Grant IAM permissions to use EC2 Instance Connect Endpoint
To create or use an EC2 Instance Connect Endpoint, you must create an IAM policy that grants your users permissions for the following:
- Create, describe, and delete EC2 Instance Connect Endpoints
- Use the ec2-instance-connect:OpenTunnel action to use EC2 Instance Connect Endpoint to connect to instances
For information about creating IAM policies, see Creating IAM policies in the IAM User Guide.
Example IAM policies for EC2 Instance Connect Endpoint
Allow users to create, describe, and delete EC2 Instance Connect Endpoints
To create an EC2 Instance Connect Endpoint, users require permissions for the following actions:
- ec2:CreateInstanceConnectEndpoint
- ec2:CreateNetworkInterface
- ec2:CreateTags
- iam:CreateServiceLinkedRole
To describe and delete EC2 Instance Connect Endpoints, users require permissions for the following actions:
- ec2:DescribeInstanceConnectEndpoints
- ec2:DeleteInstanceConnectEndpoint
You can create a policy that grants permission to create, describe, and delete
EC2 Instance Connect Endpoints in all subnets. Alternatively, you can restrict actions for
specified subnets only by specifying the subnet ARNs as the allowed
Resource or by using the ec2:SubnetID condition key.
You can also use the aws:ResourceTag condition key to explicitly allow
or deny endpoint creation with certain tags. For more information, see Policies
and permissions in IAM in the IAM User Guide.
Example IAM policy
In the following example IAM policy, the Resource section grants
permission to create and delete endpoints in all subnets, specified by the asterisk
(*). The ec2:Describe* API actions do not support
resource-level permissions. Therefore, the * wildcard is necessary in
the Resource element.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GrantAllActionsInAllSubnets",
      "Action": [
        "ec2:CreateInstanceConnectEndpoint",
        "ec2:DeleteInstanceConnectEndpoint",
        "ec2:CreateNetworkInterface",
        "ec2:CreateTags",
        "iam:CreateServiceLinkedRole"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:ec2:region:account-id:subnet/*"
    },
    {
      "Action": [
        "ec2:CreateNetworkInterface"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:ec2:::security-group/*"
    },
    {
      "Sid": "DescribeInstanceConnectEndpoints",
      "Action": [
        "ec2:DescribeInstanceConnectEndpoints"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Allow users to use EC2 Instance Connect Endpoint to connect to instances
The ec2-instance-connect:OpenTunnel action grants permission to
establish a TCP connection to an instance to connect over the EC2 Instance Connect Endpoint. You
can specify the EC2 Instance Connect Endpoint to use. Alternatively, a Resource with
an asterisk (*) allows users to use any available EC2 Instance Connect Endpoint. You
can also restrict access to instances based on the presence or absence of resource
tags as condition keys.
Conditions
- ec2-instance-connect:remotePort – Specifies the port on the instance that can be used to establish a TCP connection. When this condition key is used, attempting to connect to an instance on any port other than the port specified in the policy results in a failure.
- ec2-instance-connect:privateIpAddress – Specifies the destination private IP address associated with the instance that you want to establish a TCP connection with. You can specify a single IP address, such as 10.0.0.1/32, or a range of IPs through CIDRs, such as 10.0.1.0/28. When this condition key is used, attempting to connect to an instance with a different private IP address or outside the CIDR range results in a failure.
- ec2-instance-connect:maxTunnelDuration – Specifies the maximum duration for an established TCP connection. The unit is seconds and the duration ranges from a minimum of 1 second to a maximum of 3,600 seconds (1 hour). If the condition is not specified, the default duration is set to 3,600 seconds (1 hour). Attempting to connect to an instance for longer than the specified duration in the IAM policy or for longer than the default maximum results in a failure. The connection is disconnected after the specified duration. If maxTunnelDuration is specified in the IAM policy and the value specified is less than 3,600 seconds (the default), then you must specify --max-tunnel-duration in the command when connecting to an instance. For information about how to connect to an instance, see Connect using EC2 Instance Connect Endpoint to a Linux instance.
A user can also be granted access to establish connections to instances based on the presence of resource tags on the EC2 Instance Connect Endpoint. For more information, see Policies and permissions in IAM in the IAM User Guide.
The ec2-instance-connect:SendSSHPublicKey action grants permission to
push the public key to an instance. The ec2:osuser condition specifies
the name of the OS (operating system) user that can push the public key to an
instance. Use the default
user name for the AMI that you used to launch the instance. For more
information, see Grant IAM permissions for
EC2 Instance Connect.
Example IAM policy
The following example IAM policy allows an IAM principal to connect to an
instance using only the specified EC2 Instance Connect Endpoint, identified by the specified
endpoint ID eice-123456789abcdef. The connection is successfully
established only if all the conditions are satisfied, for example, if the SSH
connection is established on port 22 of the instance, if the private IP address of
the instance lies within the range of 10.0.1.0/31 (between
10.0.1.0 and 10.0.1.1), and the
maxTunnelDuration is less than or equal to 3600
seconds. The connection is disconnected after 3600 seconds (1
hour).
The ec2:Describe* API actions do not support resource-level
permissions. Therefore, the * wildcard is necessary in the
Resource element.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2InstanceConnect",
      "Action": "ec2-instance-connect:OpenTunnel",
      "Effect": "Allow",
      "Resource": "arn:aws:ec2:region:account-id:instance-connect-endpoint/eice-123456789abcdef",
      "Condition": {
        "NumericEquals": {
          "ec2-instance-connect:remotePort": "22"
        },
        "IpAddress": {
          "ec2-instance-connect:privateIpAddress": "10.0.1.0/31"
        },
        "NumericLessThanEquals": {
          "ec2-instance-connect:maxTunnelDuration": "3600"
        }
      }
    },
    {
      "Sid": "SSHPublicKey",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:osuser": "ami-username"
        }
      }
    },
    {
      "Sid": "Describe",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceConnectEndpoints"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Allow users to connect only from a specified source IP address range
The following example IAM policy allows an IAM principal to connect to an instance
on the condition that they are connecting from an IP address within the IP address range
specified in the policy. If the IAM principal calls OpenTunnel from an
IP address not within 192.0.2.0/24 (the example IP address range in
this policy), the response will be Access Denied. For more information,
see aws:SourceIp in the IAM User Guide.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2-instance-connect:OpenTunnel",
      "Resource": "arn:aws:ec2:region:account-id:instance-connect-endpoint/eice-123456789abcdef",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        },
        "NumericEquals": {
          "ec2-instance-connect:remotePort": "22"
        }
      }
    },
    {
      "Sid": "SSHPublicKey",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:osuser": "ami-username"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceConnectEndpoints"
      ],
      "Resource": "*"
    }
  ]
}
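To make the condition logic of the Conditions list and the two OpenTunnel policies above concrete, the following Python script is an added example (not AWS documentation code and not the IAM engine itself). It applies a simplified IAM-style evaluation to a constructed OpenTunnel statement that combines remotePort, privateIpAddress, maxTunnelDuration and aws:SourceIp, and shows that a request is allowed only when the endpoint ARN matches and every condition holds at once. The policy dictionary, the request contexts and the helper names (statement_allows, open_tunnel_allowed, example_results) are constructed for this illustration; a condition key missing from the request is treated as a non-match, which is how IAM evaluates a plain (non-IfExists) condition.

```python
import ipaddress
import json

# Constructed policy for this example (not the page's own JSON): one Allow statement for
# OpenTunnel on the page's placeholder endpoint ID, with all four condition keys combined.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EC2InstanceConnect",
            "Effect": "Allow",
            "Action": "ec2-instance-connect:OpenTunnel",
            "Resource": "arn:aws:ec2:region:account-id:instance-connect-endpoint/eice-123456789abcdef",
            "Condition": {
                "NumericEquals": {"ec2-instance-connect:remotePort": "22"},
                "IpAddress": {
                    "ec2-instance-connect:privateIpAddress": "10.0.1.0/31",
                    "aws:SourceIp": "192.0.2.0/24",
                },
                "NumericLessThanEquals": {"ec2-instance-connect:maxTunnelDuration": "3600"},
            },
        }
    ],
}

ENDPOINT = "arn:aws:ec2:region:account-id:instance-connect-endpoint/eice-123456789abcdef"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(operator, expected, actual):
    """Evaluate one condition operator; a key absent from the request never matches."""
    if actual is None:
        return False
    values = _as_list(expected)
    if operator == "NumericEquals":
        return any(int(actual) == int(v) for v in values)
    if operator == "NumericLessThanEquals":
        return any(int(actual) <= int(v) for v in values)
    if operator == "IpAddress":
        addr = ipaddress.ip_address(actual)
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if operator == "StringEquals":
        return any(actual == v for v in values)
    raise ValueError(f"unsupported operator {operator}")


def statement_allows(statement, action, resource, context):
    """True if this Allow statement covers action/resource and every condition block matches."""
    if statement.get("Effect") != "Allow" or action not in _as_list(statement["Action"]):
        return False
    resources = _as_list(statement["Resource"])
    if "*" not in resources and resource not in resources:
        return False
    for operator, keys in statement.get("Condition", {}).items():
        for key, expected in keys.items():
            if not _matches(operator, expected, context.get(key)):
                return False
    return True


def open_tunnel_allowed(policy, endpoint_arn, context):
    """Simplified evaluation: any matching Allow statement grants OpenTunnel.
    (An explicit Deny would override an Allow; the constructed policy has none.)"""
    return any(statement_allows(s, "ec2-instance-connect:OpenTunnel", endpoint_arn, context)
               for s in policy["Statement"])


def example_results():
    """Constructed request contexts showing that all conditions must hold simultaneously."""
    base = {
        "ec2-instance-connect:remotePort": "22",
        "ec2-instance-connect:privateIpAddress": "10.0.1.1",
        "ec2-instance-connect:maxTunnelDuration": "3600",
        "aws:SourceIp": "192.0.2.77",
    }
    other_endpoint = "arn:aws:ec2:region:account-id:instance-connect-endpoint/eice-other-placeholder"
    return {
        "all_conditions_met": open_tunnel_allowed(POLICY, ENDPOINT, base),
        "wrong_port": open_tunnel_allowed(POLICY, ENDPOINT, {**base, "ec2-instance-connect:remotePort": "3389"}),
        "ip_outside_cidr": open_tunnel_allowed(POLICY, ENDPOINT, {**base, "ec2-instance-connect:privateIpAddress": "10.0.1.2"}),
        "duration_too_long": open_tunnel_allowed(POLICY, ENDPOINT, {**base, "ec2-instance-connect:maxTunnelDuration": "7200"}),
        "source_ip_outside_range": open_tunnel_allowed(POLICY, ENDPOINT, {**base, "aws:SourceIp": "198.51.100.5"}),
        "duration_not_sent": open_tunnel_allowed(POLICY, ENDPOINT, {k: v for k, v in base.items() if k != "ec2-instance-connect:maxTunnelDuration"}),
        "other_endpoint": open_tunnel_allowed(POLICY, other_endpoint, base),
    }


if __name__ == "__main__":
    print(json.dumps(example_results(), indent=2))
```

The duration_not_sent case is the one the maxTunnelDuration bullet warns about: once the policy constrains that key, a connection request that omits the value does not satisfy the condition, which is why the connect command has to pass --max-tunnel-duration explicitly. Use this script to reason about a draft policy before deploying it, and confirm the real behaviour with the IAM policy simulator or a test connection.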