Manually Configuring IAM Permissions for EC2 and VPC Resources

This guide walks through the steps required to create custom IAM policies and attach them to users or roles to control access to AWS resources, including EC2 instances and VPC components. The goal is to create and configure AWS IAM policies and roles that grant specific permissions for managing EC2 instances and VPC resources such as subnets, route tables, NAT gateways, and internet gateways.

Open the IAM Console:

  • Navigate to Services and select IAM (Identity and Access Management) under Security, Identity, & Compliance.

Create a Custom IAM Policy:

  • Go to Policies in the IAM dashboard.

  • Click Create policy and choose the JSON tab.

  • Enter a JSON policy document that specifies permissions for EC2 and VPC resources, using the actions listed below. Click Review policy, name the policy (e.g., EC2_VPC_Access_Policy), and add a description if desired.

  • Click Create policy.

EC2 Actions:

  • ec2:AuthorizeSecurityGroupIngress

  • ec2:DescribeFastLaunchImages

  • ec2:DescribeInstances

  • ec2:CreateKeyPair

  • ec2:DescribeCoipPools

  • ec2:AttachInternetGateway

  • ec2:DescribePlacementGroups

  • ec2:UpdateSecurityGroupRuleDescriptionsIngress

  • ec2:AssociateRouteTable

  • ec2:DescribeInternetGateways

  • ec2:GetLaunchTemplateData

  • ec2:DescribeVolumeStatus

  • ec2:StartInstances

  • ec2:CreateRoute

  • ec2:CreateInternetGateway

  • ec2:DescribeVolumes

  • ec2:DescribeAccountAttributes

  • ec2:DescribeKeyPairs

  • ec2:DescribeNetworkAcls

  • ec2:DescribeRouteTables

  • ec2:DescribeEgressOnlyInternetGateways

  • ec2:DescribeCapacityReservations

  • ec2:ModifyVolume

  • ec2:UpdateSecurityGroupRuleDescriptionsEgress

  • ec2:DescribeLaunchTemplates

  • ec2:CreateTags

  • ec2:CreateRouteTable

  • ec2:RunInstances

  • ec2:ModifySecurityGroupRules

  • ec2:StopInstances

  • ec2:DescribeVolumeAttribute

  • ec2:CreateVolume

  • ec2:RevokeSecurityGroupIngress

  • ec2:GetInstanceTypesFromInstanceRequirements

  • ec2:CreateDefaultVpc

  • ec2:DescribeSecurityGroupRules

  • ec2:DescribeInstanceTypes

  • ec2:DescribeVpcEndpoints

  • ec2:DescribeElasticGpus

  • ec2:AssociateAddress

  • ec2:CreateSubnet

  • ec2:DescribeSubnets

  • ec2:DescribeVpnGateways

  • ec2:DisassociateAddress

  • ec2:DescribeAddresses

  • ec2:CreateNatGateway

  • ec2:CreateVpc

  • ec2:DescribeDhcpOptions

  • ec2:DescribeVpcAttribute

  • ec2:CreateDefaultSubnet

  • ec2:DescribeInstanceTypeOfferings

  • ec2:DescribeNetworkInterfaces

  • ec2:DescribeAvailabilityZones

  • ec2:GetSecurityGroupsForVpc

  • ec2:CreateSecurityGroup

  • ec2:ModifyInstanceAttribute

  • ec2:DescribeInstanceStatus

  • ec2:ReleaseAddress

  • ec2:AuthorizeSecurityGroupEgress

  • ec2:DescribeIamInstanceProfileAssociations

  • ec2:DescribeNatGateways

  • ec2:AllocateAddress

  • ec2:DescribeSecurityGroups

  • ec2:DescribeImages

  • ec2:DescribeSecurityGroupReferences

  • ec2:DescribeVpcs

  • ec2:ModifyLaunchTemplate

  • ec2:ApplySecurityGroupsToClientVpnTargetNetwork

  • ec2:DescribeStaleSecurityGroups

VPC Actions:

  • ec2:CreateVpc

  • ec2:DescribeVpcs

  • ec2:DescribeVpcAttribute

  • ec2:CreateDefaultVpc

  • ec2:DescribeVpcEndpoints

  • ec2:DescribeDhcpOptions

NAT Gateway Actions:

  • ec2:CreateNatGateway

  • ec2:DescribeNatGateways

Internet Gateway Actions:

  • ec2:AttachInternetGateway

  • ec2:DescribeInternetGateways

  • ec2:CreateInternetGateway

  • ec2:DescribeEgressOnlyInternetGateways

Elastic IP Actions:

  • ec2:AllocateAddress

  • ec2:ReleaseAddress

  • ec2:AssociateAddress

  • ec2:DisassociateAddress

Subnet Actions:

  • ec2:CreateSubnet

  • ec2:DescribeSubnets

  • ec2:CreateDefaultSubnet

Route Table Actions:

  • ec2:CreateRoute

  • ec2:CreateRouteTable

  • ec2:AssociateRouteTable

  • ec2:DescribeRouteTables
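The guide lists the actions but never shows the JSON document that the "Enter a JSON policy document" step asks for. The Python script below is an added example, not part of the original guide: it assembles that document from the action lists above (the VPC, NAT gateway, internet gateway, Elastic IP, subnet and route table lists only repeat entries from the EC2 list, so they are merged and de-duplicated), splits it into a read-only statement and a mutating statement, and reports which mutating actions are granted on Resource "*" so they can be justified or scoped before the policy is attached. The names GUIDE_ACTIONS, build_policy, wildcard_mutating_actions and the Sid values are this example's own choices.

```python
"""Assemble the EC2/VPC policy document from the guide's action lists (added example)."""
import json
import re

# Every action from the guide, in the order listed. The first block is the "EC2 Actions"
# list; the second block is the per-resource lists, which only repeat entries from it.
GUIDE_ACTIONS = """
ec2:AuthorizeSecurityGroupIngress ec2:DescribeFastLaunchImages ec2:DescribeInstances
ec2:CreateKeyPair ec2:DescribeCoipPools ec2:AttachInternetGateway ec2:DescribePlacementGroups
ec2:UpdateSecurityGroupRuleDescriptionsIngress ec2:AssociateRouteTable ec2:DescribeInternetGateways
ec2:GetLaunchTemplateData ec2:DescribeVolumeStatus ec2:StartInstances ec2:CreateRoute
ec2:CreateInternetGateway ec2:DescribeVolumes ec2:DescribeAccountAttributes ec2:DescribeKeyPairs
ec2:DescribeNetworkAcls ec2:DescribeRouteTables ec2:DescribeEgressOnlyInternetGateways
ec2:DescribeCapacityReservations ec2:ModifyVolume ec2:UpdateSecurityGroupRuleDescriptionsEgress
ec2:DescribeLaunchTemplates ec2:CreateTags ec2:CreateRouteTable ec2:RunInstances
ec2:ModifySecurityGroupRules ec2:StopInstances ec2:DescribeVolumeAttribute ec2:CreateVolume
ec2:RevokeSecurityGroupIngress ec2:GetInstanceTypesFromInstanceRequirements ec2:CreateDefaultVpc
ec2:DescribeSecurityGroupRules ec2:DescribeInstanceTypes ec2:DescribeVpcEndpoints
ec2:DescribeElasticGpus ec2:AssociateAddress ec2:CreateSubnet ec2:DescribeSubnets
ec2:DescribeVpnGateways ec2:DisassociateAddress ec2:DescribeAddresses ec2:CreateNatGateway
ec2:CreateVpc ec2:DescribeDhcpOptions ec2:DescribeVpcAttribute ec2:CreateDefaultSubnet
ec2:DescribeInstanceTypeOfferings ec2:DescribeNetworkInterfaces ec2:DescribeAvailabilityZones
ec2:GetSecurityGroupsForVpc ec2:CreateSecurityGroup ec2:ModifyInstanceAttribute
ec2:DescribeInstanceStatus ec2:ReleaseAddress ec2:AuthorizeSecurityGroupEgress
ec2:DescribeIamInstanceProfileAssociations ec2:DescribeNatGateways ec2:AllocateAddress
ec2:DescribeSecurityGroups ec2:DescribeImages ec2:DescribeSecurityGroupReferences ec2:DescribeVpcs
ec2:ModifyLaunchTemplate ec2:ApplySecurityGroupsToClientVpnTargetNetwork ec2:DescribeStaleSecurityGroups

ec2:CreateVpc ec2:DescribeVpcs ec2:DescribeVpcAttribute ec2:CreateDefaultVpc ec2:DescribeVpcEndpoints
ec2:DescribeDhcpOptions ec2:CreateNatGateway ec2:DescribeNatGateways ec2:AttachInternetGateway
ec2:DescribeInternetGateways ec2:CreateInternetGateway ec2:DescribeEgressOnlyInternetGateways
ec2:AllocateAddress ec2:ReleaseAddress ec2:AssociateAddress ec2:DisassociateAddress
ec2:CreateSubnet ec2:DescribeSubnets ec2:CreateDefaultSubnet
ec2:CreateRoute ec2:CreateRouteTable ec2:AssociateRouteTable ec2:DescribeRouteTables
""".split()

ACTION_RE = re.compile(r"^ec2:[A-Z][A-Za-z0-9]+$")


def unique_actions(actions):
    """De-duplicate while keeping order; reject malformed names or other service namespaces."""
    seen, out = set(), []
    for action in actions:
        if not ACTION_RE.match(action):
            raise ValueError(f"unexpected action for an EC2/VPC policy: {action!r}")
        if action not in seen:
            seen.add(action)
            out.append(action)
    return out


def is_read_only(action):
    """Describe*/Get* calls only read state; every other action in the list changes it."""
    return action.startswith(("ec2:Describe", "ec2:Get"))


def build_policy(actions, mutating_resource="*"):
    """Policy document with one read-only and one mutating statement.

    EC2 Describe* calls do not support resource-level permissions, so "*" is the only
    workable Resource for the read-only statement. The mutating statement defaults to
    "*" as well because the guide does not scope it; pass an ARN pattern (or a list of
    them) to narrow it.
    """
    deduped = unique_actions(actions)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadEc2AndVpc", "Effect": "Allow",
             "Action": [a for a in deduped if is_read_only(a)], "Resource": "*"},
            {"Sid": "ManageEc2AndVpc", "Effect": "Allow",
             "Action": [a for a in deduped if not is_read_only(a)],
             "Resource": mutating_resource},
        ],
    }


def wildcard_mutating_actions(policy):
    """Mutating actions granted on Resource "*": the list to justify or scope before attaching."""
    found = []
    for stmt in policy["Statement"]:
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if stmt["Effect"] == "Allow" and "*" in resources:
            found.extend(a for a in stmt["Action"] if not is_read_only(a))
    return found


def to_json(policy):
    """The text to paste into the IAM console's JSON tab."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_policy(GUIDE_ACTIONS)
    print(to_json(policy))
    print(f'{len(wildcard_mutating_actions(policy))} mutating actions granted on Resource "*"')
```

Running the script prints the document to paste into the JSON tab. The read-only statement has to stay on "*", but the mutating statement is where the review effort belongs: with the guide's list as given, all of its write actions (RunInstances, CreateVpc, AuthorizeSecurityGroupIngress and so on) apply to every resource in the account, which is more than most users of this policy need.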

Create or Select an IAM User:

  • Navigate to Users in the IAM dashboard.

  • To create a new user, click Add User.

Attach the Policy to the User:

  • For users, after creating the user, go to the Permissions tab, click Attach policies directly, select the custom policy you made, and complete the process.

Verify Permissions:

  • For Users: Sign in as the user, or use the AWS CLI, to test whether the user has the required permissions.
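Signing in as the user, or calling the API with their credentials, only tells you about the calls you happen to try. A cheaper first pass is to check the policy document itself, before it is attached, for the decisions you expect. The Python below is an added example, not part of the guide: it implements the part of IAM evaluation that matters for such a check (an explicit Deny wins, otherwise a matching Allow is needed, otherwise the request is implicitly denied) and reports the required actions a document fails to allow. The sample policy, the instance ARN and the function names (evaluate, missing_allowances) are constructed for this example; the three decision strings are the ones the IAM policy simulator itself reports.

```python
"""Local pre-check of an IAM policy document before it is attached (added example).

Simplifications, chosen to err on the side of denying: Condition blocks are not
evaluated (an Allow with a Condition is assumed not to match, a Deny with a Condition
is assumed to match), and NotAction/NotResource statements are rejected outright.
"""
import re


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _glob_match(pattern, value, ignore_case):
    """IAM wildcard matching: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _statement_matches(stmt, action, resource):
    """Does this statement apply to the action/resource pair? (conservative, see module doc)"""
    if "NotAction" in stmt or "NotResource" in stmt:
        raise ValueError("NotAction/NotResource statements are not supported by this check")
    if "Condition" in stmt:
        return stmt["Effect"] == "Deny"
    action_hit = any(_glob_match(p, action, True) for p in _as_list(stmt["Action"]))
    resource_hit = any(_glob_match(p, resource, False) for p in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def evaluate(policy, action, resource="*"):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for one action on one resource."""
    effects = {stmt["Effect"] for stmt in policy["Statement"]
               if _statement_matches(stmt, action, resource)}
    if "Deny" in effects:
        return "explicitDeny"
    if "Allow" in effects:
        return "allowed"
    return "implicitDeny"


def missing_allowances(policy, required_actions, resource="*"):
    """Required actions the policy does not allow on the given resource, in input order."""
    return [a for a in required_actions if evaluate(policy, a, resource) != "allowed"]


# Constructed sample: a narrowed cut of the guide's permissions plus a guard-rail Deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:Get*"], "Resource": "*"},
        {"Sid": "InstanceLifecycle", "Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*"},
        {"Sid": "NoDeletes", "Effect": "Deny", "Action": "ec2:Delete*", "Resource": "*"},
    ],
}

# Constructed instance ARN (example account id) used as the resource under test.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"

if __name__ == "__main__":
    for act in ("ec2:DescribeInstances", "ec2:RunInstances", "ec2:CreateVpc", "ec2:DeleteVpc"):
        print(f"{act:24} {evaluate(SAMPLE_POLICY, act, INSTANCE_ARN)}")
    required = ["ec2:DescribeInstances", "ec2:RunInstances", "ec2:CreateVpc"]
    print("missing:", missing_allowances(SAMPLE_POLICY, required, INSTANCE_ARN))
```

Two caveats when reading the results. First, this is a pre-check, not the authority: once the policy is attached, the same expectations can be confirmed against the real evaluator with `aws iam simulate-principal-policy`, which also accounts for permissions boundaries, SCPs and conditions that this script deliberately treats conservatively. Second, some write calls touch several resource types at once (ec2:RunInstances also needs permission on the image, subnet, security group and network-interface ARNs, not just the instance), so "allowed" on one ARN does not by itself mean the call will succeed.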