I can’t find a valid way to restrict this permission. I would ideally like to restrict the permission to work in a particular VPC and/or subnet. I’m unsure where in the documentation to look & have tried numerous approaches with all failing.
My JSON is roughly like this, and I have tried lots of things in the Resource and Condition fields:
{
    "Effect": "Allow",
    "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface"
    ],
    "Resource": [
        "*"
    ],
    "Condition": {
        "StringLike": {
            "ec2:XXXXX": "*"
        }
    }
}
EDIT: Key detail I missed, I am using a role with these permissions to attach to an AWS Glue job. When I restrict in the normal way, the job fails and says it doesn’t have the required permissions.
2 Answers
According to Actions, resources, and condition keys for Amazon EC2 – Service Authorization Reference, the CreateNetworkInterface Action allows a Condition of ec2:Vpc that "Filters access by the ARN of the VPC". There is an example policy on Amazon VPC policy examples – Amazon Virtual Private Cloud that uses it in this way:
Create an IAM policy with the ec2:CreateNetworkInterface action.
Within the policy statement, add a Condition block.
Inside the Condition block, use the StringEqualsIfExists key with the following structure:
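A worked example of the ec2:Vpc / StringEqualsIfExists restriction the answer describes, added here as an editor's illustration; it is not code from the answer or from the AWS documentation it cites. The region, account ID and VPC IDs are placeholders, and the evaluator is a deliberately small model of IAM condition evaluation (it ignores Resource matching and explicit Deny) written only to show what the ...IfExists suffix changes: a request whose context carries ec2:Vpc must match the allowed VPC ARN, while a request whose context lacks the key still passes, which a plain StringEquals would reject.

```python
import json
import fnmatch

# Placeholder identifiers (assumed, not from the thread): substitute your own.
REGION = "eu-west-1"
ACCOUNT_ID = "123456789012"
VPC_ID = "vpc-0123456789abcdef0"
VPC_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:vpc/{VPC_ID}"

# Policy statement restricting network-interface creation/deletion to one VPC
# via the ec2:Vpc condition key. StringEqualsIfExists means: if ec2:Vpc is in
# the request context it must equal VPC_ARN; if the key is absent from the
# request context, the condition is treated as satisfied.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NetworkInterfacesOnlyInOneVpc",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIfExists": {
                    "ec2:Vpc": VPC_ARN
                }
            },
        }
    ],
}


def _condition_holds(operator, expected, context):
    """Evaluate one condition block ({key: value}) against a request context.

    Supports StringEquals, StringLike and their ...IfExists variants only;
    a small model of IAM's evaluation for illustration, not the real engine.
    """
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    for key, wanted in expected.items():
        if key not in context:
            if if_exists:
                continue   # absent key with IfExists: this key passes
            return False   # absent key without IfExists: condition fails
        wanted_values = wanted if isinstance(wanted, list) else [wanted]
        actual = context[key]
        if base == "StringEquals":
            ok = any(actual == w for w in wanted_values)
        elif base == "StringLike":
            ok = any(fnmatch.fnmatchcase(actual, w) for w in wanted_values)
        else:
            raise ValueError(f"unsupported operator {operator}")
        if not ok:
            return False
    return True


def is_allowed(policy, action, context):
    """True if some Allow statement matches the action and its conditions hold.

    Resource matching and explicit Deny are ignored in this simplified model.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        conds = stmt.get("Condition", {})
        if all(_condition_holds(op, kv, context) for op, kv in conds.items()):
            return True
    return False


def with_operator(policy, operator):
    """Deep copy of a policy with each statement's condition operator swapped.

    Used here to compare StringEqualsIfExists with plain StringEquals.
    """
    copy = json.loads(json.dumps(policy))
    for stmt in copy["Statement"]:
        cond = stmt.get("Condition", {})
        if cond:
            (old_op, kv), = cond.items()
            stmt["Condition"] = {operator: kv}
    return copy


if __name__ == "__main__":
    other_vpc = f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:vpc/vpc-0fedcba9876543210"
    print(is_allowed(POLICY, "ec2:CreateNetworkInterface", {"ec2:Vpc": VPC_ARN}))   # True
    print(is_allowed(POLICY, "ec2:CreateNetworkInterface", {"ec2:Vpc": other_vpc}))  # False
    print(is_allowed(POLICY, "ec2:CreateNetworkInterface", {}))                      # True (IfExists)
    strict = with_operator(POLICY, "StringEquals")
    print(is_allowed(strict, "ec2:CreateNetworkInterface", {}))                      # False
```

The last two calls are the point of the comparison: with StringEqualsIfExists a request that does not carry ec2:Vpc in its context is still allowed, whereas the same statement with StringEquals denies it. Which of your callers actually send the key is something to confirm against the Service Authorization Reference and with CloudTrail or the IAM policy simulator rather than assume.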