Amazon Elastic Compute Cloud
User Guide (API Version 2014-06-15)
« PreviousNext »
View the PDF for this guide.Go to the AWS Discussion Forum for this product.Go to the Kindle Store to download this guide in Kindle format.Did this page help you?  Yes | No |  Tell us about it...

Controlling Access to Amazon EC2 Resources

Your security credentials identify you to services in AWS and grant you unlimited use of your AWS resources, such as your Amazon EC2 resources. You can use features of Amazon EC2 and AWS Identity and Access Management (IAM) to allow other users, services, and applications to use your Amazon EC2 resources without sharing your security credentials. You can choose to allow full use or limited use of your Amazon EC2 resources.

Network Access to Your Instance

A security group acts as a firewall that controls the traffic allowed to reach one or more instances. When you launch an instance, you assign it one or more security groups. You add rules to each security group that control traffic for the instance. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances to which the security group is assigned.

For more information, see Authorizing Inbound Traffic for Your Instances.

Amazon EC2 Permission Attributes

Your organization might have multiple AWS accounts. Amazon EC2 enables you to specify additional AWS accounts that can use your Amazon Machine Images (AMIs) and Amazon EBS snapshots. These permissions work at the AWS account level only; you can't restrict permissions for specific users within the specified AWS account. All users in the AWS account that you've specified can use the AMI or snapshot.

Each AMI has a LaunchPermission attribute that controls which AWS accounts can access the AMI. For more information, see Making an AMI Public.

Each Amazon EBS snapshot has a createVolumePermission attribute that controls which AWS accounts can use the snapshot. For more information, see Sharing Snapshots.

IAM and Amazon EC2

IAM enables you to do the following:

  • Create users and groups under your AWS account

  • Assign unique security credentials to each user under your AWS account

  • Control each user's permissions to perform tasks using AWS resources

  • Allow the users in another AWS account to share your AWS resources

  • Create roles for your AWS account and define the users or services that can assume them

  • Use existing identities for your enterprise to grant permissions to perform tasks using AWS resources

By using IAM with Amazon EC2, you can control whether users in your organization can perform a task using specific Amazon EC2 API actions and whether they can use specific AWS resources.

This topic helps you answer the following questions:

  • How do I create groups and users in IAM?

  • How do I create a policy?

  • What IAM policies do I need to carry out tasks in Amazon EC2?

  • How do I grant permissions to perform actions in Amazon EC2?

  • How do I grant permissions to perform actions on specific resources in Amazon EC2?

Creating an IAM Group and Users

To create an IAM group and users

  1. Open the IAM console.

  2. From the dashboard, click Create a New Group of Users.

  3. On the GROUP NAME page, specify the name of the group.

  4. On the PERMISSIONS page, specify the policies for the group. You can select a policy template or create custom policies. For example, for Amazon EC2, one of the following policy templates might meet your needs:

    • Power User Access

    • Read Only Access

    • Amazon EC2 Full Access

    • Amazon EC2 Read Only Access

    For more information about creating custom policies, see IAM Policies for Amazon EC2.

  5. On the USERS page, enter one or more user names. If the users will use the CLI or API, select Generate an access key for each User. Click Continue.

  6. If you had IAM generate access keys, click Download Credentials or Show User Security Credentials and save the access keys. As indicated on the dialog box, this is your only chance to retrieve and save your secret access key.

  7. If the users will use the console, click Users in the navigation pane and do the following for each user:

    1. Select the user.

    2. Click the Security Credentials tab in the details pane.

    3. Under Sign-In Credentials, click Manage Password.

    4. In the Manage Password dialog box, select an option and click Apply.

    5. Click Download Credentials or Show User Security Credentials and save the password.

  8. Give each user his or her credentials (access keys and password); this enables them to use services based on the permissions you specified for the IAM group.

For more information about IAM, see the following: