I have an IAM user who launches a CloudFormation stack containing:
- an EC2 Instance
- an IAM Instance Profile, associated with
- an IAM Role
In the AWS::CloudFormation::Init block, the EC2 instance performs some actions that require calling some ec2:* API actions. However, this instance should ONLY be able to invoke these actions on the instance itself.
The user who launches the stack has the right to attach only a set of predefined policies and to create roles. Something like this:
"CloudFormationStackLauncher": {
    "Type": "AWS::IAM::ManagedPolicy",
    "Properties": {
        "Description": "Allows attached entity to attach and detach required policies from roles it creates.",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "iam:AttachRolePolicy",
                        "iam:DetachRolePolicy"
                    ],
                    "Resource": "*",
                    "Condition": {
                        "ArnEquals": {
                            "iam:PolicyArn": [
                                "arn:aws:iam:::policy/InstanceThatCanManageItself"
                            ]
                        }
                    }
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "iam:CreateRole"
                    ],
                    "Resource": "*"
                }
            ]
        }
    }
}
So I need a definition for the InstanceThatCanManageItself policy (which must be predefined by a user with full administrator rights). Ideally, it would look like this:
{
    "Effect": "Allow",
    "Action": [
        "ec2:*"
    ],
    "Resource": [
        "${ec2:SourceInstanceARN}"
    ]
}
[...] ec2:SourceInstanceARN [...] ARN. EC2 [...]:
{
    "Effect": "Allow",
    "Action": [
        "ec2:*"
    ],
    "Resource": [
        "*"
    ],
    "Condition": {
        "StringLike": {
            "ec2:ResourceTag/role": "${aws:userid}"
        }
    }
}
EC2 [...] "RoleId:InstanceId" [...] ${aws:userid} [...]: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html [...] ResourceTag [...]
[...]?
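To make the tag-scoped variant above concrete, here is an added example (not part of the original question, and not AWS's policy engine) that simulates how IAM would evaluate the InstanceThatCanManageItself policy for requests made with instance-profile credentials. It models only the pieces the question uses: Allow statements, Action/Resource wildcards, StringLike and ArnEquals conditions, and substitution of the ${aws:userid} variable, which for instance-profile credentials takes the form "RoleId:InstanceId". The role ID, instance IDs, account and region are constructed sample data, and the evaluator is a deliberate simplification of IAM semantics.

```python
"""Toy evaluator for the tag-scoped EC2 self-management policy.

Added example, not from the original question. It approximates IAM for
Allow statements, wildcard Action/Resource matching, StringLike/ArnEquals
conditions and ${aws:userid} substitution. All IDs are constructed.
"""
import fnmatch

# The policy under discussion: ec2:* on any resource, but only when the
# target's "role" tag equals the caller's aws:userid.
INSTANCE_THAT_CAN_MANAGE_ITSELF = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:*"],
            "Resource": ["*"],
            "Condition": {
                "StringLike": {"ec2:ResourceTag/role": "${aws:userid}"}
            },
        }
    ],
}


def instance_role_userid(role_id: str, instance_id: str) -> str:
    """aws:userid for instance-profile credentials: "<RoleId>:<InstanceId>"."""
    return f"{role_id}:{instance_id}"


def request_context(caller_userid: str, target_tags: dict) -> dict:
    """Context keys IAM would see: caller identity plus the target's tags."""
    ctx = {"aws:userid": caller_userid}
    for key, value in target_tags.items():
        ctx[f"ec2:ResourceTag/{key}"] = value
    return ctx


def _substitute(value: str, ctx: dict) -> str:
    """Replace ${key} policy variables with values from the request context."""
    for key, val in ctx.items():
        value = value.replace("${" + key + "}", val)
    return value


def _condition_ok(condition: dict, ctx: dict) -> bool:
    """Evaluate StringLike/ArnEquals blocks; a missing context key fails the test."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:           # e.g. an untagged instance
                return False
            patterns = expected if isinstance(expected, list) else [expected]
            patterns = [_substitute(p, ctx) for p in patterns]
            if operator == "StringLike":
                if not any(fnmatch.fnmatchcase(actual, p) for p in patterns):
                    return False
            elif operator == "ArnEquals":
                if actual not in patterns:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def is_allowed(policy: dict, action: str, resource_arn: str, ctx: dict) -> bool:
    """Default deny; True if any Allow statement matches action, resource and conditions."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # Action names are case-insensitive in IAM; ARNs are not.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue
        if not _condition_ok(stmt.get("Condition", {}), ctx):
            continue
        return True
    return False


def demo() -> dict:
    """Instance A (tagged with its own userid) may stop itself, not B or an untagged instance."""
    role_id = "AROAEXAMPLEROLEID"                          # constructed
    me, other = "i-0aaa111122223333a", "i-0bbb444455556666b"  # constructed
    my_userid = instance_role_userid(role_id, me)
    # Each instance carries role=<its own userid>, as the question proposes.
    tags = {me: {"role": my_userid},
            other: {"role": instance_role_userid(role_id, other)}}
    prefix = "arn:aws:ec2:us-east-1:123456789012:instance/"  # constructed
    results = {}
    for target in (me, other):
        results[target] = is_allowed(INSTANCE_THAT_CAN_MANAGE_ITSELF, "ec2:StopInstances",
                                     prefix + target, request_context(my_userid, tags[target]))
    results["untagged"] = is_allowed(INSTANCE_THAT_CAN_MANAGE_ITSELF, "ec2:StopInstances",
                                     prefix + "i-0ccc777788889999c", request_context(my_userid, {}))
    return results


if __name__ == "__main__":
    print(demo())
```

The evaluator shows why the tag approach scopes correctly (the condition only matches when the target's tag equals the caller's own "RoleId:InstanceId"), and also the failure mode: an instance with no "role" tag, or one tagged before its role ID is known, is simply denied. A real policy would additionally need an unconditioned statement for ec2:Describe* calls, which do not support resource-level permissions or ec2:ResourceTag conditions.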