Grant IAM permissions to use EC2 Instance Connect Endpoint - Amazon Elastic Compute Cloud

Grant IAM permissions to use EC2 Instance Connect Endpoint

To create or use an EC2 Instance Connect Endpoint, you must create an IAM policy that grants your users permissions for the following:

  • Create, describe, and delete EC2 Instance Connect Endpoints

  • Use the ec2-instance-connect:OpenTunnel action to use EC2 Instance Connect Endpoint to connect to instances

For information about creating IAM policies, see Creating IAM policies in the IAM User Guide.

Allow users to create, describe, and delete EC2 Instance Connect Endpoints

To create an EC2 Instance Connect Endpoint, users require permissions for the following actions:

  • ec2:CreateInstanceConnectEndpoint

  • ec2:CreateNetworkInterface

  • ec2:CreateTags

  • iam:CreateServiceLinkedRole

To describe and delete EC2 Instance Connect Endpoints, users require permissions for the following actions:

  • ec2:DescribeInstanceConnectEndpoints

  • ec2:DeleteInstanceConnectEndpoint

You can create a policy that grants permission to create, describe, and delete EC2 Instance Connect Endpoints in all subnets. Alternatively, you can restrict actions for specified subnets only by specifying the subnet ARNs as the allowed Resource or by using the ec2:SubnetID condition key. You can also use the aws:ResourceTag condition key to explicitly allow or deny endpoint creation with certain tags. For more information, see Policies and permissions in IAM in the IAM User Guide.

Example IAM policy

In the following example IAM policy, the Resource section grants permission to create and delete endpoints in all subnets, specified by the asterisk (*). The ec2:Describe* API actions do not support resource-level permissions. Therefore, the * wildcard is necessary in the Resource element.

{ "Version": "2012-10-17", "Statement": [{ "Sid": "GrantAllActionsInAllSubnets", "Action": [ "ec2:CreateInstanceConnectEndpoint", "ec2:DeleteInstanceConnectEndpoint", "ec2:CreateNetworkInterface", "ec2:CreateTags", "iam:CreateServiceLinkedRole" ], "Effect": "Allow", "Resource": "arn:aws:ec2:region:account-id:subnet/*" }, { "Action": [ "ec2:CreateNetworkInterface" ], "Effect": "Allow", "Resource": "arn:aws:ec2:::security-group/*" }, { "Sid": "DescribeInstanceConnectEndpoints", "Action": [ "ec2:DescribeInstanceConnectEndpoints" ], "Effect": "Allow", "Resource": "*" } ] }

Allow users to use EC2 Instance Connect Endpoint to connect to instances

The ec2-instance-connect:OpenTunnel action grants permission to establish a TCP connection to an instance to connect over the EC2 Instance Connect Endpoint. You can specify the EC2 Instance Connect Endpoint to use. Alternatively, a Resource with an asterisk (*) allows users to use any available EC2 Instance Connect Endpoint. You can also restrict access to instances based on the presence or absence of resource tags as condition keys.

Conditions
  • ec2-instance-connect:remotePort – Specifies the port on the instance that can be used to establish a TCP connection. When this condition key is used, attempting to connect to an instance on any other port other than the port specified in the policy results in a failure.

  • ec2-instance-connect:privateIpAddress – Specifies the destination private IP address associated with the instance that you want to establish a TCP connection with. You can specify a single IP address, such as 10.0.0.1/32, or a range of IPs through CIDRs, such as 10.0.1.0/28. When this condition key is used, attempting to connect to an instance with a different private IP address or outside the CIDR range results in a failure.

  • ec2-instance-connect:maxTunnelDuration – Specifies the maximum duration for an established TCP connection. The unit is seconds and the duration ranges from a minimum of 1 second to a maximum of 3,600 seconds (1 hour). If the condition is not specified, the default duration is set to 3,600 seconds (1 hour). Attempting to connect to an instance for longer than the specified duration in the IAM policy or for longer than the default maximum results in a failure. The connection is disconnected after the specified duration.

    If maxTunnelDuration is specified in the IAM policy and the value specified is less than 3,600 seconds (the default), then you must specify --max-tunnel-duration in the command when connecting to an instance. For information about how to connect to an instance, see Connect using EC2 Instance Connect Endpoint to a Linux instance.

A user can also be granted access to establish connections to instances based on the presence of resource tags on the EC2 Instance Connect Endpoint. For more information, see Policies and permissions in IAM in the IAM User Guide.

The ec2-instance-connect:SendSSHPublicKey action grants permission to push the public key to an instance. The ec2:osuser condition specifies the name of the OS (operating system) user that can push the public key to an instance. Use the default user name for the AMI that you used to launch the instance. For more information, see Grant IAM permissions for EC2 Instance Connect.

Example IAM policy

The following example IAM policy allows an IAM principal to connect to an instance using only the specified EC2 Instance Connect Endpoint, identified by the specified endpoint ID eice-123456789abcdef. The connection is successfully established only if all the conditions are satisfied, for example, if the SSH connection is established on port 22 of the instance, if the private IP address of the instance lies within the range of 10.0.1.0/31 (between 10.0.1.0 and 10.0.1.1), and the maxTunnelDuration is less than or equal to 3600 seconds. The connection is disconnected after 3600 seconds (1 hour).

The ec2:Describe* API actions do not support resource-level permissions. Therefore, the * wildcard is necessary in the Resource element.

{ "Version": "2012-10-17", "Statement": [{ "Sid": "EC2InstanceConnect", "Action": "ec2-instance-connect:OpenTunnel", "Effect": "Allow", "Resource": "arn:aws:ec2:region:account-id:instance-connect-endpoint/eice-123456789abcdef", "Condition": { "NumericEquals": { "ec2-instance-connect:remotePort": "22" }, "IpAddress": { "ec2-instance-connect:privateIpAddress": "10.0.1.0/31" }, "NumericLessThanEquals": { "ec2-instance-connect:maxTunnelDuration": "3600" } } }, { "Sid": "SSHPublicKey", "Effect": "Allow", "Action": "ec2-instance-connect:SendSSHPublicKey", "Resource": "*", "Condition": { "StringEquals": { "ec2:osuser": "ami-username" } } }, { "Sid": "Describe", "Action": [ "ec2:DescribeInstances", "ec2:DescribeInstanceConnectEndpoints" ], "Effect": "Allow", "Resource": "*" } ] }

Allow users to connect only from a specified source IP address range

The following example IAM policy allows an IAM principal to connect to an instance on condition they are connecting from an IP address within the IP address range specified in the policy. If the IAM principal calls OpenTunnel from an IP address not within 192.0.2.0/24 (the example IP address range in this policy), the response will be Access Denied. For more information, see aws:SourceIp in the IAM User Guide.

{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2-instance-connect:OpenTunnel", "Resource": "arn:aws:ec2:region:account-id:instance-connect-endpoint/eice-123456789abcdef", "Condition": { "IpAddress": { "aws:SourceIp": "192.0.2.0/24" }, "NumericEquals": { "ec2-instance-connect:remotePort": "22" } } }, { "Sid": "SSHPublicKey", "Effect": "Allow", "Action": "ec2-instance-connect:SendSSHPublicKey", "Resource": "*", "Condition": { "StringEquals": { "ec2:osuser": "ami-username" } } }, { "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeInstanceConnectEndpoints" ], "Resource": "*" } ] }