Manually Configuring IAM Permissions for EC2 and VPC Resources
This guide walks through creating custom IAM policies and attaching them to users or roles to control access to AWS resources, including EC2 instances and VPC components. The goal is to create and configure IAM policies and roles that grant specific permissions for managing EC2 instances and VPC resources such as subnets, route tables, NAT gateways, and internet gateways.
Open the IAM Console:
- Navigate to Services and select IAM (Identity and Access Management) under Security, Identity, & Compliance.
Create a Custom IAM Policy:
Go to Policies in the IAM dashboard.
Click Create policy and choose the JSON tab.
Enter a JSON policy document that specifies permissions for EC2 and VPC resources; the actions listed below go in the Action element of an Allow statement. Then click Review policy, name your policy (e.g., EC2_VPC_Access_Policy), and add a description if desired.
Click Create policy.
EC2 Actions:
ec2:AuthorizeSecurityGroupIngress
ec2:DescribeFastLaunchImages
ec2:DescribeInstances
ec2:CreateKeyPair
ec2:DescribeCoipPools
ec2:AttachInternetGateway
ec2:DescribePlacementGroups
ec2:UpdateSecurityGroupRuleDescriptionsIngress
ec2:AssociateRouteTable
ec2:DescribeInternetGateways
ec2:GetLaunchTemplateData
ec2:DescribeVolumeStatus
ec2:StartInstances
ec2:CreateRoute
ec2:CreateInternetGateway
ec2:DescribeVolumes
ec2:DescribeAccountAttributes
ec2:DescribeKeyPairs
ec2:DescribeNetworkAcls
ec2:DescribeRouteTables
ec2:DescribeEgressOnlyInternetGateways
ec2:DescribeCapacityReservations
ec2:ModifyVolume
ec2:UpdateSecurityGroupRuleDescriptionsEgress
ec2:DescribeLaunchTemplates
ec2:CreateTags
ec2:CreateRouteTable
ec2:RunInstances
ec2:ModifySecurityGroupRules
ec2:StopInstances
ec2:DescribeVolumeAttribute
ec2:CreateVolume
ec2:RevokeSecurityGroupIngress
ec2:GetInstanceTypesFromInstanceRequirements
ec2:CreateDefaultVpc
ec2:DescribeSecurityGroupRules
ec2:DescribeInstanceTypes
ec2:DescribeVpcEndpoints
ec2:DescribeElasticGpus
ec2:AssociateAddress
ec2:CreateSubnet
ec2:DescribeSubnets
ec2:DescribeVpnGateways
ec2:DisassociateAddress
ec2:DescribeAddresses
ec2:CreateNatGateway
ec2:CreateVpc
ec2:DescribeDhcpOptions
ec2:DescribeVpcAttribute
ec2:CreateDefaultSubnet
ec2:DescribeInstanceTypeOfferings
ec2:DescribeNetworkInterfaces
ec2:DescribeAvailabilityZones
ec2:GetSecurityGroupsForVpc
ec2:CreateSecurityGroup
ec2:ModifyInstanceAttribute
ec2:DescribeInstanceStatus
ec2:ReleaseAddress
ec2:AuthorizeSecurityGroupEgress
ec2:DescribeIamInstanceProfileAssociations
ec2:DescribeNatGateways
ec2:AllocateAddress
ec2:DescribeSecurityGroups
ec2:DescribeImages
ec2:DescribeSecurityGroupReferences
ec2:DescribeVpcs
ec2:ModifyLaunchTemplate
ec2:ApplySecurityGroupsToClientVpnTargetNetwork
ec2:DescribeStaleSecurityGroups
VPC Actions:
ec2:CreateVpc
ec2:DescribeVpcs
ec2:DescribeVpcAttribute
ec2:CreateDefaultVpc
ec2:DescribeVpcEndpoints
ec2:DescribeDhcpOptions
NAT Gateway Actions:
ec2:CreateNatGateway
ec2:DescribeNatGateways
Internet Gateway Actions:
ec2:AttachInternetGateway
ec2:DescribeInternetGateways
ec2:CreateInternetGateway
ec2:DescribeEgressOnlyInternetGateways
Elastic IP Actions:
ec2:AllocateAddress
ec2:ReleaseAddress
ec2:AssociateAddress
ec2:DisassociateAddress
Subnet Actions:
ec2:CreateSubnet
ec2:DescribeSubnets
ec2:CreateDefaultSubnet
Route Table Actions:
ec2:CreateRoute
ec2:CreateRouteTable
ec2:AssociateRouteTable
ec2:DescribeRouteTables
Create or Select an IAM User:
Navigate to Users in the IAM dashboard.
To create a new user, click Add User.
Attach the Policy to the User:
- For users, after creating the user, go to the Permissions tab, click Attach policies directly, select the custom policy you made, and complete the process.
Verify Permissions:
- For Users: Sign in as the user or use the AWS CLI to test whether the user has the required permissions.
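To turn the action list above into the JSON document the console's JSON tab expects, and to sanity-check it before the verification step, here is an added Python example (not from this guide or from AWS): build_policy deduplicates the actions (the EC2 and VPC lists overlap) and rejects anything outside the ec2 namespace, and is_allowed evaluates an action name against the document the way IAM matches the Action element. PAGE_ACTIONS is a constructed subset of the page's list; the Sid value and Resource "*" are assumptions.

```python
import fnmatch
import json

# Constructed sample: the page's VPC / NAT / IGW / Elastic IP / subnet / route-table
# subsets plus three instance actions; ec2:CreateVpc is repeated on purpose, as the
# page lists it under both "EC2 Actions" and "VPC Actions".
PAGE_ACTIONS = [
    "ec2:CreateVpc", "ec2:DescribeVpcs", "ec2:DescribeVpcAttribute",
    "ec2:CreateDefaultVpc", "ec2:DescribeVpcEndpoints", "ec2:DescribeDhcpOptions",
    "ec2:CreateNatGateway", "ec2:DescribeNatGateways",
    "ec2:AttachInternetGateway", "ec2:DescribeInternetGateways",
    "ec2:CreateInternetGateway", "ec2:DescribeEgressOnlyInternetGateways",
    "ec2:AllocateAddress", "ec2:ReleaseAddress", "ec2:AssociateAddress",
    "ec2:DisassociateAddress", "ec2:CreateSubnet", "ec2:DescribeSubnets",
    "ec2:CreateDefaultSubnet", "ec2:CreateRoute", "ec2:CreateRouteTable",
    "ec2:AssociateRouteTable", "ec2:DescribeRouteTables",
    "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:CreateVpc",
]


def build_policy(actions, resource="*"):
    """Policy dict for the console's JSON tab; duplicates dropped, order kept.
    Resource "*" matches what the page implies; scoping it down is a refinement."""
    unique = list(dict.fromkeys(actions))
    bad = [a for a in unique if not a.startswith("ec2:")]
    if bad:  # catch a stray non-EC2 action before it widens the policy
        raise ValueError(f"non-EC2 actions in EC2/VPC policy: {bad}")
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "EC2VPCAccess", "Effect": "Allow",
                           "Action": unique, "Resource": resource}]}

def policy_document(actions):
    """JSON text to paste into the JSON tab or pass to the CLI as a file."""
    return json.dumps(build_policy(actions), indent=2)

def is_allowed(policy, action):
    """Local check of the Action element only (no Resource/Condition/NotAction):
    IAM matches case-insensitively with * and ? wildcards, an explicit Deny
    overrides any Allow, and anything unmatched is denied by default."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Run policy_document(PAGE_ACTIONS) to get the text for the JSON tab; is_allowed only models the Action element, so the console or CLI check in the verification step is still the real test.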