Amazon IAM policies are Deny by default, which is not identical to Explicit Deny; see "The Difference Between Denying by Default and Explicit Deny" for details.
Accordingly, the observed behavior wouldn't be possible by default, so there must be another policy in place for this user explicitly granting the undesired actions like ec2:RunInstances. You have the following options to remedy this:
Identify/Remove Explicit Allow
You can analyze which policy grants the undesired actions by means of the excellent new AWS Identity and Access Management Policy Simulator, which is utterly helpful for issues like this.
Add Explicit Deny
You can add an explicit deny for those actions the user shouldn't be able to perform, e.g.:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:RebootInstances",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Effect": "Deny",
      "Resource": "*"
    }
  ]
}
Please note that the latter would still allow quite some other EC2 actions that you might not want, so a more complete approach to explicitly deny all but the desired ones would be to facilitate the NotAction:
The NotAction element lets you specify an exception to a list of actions. For example, you can use NotAction to let users use only the Amazon SQS SendMessage action, without having to list all the actions that the user is not allowed to perform. Using NotAction can sometimes result in shorter policies than using an Action element and listing many actions.
- Warning: Please be aware that it is easy to restrict more than you intend and even lock yourself out when using NotAction for an explicit Deny - always make sure the Resource statement is only targeting the desired resources. For example, simply using the common wildcard * instead of a more specific resource selector like arn:aws:ec2:*:*:* boils down to 'deny all but these actions for every service' - for the example at hand this would include the ability to delete the erroneous policy again! This is best avoided by carefully simulating the policy upfront.
A corresponding policy might look like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "NotAction": [
        "ec2:Describe*"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ec2:*:*:*"
    }
  ]
}
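To make the three evaluation outcomes in this answer (deny by default, explicit Allow, explicit Deny) and the NotAction lockout warning concrete, here is an added toy evaluator. It is example code written for this page, not AWS's evaluation engine and not code from the question or answer: it models only Effect, Action/NotAction and Resource with `*`/`?` wildcards for a single identity and ignores Condition, NotResource, Principal, permission boundaries, SCPs and resource-based policies. The account id, user name, instance and security-group ARNs, and the `EC2_FULL_ALLOW`/`IAM_SELF_MANAGE` policies are constructed assumptions; the three deny policies are the ones from the answer.

```python
"""Toy IAM evaluator: deny by default, explicit Allow, explicit Deny, NotAction.

Added example, not AWS's evaluation engine. Only Effect, Action/NotAction and
Resource (with '*' and '?' wildcards) are modelled; Condition, NotResource,
Principal, permission boundaries and SCPs are ignored. All ARNs, ids and the
two Allow policies below are constructed for illustration.
"""
import re

# --- constructed sample data ------------------------------------------------
ACCOUNT = "123456789012"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/alice"
INSTANCE_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0123456789abcdef0"
SG_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:security-group/sg-0123456789abcdef0"

# The explicit Allow that must exist somewhere for the user to run instances at all.
EC2_FULL_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

# Lets the user edit their own inline policies, i.e. remove a mistaken Deny again.
IAM_SELF_MANAGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:PutUserPolicy", "iam:DeleteUserPolicy"],
     "Resource": USER_ARN}]}

# Explicit Deny for a fixed list of actions (first policy in the answer).
DENY_LIST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny",
     "Action": ["ec2:RebootInstances", "ec2:RunInstances", "ec2:StartInstances",
                "ec2:StopInstances", "ec2:TerminateInstances"],
     "Resource": "*"}]}

# NotAction Deny with the wildcard Resource the warning cautions against.
DENY_NOT_DESCRIBE_UNSCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "NotAction": ["ec2:Describe*"], "Resource": "*"}]}

# The same Deny scoped to EC2 ARNs only (last policy in the answer).
DENY_NOT_DESCRIBE_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "NotAction": ["ec2:Describe*"], "Resource": "arn:aws:ec2:*:*:*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild_match(pattern, text):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text) is not None


def _statement_matches(stmt, action, resource):
    """True if the statement applies to this action/resource pair (actions are case-insensitive)."""
    if "Action" in stmt:
        action_hit = any(_wild_match(p.lower(), action.lower()) for p in _as_list(stmt["Action"]))
    else:  # NotAction: the statement applies to every action that is *not* listed
        action_hit = not any(_wild_match(p.lower(), action.lower())
                             for p in _as_list(stmt["NotAction"]))
    resource_hit = any(_wild_match(p, resource) for p in _as_list(stmt.get("Resource", [])))
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.

    An explicit Deny in any matching statement wins; otherwise any matching
    Allow wins; otherwise the request is denied by default.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def lockout_check(policies, self_arn=USER_ARN):
    """Return the self-management IAM actions this policy set would deny.

    A non-empty list means the user could no longer remove the Deny policy
    themselves, which is the lockout the warning above describes.
    """
    needed = ["iam:PutUserPolicy", "iam:DeleteUserPolicy"]
    return [a for a in needed if evaluate(policies, a, self_arn) != "Allow"]


if __name__ == "__main__":
    base = [EC2_FULL_ALLOW, IAM_SELF_MANAGE]
    for label, extra in [("no deny", []), ("deny list", [DENY_LIST]),
                         ("NotAction, Resource *", [DENY_NOT_DESCRIBE_UNSCOPED]),
                         ("NotAction, EC2 ARNs", [DENY_NOT_DESCRIBE_SCOPED])]:
        policies = base + extra
        print(f"{label}:")
        for action, res in [("ec2:RunInstances", INSTANCE_ARN),
                            ("ec2:DescribeInstances", INSTANCE_ARN),
                            ("ec2:CreateSecurityGroup", SG_ARN)]:
            print(f"  {action:24} {evaluate(policies, action, res)}")
        print(f"  locked out of: {lockout_check(policies) or 'nothing'}")
```

Running it shows the answer's points side by side: with no Deny the full-access Allow wins; the deny list blocks ec2:RunInstances but still allows ec2:CreateSecurityGroup; the NotAction Deny with Resource `*` blocks everything except Describe calls, including the user's own iam:DeleteUserPolicy (lockout); the same Deny scoped to `arn:aws:ec2:*:*:*` leaves the IAM self-management actions alone. For a real policy set, the authoritative check is still the IAM Policy Simulator (console, or `aws iam simulate-custom-policy` on the CLI), which also evaluates conditions and the other policy types this toy ignores.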