Question

I'm trying to set up an app that configures my instances upon launch and I want to close down that app's API access as much as possible. My current policy is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1388183890000",
      "Effect": "Allow",
      "Action": [
        "ec2:AssociateAddress",
        "ec2:CreateTags",
        "ec2:DescribeInstances",
        "ec2:RebootInstances"
      ],
      "Resource":"*"
    }
  ]
}

However, this allows the app to perform any of these actions on anything in EC2. Is there a way I can lock down the actions of the app on an ec2 instance to either that specific instance, or to all of the boxes that have the same IAM role?


Solution

Yes, you can. You first need to assign some relevant and common tags to the EC2 instances in question, and then restrict the IAM policy access to only those instances using ec2:ResourceTag/tag-key.

Check this example:

Here is the relevant code from the above example:

    {
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/purpose": "test"
        }
      }
    }

This way, you can restrict access to only those instances which have the necessary tags.

Read more about Tagging here. Hope this helps.

OTHER TIPS

For the instance to read its own tags, you will also need the describe tags permission.

"ec2:DescribeTags"
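To show how the accepted answer and the DescribeTags tip fit together with the asker's original action list, here is an added example (not code from either answer) that builds the tag-scoped policy and runs a deliberately simplified local check of the ec2:ResourceTag condition. The account id, region and the purpose=test tag are constructed placeholders; ec2:DescribeInstances and ec2:DescribeTags do not support resource-level permissions, so they stay in a separate statement with Resource "*", and ec2:AssociateAddress is left out because it also acts on the Elastic IP resource and would need its own resource entry.

```python
import json

# Added example, not from the original answers. Account id, region and the
# tag name/value are constructed placeholders; substitute your own.
REGION = "us-east-1"
ACCOUNT = "123456789012"
TAG_KEY = "purpose"
TAG_VALUE = "test"

# The asker's actions split into two statements: those that support
# resource-level permissions get the instance ARN plus a tag condition,
# while Describe* calls do not support resource-level permissions and keep "*".
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TaggedInstancesOnly",
            "Effect": "Allow",
            "Action": ["ec2:CreateTags", "ec2:RebootInstances"],
            "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
            "Condition": {"StringEquals": {f"ec2:ResourceTag/{TAG_KEY}": TAG_VALUE}},
        },
        {
            "Sid": "ReadOnlyNoResourceLevel",
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:DescribeTags"],
            "Resource": "*",
        },
    ],
}


def policy_json() -> str:
    """Return the policy document as it would be pasted into IAM."""
    return json.dumps(POLICY, indent=2)


def is_allowed(action: str, instance_tags: dict) -> bool:
    """Simplified local evaluation of POLICY for one action on one instance.

    Only models Allow statements with an optional StringEquals condition on
    ec2:ResourceTag/<key>; real IAM evaluation (Deny, SCPs, other condition
    operators) is not reproduced here.
    """
    for stmt in POLICY["Statement"]:
        if action not in stmt["Action"]:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        # Every ec2:ResourceTag/<key> in the condition must match the instance's tags.
        if all(instance_tags.get(k.split("/", 1)[1]) == v for k, v in cond.items()):
            return True
    return False  # IAM default: no matching Allow means implicit deny
```

An instance tagged purpose=test can be rebooted, an untagged or differently tagged one cannot, and the Describe* calls work regardless of tags.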
Licensed under: CC-BY-SA with attribution