Do you want to control who can set up and manage your virtual private clouds (VPC)? Do you want to control who can do tasks such as attaching an Internet gateway or defining security groups and network ACLs? You can use AWS Identity and Access Management (IAM) to create and manage users in your account. A user is either a person or an application that needs to interact with AWS. With IAM, you can centrally manage your account's users, their security credentials such as access keys, and permissions that control which AWS resources the users can access.
For Amazon VPC and Amazon EC2, you can use IAM to control which API actions a user has access to. For example, you could create a network administrators group of users in IAM, and then give only that group the permission to call actions in the Amazon EC2 API related to VPC creation and management. Therefore, not just anyone in your organization can make changes to the layout, routing, and security in your VPC.
Note
Currently, you can't use IAM to limit a user's access to a specific Amazon EC2 or Amazon VPC resource. You can only limit users' access to individual API actions. For example, you can't use IAM to prevent a user from accessing a particular instance or security group; the IAM permission applies to all instances or security groups.
IAM uses policies in JSON format to specify permissions for users. You create a policy and then attach it to the group of users you want the permissions to apply to. The next sections show some example policies you might find useful.
Note
IAM policies control access regardless of the interface. For example, you could provide a user with a login to the AWS Management Console, and the policies for that user would control what the user can do in the console. Or, you could provide the user with AWS access keys for making API calls to AWS, and the policies would control what actions the user could call through a library or client that uses those access keys for authentication.
For detailed information about setting up users in your account, policies, and IAM, go to Using AWS Identity and Access Management.
With IAM, you can manage groups and their access to your VPC resources programmatically using the JSON format or through the AWS Management Console. With both tools, you can create a group, such as Administrator, and grant it full access to your VPC. That group can perform a whole range of tasks such as creating and deleting VPCs and subnets, associating and disassociating route tables, and revoking security group access. Or, you can create a group with access limited to viewing a defined set of VPC resources.
This section shows you examples of IAM policies you can define using JSON and the AWS Management Console. In addition, this section also discusses what you can and cannot do, and how to work around current limitations.
Note
In the future, Amazon VPC might add new actions that should logically be included in one of the following policies, based on the policy's stated goals.
Following is an example policy you might give to a network administrator group that needs to create and manage your VPC. This policy gives the group access to API actions related to VPCs, subnets, Internet gateways, customer gateways, virtual private gateways, VPN connections, route tables, Elastic IP addresses, security groups, network ACLs, and DHCP options sets. The policy also allows the group to run, stop, start, and terminate instances. It also allows the group to list the account's resources. For a complete list of the possible actions for Amazon EC2 and Amazon VPC, go to Amazon Elastic Compute Cloud API Reference.
Note
The policy uses wildcards (for example, *SecurityGroup*) to specify all actions for each type of object. IAM matches action names case-insensitively and a * matches any run of characters, so ec2:*Gateway* covers the Internet gateway, customer gateway, and virtual private gateway actions alike. You could instead list each action explicitly. If you use the wildcards, be aware that if we add new actions whose names include any of the wildcarded strings in the policy, the policy automatically gives the group access to those new actions, so review the group's effective permissions whenever new Amazon EC2 actions are released.
To manage a VPC using JSON
Use the following policy as written, or replace each * wildcard with the explicit action names you want to grant (for example, ec2:CreateVpc, ec2:DeleteVpc, ec2:DescribeVpcs) if the grant should stay fixed as new actions are added.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*Vpc*",
        "ec2:*Subnet*",
        "ec2:*Gateway*",
        "ec2:*Vpn*",
        "ec2:*Route*",
        "ec2:*Address*",
        "ec2:*SecurityGroup*",
        "ec2:*NetworkAcl*",
        "ec2:*DhcpOptions*",
        "ec2:RunInstances",
        "ec2:StopInstances",
        "ec2:StartInstances",
        "ec2:TerminateInstances",
        "ec2:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
To manage a VPC using the AWS Management Console
Open the IAM console at https://console.aws.amazon.com/iam/.
In the Navigation pane, click Groups, and then select the group that you want to give full access to your VPC.
In the bottom pane, go to the Permissions tab and click Manage Policy.
In the Manage Group Permissions page, in the Policy Name drop-down menu, select AmazonVPCFullAccess and click Apply Policy.
Note
If you want only a subset of the privileges listed for the policy to apply to your users, edit the list in the Policy Document box and click Apply Policy.
In the following policy, you are giving users permission to view the Amazon VPC console in the AWS Management Console. They can't make any changes; they can only look at information related to your VPC and its components.
To grant read-only access to your VPC using JSON
Use the following sample code to allow a group to look at information about your VPC.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeCustomerGateways",
        "ec2:DescribeVpnGateways",
        "ec2:DescribeVpnConnections",
        "ec2:DescribeRouteTables",
        "ec2:DescribeAddresses",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeTags",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
To grant read-only access to your VPC using the AWS Management Console
Open the IAM console at https://console.aws.amazon.com/iam/.
In the Navigation pane, click Groups, and then select the group that you want to give read-only access to your VPC.
In the bottom pane, go to the Permissions tab and click Manage Policy. The Manage Group Permissions page appears.
In the Policy Name drop-down menu, select AmazonVPCReadOnlyAccess and click Apply Policy.
Note
If you want only a subset of the privileges listed for the policy to apply to your users, edit the list in the Policy Document box and click Apply Policy.
You can customize the access policies that can be granted to users of your VPC. In the following policy, you are assigning to a group of users permission to launch instances and list the Amazon EC2 and Amazon VPC resources that are available. This policy prevents the users from making any changes to your VPC's layout, routing, or security.
To grant launch instance privileges to your VPC using JSON
The following policy allows the group the listed actions and denies every other action. The users can launch, stop, start, and terminate instances, and describe any of the account's resources (that is, list them). The second statement protects against any other policy that might grant the user a wider range of API actions: an explicit Deny overrides any Allow, whichever policy the Allow comes from. Note that NotAction is not limited to the ec2: namespace, so the Deny statement also denies every action of every other AWS service to members of this group; use it only for a group that is meant to do nothing else in the account.
Note
The following policy prevents the users from creating or attaching Amazon EBS volumes to instances, or creating snapshots of volumes. It also prevents them from associating Elastic IP addresses with the instances. If the users need those capabilities, you could add the relevant API actions to the policy.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:StopInstances",
        "ec2:StartInstances",
        "ec2:TerminateInstances",
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "NotAction": [
        "ec2:RunInstances",
        "ec2:StopInstances",
        "ec2:StartInstances",
        "ec2:TerminateInstances",
        "ec2:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
To grant launch instance privileges to your VPC using the AWS Management Console
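The evaluation logic the three policies on this page rely on, as an added example rather than code from the page or from AWS: a small Python evaluator that applies IAM's precedence (an explicit Deny wins, otherwise a matching Allow grants, otherwise the request is implicitly denied) with the case-insensitive wildcard matching that Action and NotAction use. It embeds the network administrator policy and the launch-only policy from above and checks them against sample action names. Two of the inputs are there to show the caveats in the text: ec2:CreateExampleGateway is a hypothetical action name, not a real EC2 API, included to show how the *Gateway* wildcard would pick up a new action, and s3:ListBucket shows that the Deny/NotAction statement reaches beyond EC2. BROAD_EC2_POLICY is a constructed stand-in for "any other policy" the user might also carry.

```python
import fnmatch
import json

# The network administrator and launch-only policies from this page,
# unchanged apart from whitespace.
NETWORK_ADMIN_POLICY = json.loads("""{"Statement": [{"Effect": "Allow",
  "Action": ["ec2:*Vpc*", "ec2:*Subnet*", "ec2:*Gateway*", "ec2:*Vpn*",
             "ec2:*Route*", "ec2:*Address*", "ec2:*SecurityGroup*",
             "ec2:*NetworkAcl*", "ec2:*DhcpOptions*", "ec2:RunInstances",
             "ec2:StopInstances", "ec2:StartInstances",
             "ec2:TerminateInstances", "ec2:Describe*"],
  "Resource": "*"}]}""")

LAUNCH_ONLY_POLICY = json.loads("""{"Statement": [
  {"Effect": "Allow",
   "Action": ["ec2:RunInstances", "ec2:StopInstances", "ec2:StartInstances",
              "ec2:TerminateInstances", "ec2:Describe*"],
   "Resource": "*"},
  {"Effect": "Deny",
   "NotAction": ["ec2:RunInstances", "ec2:StopInstances", "ec2:StartInstances",
                 "ec2:TerminateInstances", "ec2:Describe*"],
   "Resource": "*"}]}""")

# Constructed: a broad grant that some other group membership might attach.
BROAD_EC2_POLICY = {"Statement": [{"Effect": "Allow", "Action": "ec2:*",
                                   "Resource": "*"}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_applies(statement, action):
    """True if the statement's Action or NotAction selects this action."""
    if "Action" in statement:
        return any(action_matches(p, action) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        # NotAction selects everything not listed, in every service.
        return not any(action_matches(p, action) for p in _as_list(statement["NotAction"]))
    return False


def evaluate(action, *policies):
    """Decide one API action against all attached policies.

    Precedence: explicit Deny, then Allow, then implicit deny.
    """
    decision = "implicit deny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not statement_applies(statement, action):
                continue
            if statement["Effect"] == "Deny":
                return "explicit deny"  # a Deny anywhere ends evaluation
            decision = "allow"
    return decision


def matching_patterns(policy, action):
    """The Allow patterns that match an action: shows what a wildcard pulled in."""
    return [p for s in policy["Statement"] for p in _as_list(s.get("Action", []))
            if action_matches(p, action)]


if __name__ == "__main__":
    checks = [
        ("ec2:AttachInternetGateway", NETWORK_ADMIN_POLICY),
        ("ec2:CreateVolume", NETWORK_ADMIN_POLICY),
        # hypothetical future action, not a real EC2 API: *Gateway* grants it
        ("ec2:CreateExampleGateway", NETWORK_ADMIN_POLICY),
        ("ec2:RunInstances", LAUNCH_ONLY_POLICY),
        ("ec2:CreateVolume", LAUNCH_ONLY_POLICY),
        ("s3:ListBucket", LAUNCH_ONLY_POLICY),  # NotAction is not limited to ec2:
    ]
    for action, policy in checks:
        print(f"{action:28} -> {evaluate(action, policy)}")
    print("ec2:DescribeVpnGateways matched by",
          matching_patterns(NETWORK_ADMIN_POLICY, "ec2:DescribeVpnGateways"))
    # The Deny/NotAction statement overrides a broader Allow attached elsewhere.
    print("ec2:CreateVolume with the broad policy too ->",
          evaluate("ec2:CreateVolume", BROAD_EC2_POLICY, LAUNCH_ONLY_POLICY))
```

The evaluator ignores Resource and Condition because the policies on this page use "*" and no conditions; it is enough to answer the two questions a reviewer of these policies asks, which actions a wildcard really covers and what the Deny/NotAction statement blocks.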
Open the IAM console at https://console.aws.amazon.com/iam/.
In the Navigation pane, click Groups, and then select the group that you want to give a defined set of access privileges to your VPC.
On the Permissions tab in the bottom pane, click Manage Policy. The Manage Group Permissions page appears.
Click View Policy Templates, select Custom Policy, and click Select. Paste the policy document shown above into the Policy Document box and click Apply Policy.
Note
If you want only a subset of the privileges listed for the policy to apply to your users, edit the list in the Policy Document box and click Apply Policy.
You can use IAM policies to specify which Amazon VPC actions a user in your AWS account can use with Amazon VPC resources in general. However, you can't specify a particular Amazon VPC resource, such as a specific VPC or subnet, in the IAM policy.
Important
Using Amazon VPC with IAM doesn't change how you use Amazon VPC. There are no changes to Amazon VPC actions, and no new Amazon VPC actions related to Users and access control.
For examples of policies that cover Amazon VPC actions, see Managing a VPC.
Amazon VPC does not use the Amazon Resource Name (ARN) format because you can't specify a particular Amazon VPC resource in an IAM policy. When writing a policy to control access to Amazon VPC actions, you use the * wildcard as the resource. For more information about ARNs, see ARNs.
In an IAM policy, you can specify any actions that Amazon VPC offers. You must prefix them with the lowercase string ec2:. For example: ec2:CreateCustomerGateway, ec2:*VpnGateway*, or ec2:* (for all Amazon VPC and Amazon EC2 actions). For a list of the actions, refer to the Amazon Elastic Compute Cloud API Reference.
Amazon EC2 (and thus Amazon VPC) implements the following AWS-wide policy keys, but no others. For more information about policy keys, see Available Keys.
AWS-Wide Policy Keys
aws:CurrentTime—To check for date/time conditions.
aws:EpochTime—To check for date/time conditions using a date in epoch or UNIX time.
aws:MultiFactorAuthAge—To check how long ago (in seconds) the MFA-validated security credentials making the request were issued using Multi-Factor Authentication (MFA). Unlike other keys, if MFA is not used, this key is not present, so a condition that tests it does not match for requests made without MFA.
aws:principaltype—To check the type of principal (user, account, federated user, etc.) for the current request.
aws:SecureTransport—To check whether the request was sent using SSL. For services that use only SSL, such as Amazon RDS and Amazon Route 53, the aws:SecureTransport key has no meaning.
aws:SourceArn—To check the source of the request, using the Amazon Resource Name (ARN) of the source. (This value is available for only some services. For more information, see Amazon Resource Name (ARN) under "Element Descriptions" in the Amazon Simple Queue Service Developer Guide.)
aws:SourceIp—To check the IP address of the requester. Note that if you use aws:SourceIp, and the request comes from an Amazon EC2 instance, the public IP address of the instance is evaluated.
aws:UserAgent—To check the client application that made the request. The value comes from an HTTP header the caller controls, so it can be set to anything and should not be relied on as an access control.
aws:userid—To check the user ID of the requester.
aws:username—To check the user name of the requester, if available.
Note
Condition key names are not case sensitive. Whether values are compared case-sensitively depends on the operator: StringEquals and StringLike compare exactly, while StringEqualsIgnoreCase does not.
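How a Condition block built from these keys is decided against a request, as an added example that is not code from the page or from AWS: a Python function implementing the operators these keys are normally used with (IpAddress and NotIpAddress for aws:SourceIp, Bool for aws:SecureTransport, NumericLessThan for aws:MultiFactorAuthAge, StringEquals and StringLike for the string keys) with IAM's combination rules, every operator/key pair must hold, the values listed for one key are alternatives, and a key absent from the request never satisfies a positive operator but does satisfy a negated one. The condition blocks and request contexts below are constructed for the example; the office address ranges are RFC 5737 documentation prefixes.

```python
import fnmatch
import ipaddress


def _as_list(value):
    return list(value) if isinstance(value, list) else [value]


# Comparators: (value written in the policy, value from the request) -> bool.
_COMPARE = {
    "StringEquals": lambda want, got: want == got,
    "StringEqualsIgnoreCase": lambda want, got: want.lower() == got.lower(),
    "StringLike": lambda want, got: fnmatch.fnmatchcase(got, want),
    "Bool": lambda want, got: str(want).lower() == str(got).lower(),
    "NumericLessThan": lambda want, got: float(got) < float(want),
    "NumericGreaterThan": lambda want, got: float(got) > float(want),
    "IpAddress": lambda want, got: ipaddress.ip_address(got) in ipaddress.ip_network(want, strict=False),
}
# Negated operators hold only if none of the policy values match.
_NEGATED = {"StringNotEquals": "StringEquals", "StringNotLike": "StringLike",
            "NotIpAddress": "IpAddress"}


def _lookup(context, key):
    """Fetch a condition key from the request context; key names ignore case."""
    for name, value in context.items():
        if name.lower() == key.lower():
            return value
    return None


def condition_matches(condition, context):
    """True if the Condition block holds for this request context.

    A key missing from the request fails a positive operator, which is why a
    NumericLessThan test on aws:MultiFactorAuthAge fails for requests made
    without MFA. A missing key satisfies a negated operator, so a Deny built
    on NotIpAddress also denies requests that carry no aws:SourceIp at all.
    """
    for operator, keys in condition.items():
        negated = operator in _NEGATED
        compare = _COMPARE[_NEGATED.get(operator, operator)]
        for key, wanted in keys.items():
            got = _lookup(context, key)
            if got is None:
                if negated:
                    continue
                return False
            matched = any(compare(w, got) for w in _as_list(wanted))
            if matched == negated:
                return False
    return True


# Constructed: an Allow condition for office addresses, TLS only, MFA < 1 hour.
OFFICE_MFA_CONDITION = {
    "IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.10/32"]},
    "Bool": {"aws:SecureTransport": "true"},
    "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"},
}
# Constructed: the condition a Deny statement would use to block everything
# that does not come from the office range.
OUTSIDE_OFFICE_CONDITION = {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}

# Constructed request contexts; AWS fills real ones in per request.
REQUESTS = {
    "office, tls, fresh mfa": {"aws:SourceIp": "203.0.113.45",
                               "aws:SecureTransport": "true",
                               "aws:MultiFactorAuthAge": "900"},
    "office, tls, no mfa": {"aws:SourceIp": "203.0.113.45",
                            "aws:SecureTransport": "true"},
    "office, tls, stale mfa": {"aws:SourceIp": "203.0.113.45",
                               "aws:SecureTransport": "true",
                               "aws:MultiFactorAuthAge": "7200"},
    "elsewhere, tls, fresh mfa": {"aws:SourceIp": "192.0.2.8",
                                  "aws:SecureTransport": "true",
                                  "aws:MultiFactorAuthAge": "900"},
    "office, no tls, fresh mfa": {"aws:SourceIp": "203.0.113.45",
                                  "aws:SecureTransport": "false",
                                  "aws:MultiFactorAuthAge": "900"},
}

if __name__ == "__main__":
    for label, ctx in REQUESTS.items():
        print(f"{label:28} allow-condition={condition_matches(OFFICE_MFA_CONDITION, ctx)!s:5} "
              f"deny-condition={condition_matches(OUTSIDE_OFFICE_CONDITION, ctx)}")
    print("no aws:SourceIp in context   deny-condition =",
          condition_matches(OUTSIDE_OFFICE_CONDITION, {}))
```

The last line of output is the one to remember when writing Deny statements with NotIpAddress: a request that reaches the service without a source IP in its context is denied along with the outsiders, so pair such a Deny with a positive Allow condition rather than relying on it alone.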