ec2:StopInstances
          • Target resource: the ARN of the designated EC2 instance
        • ec2:Describe*
          • Target resource: all EC2 instances (“*”), because the Describe actions do not support resource-level permissions
      • Example of a policy document
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "Stmt1501742713000",
              "Effect": "Allow",
              "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
              ],
              "Resource": [
                "arn:aws:ec2:ap-northeast-2:652050604906:instance/i-034dd11af16acf000"
              ]
            },
            {
              "Effect": "Allow",
              "Action": "ec2:Describe*",
              "Resource": [
                "*"
              ]
            }
          ]
        }
  3. Go to https://console.aws.amazon.com/iam/home#/users and select the user.
  4. Select the ‘Permissions’ tab and click ‘Add permissions’.
  5. Click ‘Attach existing policies directly’ and select the policy you created. Click ‘Next: Review’ and then ‘Add permissions’ if everything looks right.
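As an added example (not code from the original post), this Python script builds the policy document from steps 1 and 2 out of a region, account ID and instance ID, and includes a simplified allow-check showing that start/stop on any other instance ARN, and any other EC2 action on the designated instance, is not granted. The account and instance IDs are constructed placeholders; the checker handles only Allow statements with IAM-style wildcards and is not a substitute for the IAM Policy Simulator.

```python
import fnmatch
import json

def build_policy(region, account_id, instance_id):
    """Return the start/stop policy document scoped to one instance ARN."""
    instance_arn = f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartStopDesignatedInstance",
                "Effect": "Allow",
                "Action": ["ec2:StartInstances", "ec2:StopInstances"],
                "Resource": [instance_arn],
            },
            {
                # ec2:Describe* actions do not support resource-level
                # permissions, so they can only be granted on "*".
                "Sid": "DescribeInstances",
                "Effect": "Allow",
                "Action": "ec2:Describe*",
                "Resource": ["*"],
            },
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified check: Allow statements with IAM '*' wildcards only
    (no conditions, no Deny, no other attached policies). Use the IAM
    Policy Simulator for authoritative results."""
    action = action.lower()  # IAM action names are case-insensitive
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        act_ok = any(fnmatch.fnmatchcase(action, a.lower()) for a in _as_list(stmt["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if act_ok and res_ok:
            return True
    return False

if __name__ == "__main__":
    # Constructed sample values, not a real account or instance.
    doc = build_policy("ap-northeast-2", "123456789012", "i-0123456789abcdef0")
    print(json.dumps(doc, indent=2))  # paste into the console's policy editor
```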