Amazon Elastic Compute Cloud
User Guide (API Version 2012-05-01)

Using AWS Identity and Access Management

This section provides an introduction to using AWS Identity and Access Management with Amazon EC2.

Identity and Access Management

AWS Identity and Access Management (IAM) is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions in AWS. The service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2 and the AWS Management Console. With IAM, you can centrally manage users, security credentials such as access keys, and the permissions that control which AWS resources users can access. For more information on AWS Identity and Access Management, go to Using IAM.

Amazon EC2 Permissions

Amazon EC2 has its own permissions system that covers Amazon Machine Images (AMIs) and Amazon EBS snapshots. There's no ACL system or policy system to give permissions to launch AMIs or create volumes from snapshots. Instead, the Amazon EC2 API lets you modify the attributes on an AMI or snapshot to give another AWS Account those permissions. The following diagram illustrates the concept. Each AMI has a LaunchPermission attribute that you can set to one or more AWS Account IDs in order to share the AMI with those AWS Accounts. Each Amazon EBS snapshot has a similar VolumePermission attribute.

EC2 attributes for granting permission to AMIs and snapshots

This sharing works at the AWS Account level only; you can't restrict access only to specific users within the AWS Account you're sharing, or only to specific users in your own AWS Account. All users in the AWS Account you're sharing with can use the AMI or snapshot you've shared.

Note

Don't be confused by the fact that the attribute for specifying the AWS Account to share with is called UserId. The value you specify for UserId is an AWS Account ID.

For information on modifying attributes on an AMI, see Sharing AMIs. For information on modifying attributes on a snapshot, see Modifying Snapshot Permissions.

Amazon EC2 Permissions and AWS Identity and Access Management (IAM)

Using IAM with Amazon EC2 doesn't change how you use the Amazon EC2 API to share AMIs and snapshots with other AWS Accounts. However, you can use IAM policies to specify which Amazon EC2 actions a user in your AWS Account can use with EC2 resources in general. You can't specify a particular Amazon EC2 resource in the policy (e.g., a specific AMI). Instead, you must specify * as the resource to indicate all resources in the AWS Account.

Example 1: Creating a permission policy

You could create a policy that gives the Developers group permission to use only RunInstances, StopInstances, StartInstances, TerminateInstances, and DescribeInstances. They could then use those with any AMI that belongs to your AWS Account, any public AMIs, or any AMIs that have been shared with your AWS Account. The following diagram illustrates the concept.

Basic IAM policy for EC2

Important

Amazon EC2 uses SSH keys, Windows passwords, and security groups to control who has access to specific Amazon EC2 instances. You can't use the IAM system to allow or deny access to a specific instance.

Example 2: Setting LaunchPermission

This example builds on the previous one. In addition to the IAM policy attached to the Developers group, you set the LaunchPermission attribute on the AMI in your AWS Account with ID ami-12345678 so that two other AWS Accounts can launch the AMI. Anyone possessing the keys for either of those AWS Accounts can launch an instance of the AMI. Also, any user in the Developers group can launch an instance of that AMI, because the Developers group has permission to use RunInstances with any AMI in the AWS Account.

Basic IAM policy for EC2 plus launch permission attribute set

For examples of IAM policies that cover Amazon EC2 actions, see Example Policies for Amazon EC2. For more information about granting permissions to AMIs and snapshots, refer to the topics about the ModifyImageAttribute and ModifySnapshotAttribute APIs in the Amazon Elastic Compute Cloud API Reference.

No Amazon Resource Names (ARNs) for Amazon EC2

Amazon EC2 has no Amazon Resource Names (ARNs) because you can't specify a particular Amazon EC2 resource in an IAM policy. When writing a policy to control access to Amazon EC2 actions, you use * as the resource. For more information about ARNs, see Identifiers For IAM Entities.

Amazon EC2 Actions

In an IAM policy, you can specify any and all actions that Amazon EC2 offers. Each action name must be prefixed with the lowercase string ec2:. For example: ec2:RunInstances, ec2:CreateImage, ec2:* (for all Amazon EC2 actions). For a list of the actions, refer to the Query API or SOAP API action names in the Amazon Elastic Compute Cloud API Reference.

Amazon EC2 Keys

Amazon EC2 implements the following policy keys:

AWS-Wide Policy Keys

  • aws:CurrentTime (for date/time conditions)

  • aws:EpochTime (the date in epoch or UNIX time, for use with date/time conditions)

  • aws:SecureTransport (Boolean representing whether the request was sent using SSL)

  • aws:SourceIp (the requester's IP address, for use with IP address conditions)

  • aws:UserAgent (information about the requester's client application, for use with string conditions)

If you use aws:SourceIp, and the request comes from an Amazon EC2 instance, we evaluate the instance's public IP address to determine if access is allowed.

For services that use only SSL, such as Amazon RDS and Amazon Route 53, the aws:SecureTransport key has no meaning.

The key names are case insensitive. For example, aws:CurrentTime is equivalent to AWS:currenttime.

Example Policies for Amazon EC2

This section shows several simple policies for controlling user access to Amazon EC2.

Note

In the future, Amazon EC2 might add new actions that should logically be included in one of the following policies, based on the policy’s stated goals.

Example 1: Allow a group to only be able to describe, run, stop, start, and terminate instances

In this example, we create a policy that gives access to the relevant actions and attach it to the group. The resource is stated as "*", because you can't specify a particular Amazon EC2 resource in an IAM policy.

{
   "Statement":[{
      "Effect":"Allow",
      "Action":["ec2:DescribeInstances","ec2:RunInstances",
                "ec2:StopInstances","ec2:StartInstances",
                "ec2:TerminateInstances"],
      "Resource":"*"
      }
   ]
}

Example 2: Allow managers to only be able to list the current Amazon EC2 resources in the AWS Account

In this example, we create a policy that lets managers use the Amazon EC2 actions with Describe in the name.

{
   "Statement":[{
      "Effect":"Allow",
      "Action":"ec2:Describe*",
      "Resource":"*"
      }
   ]
}
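The policy evaluation this guide describes (action names prefixed with ec2: and matched with * wildcards, Resource "*", and the case-insensitive AWS-wide condition keys such as aws:SourceIp and aws:SecureTransport listed under Amazon EC2 Keys), worked through as an added Python example that is not part of the guide. The policy extends Example 2 with a Condition; the 203.0.113.0/24 range and the request contexts are constructed, and the evaluator is a teaching simplification rather than the IAM engine.

```python
import fnmatch
import ipaddress
import json

# Constructed policy: the page's "ec2:Describe*" example extended with a
# Condition on two AWS-wide keys. The CIDR is a placeholder; the mixed-case
# key spelling is deliberate, because policy key names are case insensitive.
POLICY = json.loads("""{
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:Describe*",
    "Resource": "*",
    "Condition": {
      "Bool": {"aws:SecureTransport": "true"},
      "IpAddress": {"AWS:sourceip": "203.0.113.0/24"}
    }
  }]
}""")

def lookup_key(context, key):
    # Key names are case insensitive: aws:CurrentTime == AWS:currenttime.
    matches = [v for k, v in context.items() if k.lower() == key.lower()]
    return matches[0] if matches else None

def condition_holds(operator, key, expected, context):
    actual = lookup_key(context, key)
    if actual is None:
        return False  # a missing key never satisfies a condition
    if operator == "Bool":
        return str(actual).lower() == str(expected).lower()
    if operator == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
    raise ValueError("unsupported condition operator: " + operator)

def is_allowed(policy, action, context):
    # Simplified evaluation: the first statement whose Action pattern matches and
    # whose conditions all hold decides; Resource is always "*" here, so it is not checked.
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        # Action names carry the lowercase ec2: prefix and may use * wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        conditions = stmt.get("Condition", {})
        if all(condition_holds(op, k, v, context)
               for op, pairs in conditions.items() for k, v in pairs.items()):
            return stmt["Effect"] == "Allow"
    return False
```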

Example 3: Share an AMI with a partner

You can't use IAM policies to share a particular AMI with a partner; however, you can do that directly through the Amazon EC2 API. The partner needs his or her own AWS Account. You simply use the Amazon EC2 ModifyImageAttribute action or ec2-modify-image-attribute command to specify the AWS Account ID you want to share the AMI with. For more information about ModifyImageAttribute, go to the Amazon Elastic Compute Cloud API Reference. For more information about ec2-modify-image-attribute, go to the Amazon Elastic Compute Cloud Command Line Reference.


Using Temporary Security Credentials

In addition to creating IAM users with their own security credentials, IAM also enables you to grant temporary security credentials to any user, allowing that user to access your AWS services and resources. You can manage users who have AWS accounts; these users are IAM users. You can also manage users for your system who do not have AWS accounts; these users are called federated users. Additionally, "users" can also be applications that you create to access your AWS resources.

You can use these temporary security credentials in making requests to Amazon EC2. The API libraries compute the necessary signature value using those credentials to authenticate your request. If you send requests using expired credentials, Amazon EC2 denies the request.

For more information about IAM support for temporary security credentials, go to Granting Temporary Access to Your AWS Resources in Using IAM.

Example Using Temporary Security Credentials to Authenticate an Amazon EC2 Request

The following example demonstrates how to obtain temporary security credentials to authenticate an Amazon EC2 request.

https://ec2.amazonaws.com/?Action=DescribeInstances
&InstanceId.0=I-45fa2e72
&Signature=Dqlp3Sd6ljTUA9Uf6SGtEExwUQEXAMPLE
&SignatureVersion=2
&SignatureMethod=HmacSHA256
&Timestamp=2010-03-31T12%3A00%3A00.000Z
&SecurityToken=Security Token Value
&AWSAccessKeyId=Access Key ID provided by AWS Security Token Service
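How the query above is assembled and checked, as an added Python example that is not part of the guide: it computes a Signature Version 2 (HmacSHA256) signature over the request parameters, carries the temporary credentials' session token as SecurityToken, and shows the server-side view in which a bad signature or expired credentials is denied. The access key, secret, token and epoch times are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

HOST = "ec2.amazonaws.com"

def canonical_query(params):
    # SigV2: parameters sorted by byte order, RFC 3986 percent-encoding
    # (only A-Z a-z 0-9 - _ . ~ left unencoded), joined with & and =.
    enc = lambda s: quote(str(s), safe="-_.~")
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))

def sign_v2(params, secret_key, method="GET", host=HOST, path="/"):
    # The string to sign has four lines: method, host, path, canonical query.
    string_to_sign = "\n".join([method, host, path, canonical_query(params)])
    mac = hmac.new(secret_key.encode(), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def build_request(action_params, access_key_id, secret_key, security_token, timestamp):
    # Temporary credentials: the STS access key and secret sign the request and
    # the session token travels as the SecurityToken parameter, as in the page.
    params = dict(action_params)
    params.update({
        "AWSAccessKeyId": access_key_id,
        "SecurityToken": security_token,
        "SignatureVersion": "2",
        "SignatureMethod": "HmacSHA256",
        "Timestamp": timestamp,
    })
    params["Signature"] = sign_v2(params, secret_key)
    return f"https://{HOST}/?{canonical_query(params)}"

def verify_request(url, secret_key, token_expiry_epoch, now_epoch):
    # Server-side view: recompute the signature over every parameter except
    # Signature, compare in constant time, then refuse expired credentials.
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("Signature", "")
    expected = sign_v2(params, secret_key, host=parts.netloc, path=parts.path)
    if not hmac.compare_digest(presented, expected):
        return "SignatureDoesNotMatch"
    if now_epoch >= token_expiry_epoch:
        return "ExpiredToken"
    return "OK"
```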