How to Restrict AWS Resource Access to a Specific IAM Role

0 votes

I have been trying to limit Amazon EC2 access to a specific IAM role in a CloudFormation template. I used “Deny : NotPrincipal”, but I am getting an error saying ‘Policy document should not specify a principle’.

Any suggestions as to how to scope an AWS resource to a specific IAM role?

Jul 23, 2018 in AWS by datageek
• 2,440 points
98 views

1 answer to this question.

0 votes

You can use iam get-role to find the RoleId and add it to the policy condition under aws:userId:

aws iam get-role --role-name Test-Role

IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ec2:CopyImage",
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AROAJPXXXXXJE5XOMQARS:*",
                        "AROAJXXXXXXV3EZVH2W5A:*",
                        "AROAJXXXXXXBH4XK552KI:*"
                    ]
                }
            }
        }
    ]
}

If you want to know more, here is an article from AWS on restricting access to a role.

answered Aug 13, 2018 by Archana
• 4,090 points
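As an added example that is not part of the answer above, the following Python script builds the same Deny statement from a list of role IDs and simulates how the StringNotLike condition on aws:userId decides which callers are denied. The role and user IDs are constructed placeholders, not real identifiers.

```python
import fnmatch
import json

# Constructed role IDs in the same shape as the answer's (AROA... prefix).
ALLOWED_ROLE_IDS = ["AROAEXAMPLEROLE0000001", "AROAEXAMPLEROLE0000002"]


def build_deny_policy(role_ids, action="ec2:CopyImage"):
    """Deny `action` to every caller whose aws:userId is not a session of
    one of the given roles. An assumed-role session carries the userId
    '<RoleId>:<session-name>', which is why each pattern ends in ':*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": action,
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [f"{rid}:*" for rid in sorted(set(role_ids))]
                }
            },
        }],
    }


def string_not_like_matches(patterns, value):
    """IAM StringNotLike is true when the value matches none of the patterns.
    IAM string wildcards are '*' and '?', the same ones fnmatch understands,
    and the comparison is case-sensitive."""
    return not any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_denied(policy, action, user_id):
    """Return True if any Deny statement in `policy` applies to this caller."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        patterns = stmt["Condition"]["StringNotLike"]["aws:userId"]
        if string_not_like_matches(patterns, user_id):
            return True
    return False


if __name__ == "__main__":
    policy = build_deny_policy(ALLOWED_ROLE_IDS)
    print(json.dumps(policy, indent=4))
    # A session of an allowed role passes; an IAM user (AIDA... id) is denied.
    print(is_denied(policy, "ec2:CopyImage", "AROAEXAMPLEROLE0000001:deploy"))  # False
    print(is_denied(policy, "ec2:CopyImage", "AIDAEXAMPLEUSER0000001"))  # True
```

Because the condition keys on the role's unique ID rather than its name, the policy has to be regenerated if the role is deleted and recreated.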
