Thursday, March 17, 2022

[SOLVED] AWS IAM EC2 policy limited to originating instance

Issue

I'm working on a setup where I need to terminate AWS instances because of inactivity (i.e. nothing new in the web-server access logs for a period of time). Those instances are testing instances and are created automatically by CI/CD software.

I would like those instances to detect that they have become abandoned and terminate themselves. I want to assign a generic IAM role to each of them that will only allow the instance to terminate itself and not its peer instances.

So far I've been here:

And figured out that there are 2 variables available in policies:

ec2-instance-id
ec2:SourceInstanceARN

I came up with a few variations of my role policy, but none of them work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/${ec2-instance-id}"
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "arn:aws:ec2:*:*:instance/${ec2-instance-id}"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "${ec2:SourceInstanceARN}"
        }
    ]
}

Is it actually possible to achieve the desired behavior, i.e. to only allow an instance to perform a specific operation on itself (e.g. termination)?

UPDATE:
I do know that I can work with tags, and that is what I'm doing meanwhile, but that means that all tagged instances can terminate their peers. That is a bit too loose a restriction; I'd like to really limit it to the instance it

AWS IAM: Allow EC2 instance to stop itself
IAM policy to allow EC2 instance API access only to modify itself


Solution

You were close with your condition. The trick is to compare the instance ARN with ec2:SourceInstanceARN:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteTags",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:TerminateInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ARN": "${ec2:SourceInstanceARN}"
                }
            }
        }
    ]
}

Clearly, for testing purposes, I allowed my instances with this policy to tag and stop themselves.



Answered By - Tomasz Kapłoński
Answer Checked By - David Marino (WPSolving Volunteer)
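As an added example (not code from the question or from the answer above), here is the instance-side script that would sit behind a self-only policy like the one in the answer: it reads the web-server access log, decides whether the instance has been idle, and if so asks EC2 to terminate this instance only, with the instance ID taken from the IMDSv2 identity document. The log path, the two-hour threshold, the combined log format and the presence of boto3 on the instance are assumptions, and the sample log lines are constructed.

```python
"""Self-terminate an idle EC2 test instance (added example; not from the question or answer)."""
import json
import re
import sys
import urllib.request
from datetime import datetime, timezone

ACCESS_LOG = "/var/log/nginx/access.log"  # assumed log path
IDLE_SECONDS = 2 * 60 * 60                 # assumed inactivity threshold (2 h)
IMDS = "http://169.254.169.254/latest/"

# Timestamp field of the Apache/Nginx "combined" log format, e.g. [17/Mar/2022:10:15:42 +0000]
_TS = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (not real traffic), used for offline checks of the parser.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Mar/2022:08:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    "a malformed line with no timestamp at all",
    '10.0.0.7 - - [17/Mar/2022:09:30:00 +0000] "POST /api HTTP/1.1" 201 12 "-" "python-requests/2.27"',
]


def parse_clf_time(text):
    """Parse a combined-log timestamp ('17/Mar/2022:09:30:00 +0000') into an aware datetime."""
    return datetime.strptime(text, _TS_FMT)


def last_request_time(lines):
    """Most recent request timestamp in the given log lines, or None if no line carries one."""
    latest = None
    for line in lines:
        m = _TS.search(line)
        if not m:
            continue  # a malformed line is not evidence of activity
        ts = parse_clf_time(m.group(1))
        if latest is None or ts > latest:
            latest = ts
    return latest


def is_idle(lines, now, idle_seconds=IDLE_SECONDS):
    """True when nothing has been logged for idle_seconds; an empty or unparsable log counts as idle."""
    latest = last_request_time(lines)
    if latest is None:
        return True
    return (now - latest).total_seconds() >= idle_seconds


def instance_arn(region, account_id, instance_id):
    """ARN that ec2:SourceInstanceARN carries for an instance; handy when testing the policy."""
    return f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"


def imds_v2(path):
    """Read an IMDS path with a session token (IMDSv2); the token-less v1 form is avoided on purpose."""
    req = urllib.request.Request(IMDS + "api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(IMDS + path, headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def terminate_self():
    """Terminate only the instance this runs on, using the instance-profile credentials.
    With the answer's policy attached, the same call against any other instance ID is denied."""
    import boto3  # assumed installed on the instance; deferred so the helpers above run anywhere

    ident = json.loads(imds_v2("dynamic/instance-identity/document"))
    ec2 = boto3.client("ec2", region_name=ident["region"])
    print("terminating", instance_arn(ident["region"], ident["accountId"], ident["instanceId"]))
    ec2.terminate_instances(InstanceIds=[ident["instanceId"]])


def main():
    try:
        with open(ACCESS_LOG) as fh:
            lines = fh.readlines()
    except FileNotFoundError:
        lines = []  # no log at all: treated as idle, same rule as is_idle
    if not is_idle(lines, datetime.now(timezone.utc)):
        return 0
    terminate_self()
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from a timer on the instance (cron or a systemd timer) under the instance profile that carries the answer's policy; the termination call then succeeds only for the caller's own instance. Note that an empty log is treated as idle here, so a freshly created instance that has not served a request yet would be terminated on the first run; if that is not wanted, add a minimum-uptime check before calling terminate_self().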