Identity and Access Management integration for Image Builder - EC2 Image Builder

Audience

How you use AWS Identity and Access Management (IAM) differs, depending on the work that you do in Image Builder.

Service user – If you use the Image Builder service to do your job, then your administrator provides you with the credentials and permissions that you need. As you use more Image Builder features to do your work, you might need additional permissions. Understanding how access is managed can help you request the right permissions from your administrator. If you cannot access a feature in Image Builder, see Troubleshoot IAM issues in Image Builder.

Service administrator – If you're in charge of Image Builder resources at your company, you probably have full access to Image Builder. It's your job to determine which Image Builder features and resources your service users should access. You must then submit requests to your IAM administrator to change the permissions of your service users. Review the information on this page to understand the basic concepts of IAM. To learn more about how your company can use IAM with Image Builder, see How Image Builder works with IAM policies and roles.

IAM administrator – If you're an IAM administrator, you might want to learn details about how you can write policies to manage access to Image Builder. To view example Image Builder identity-based policies that you can use in IAM, see Image Builder identity-based policies.

Authenticating with identities

For detailed information about how to provide authentication for people and processes in your AWS account, see Identities in the IAM User Guide.

Image Builder resource-based policies

For information about how to create a component, see Use components to customize your Image Builder image.

Restricting Image Builder component access to specific IP addresses

The following example grants permissions to any user to perform any Image Builder operations on components. However, the request must originate from the range of IP addresses specified in the condition.

The condition in this statement identifies the 54.240.143.* range of allowed Internet Protocol version 4 (IPv4) IP addresses, with one exception: 54.240.143.188.

The Condition block uses the IpAddress and NotIpAddress condition operators with the aws:SourceIp condition key, which is an AWS-wide condition key. For more information about these condition keys, see Specifying Conditions in a Policy. The aws:SourceIp IPv4 values use standard CIDR notation. For more information, see IP Address Condition Operators in the IAM User Guide.

```json
{
  "Version": "2012-10-17",
  "Id": "IBPolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "imagebuilder:GetComponent",
      "Resource": "arn:aws:imagebuilder:::examplecomponent/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
        "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
      }
    }
  ]
}
```
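To make the Condition semantics concrete, the following added example (not AWS code, and not the IAM policy engine) evaluates the policy above against a request's source address: the IpAddress and NotIpAddress pairs are ANDed, so an address must be inside the /24 and outside the excluded /32 for the Allow to apply. The policy is embedded as a constructed copy with the Action written in valid "service:Action" form.

```python
import ipaddress
import json

# Constructed copy of the page's resource policy (Action in "service:Action"
# form); the evaluator below is an added illustration, not AWS's own logic.
POLICY = json.loads("""{
  "Version": "2012-10-17", "Id": "IBPolicyId1",
  "Statement": [{
    "Sid": "IPAllow", "Effect": "Allow", "Principal": "*",
    "Action": "imagebuilder:GetComponent",
    "Resource": "arn:aws:imagebuilder:::examplecomponent/*",
    "Condition": {
      "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
      "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
    }
  }]
}""")


def _in_any(ip, cidrs):
    """True when ip lies inside at least one CIDR block (OR across values)."""
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def condition_matches(condition, source_ip):
    """Evaluate a Condition block against the request's aws:SourceIp.

    Every operator/key pair must hold (AND). IpAddress passes when the address
    is inside any listed range; NotIpAddress passes only when it is outside
    every listed range, which is what carves out the single excluded host.
    """
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        values = keys.get("aws:SourceIp", [])
        values = [values] if isinstance(values, str) else values
        if operator == "IpAddress" and not _in_any(ip, values):
            return False
        if operator == "NotIpAddress" and _in_any(ip, values):
            return False
    return True


def is_allowed(policy, action, source_ip):
    """True if an Allow statement covers the action and its condition holds."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if stmt["Effect"] == "Allow" and action in actions:
            if condition_matches(stmt.get("Condition", {}), source_ip):
                return True
    return False
```

A request from 54.240.143.10 is allowed, while 54.240.143.188 (the excluded host) and any address outside 54.240.143.0/24 are not; an action the statement does not name is not allowed from anywhere.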