Running a Startup on AWS? Get Funding With AWS JumpStart. Click Here to Learn More

2021 Fillmore Street #1128

}

24/7 solutions

Christin Hume

How to create IAM roles for VPC access using IAM Groups and Roles

This comprehensive guide covers how to create IAM Roles for VPC access using IAM Groups and Roles.

Introduction

 

Using IAM with Amazon VPC requires that you first learn about the IAM features that are compatible with Amazon VPC before implementing them. See AWS Services That Integrate with IAM for a high-level overview of how Amazon VPC and other AWS services work with IAM.

You can specify authorized or denied behaviors with IAM identity-based policies. Specific actions, resources, and condition keys are supported by Amazon VPC. Amazon VPC and Amazon EC2 share an API namespace. The prefix ec2: is used before policy actions in Amazon VPC. ec2:CreateVpc, for example, is an action you can include in someone’s policy to allow them to construct a VPC using the Amazon EC2 Create Vpc API. There must be an action or a nonaction element in a policy. AWS EC2 and Amazon VPC share the same API namespace. In Amazon VPC, policy actions begin with the prefix ec2: before the actual action itself. The ec2:CreateVpc action can be included in a user’s policy to enable them access to the Amazon EC2 CreateVpc API. Action or notation must be included in every policy statement.

Resources

 

AWS JSON policies can be used by administrators to grant or deny access to specific resources. Meaning, what resources may a principal operate on and under what circumstances. Using the Resource JSON policy element, you can specify which objects should be affected by a given operation. Resources and Not Resources must be included in all statements. A good rule of thumb is to use the Amazon Resource Name when referencing a resource (ARN). These are known as “resource-level” permissions. A wildcard (*) indicates that the statement applies to all resources for actions that do not support resource-level permissions, such as listing operations.
Following is an example of a VPC ARN:

arn:${Partition}:ec2:${Region}:${Account}:vpc/${VpcId}

For example, to specify the vpc-1234567890abcdef0 VPC in your statement, use the ARN given below.

“Resource”: “arn:aws:ec2:us-east-1:123456789012:vpc/vpc-1234567890abcdef0”

Some Amazon VPC actions, such as resource creation, are not available for a given resource. In some circumstances, the wildcard (*) must be used. Many Amazon EC2 API activities require many resources. To define several resources in a single statement, split the ARNs with commas.

Condition Keys

Using AWS JSON policies, administrators may control who has access to what. Meaning, what resources may a principal act upon and under what circumstances?

Using the Condition element (also known as the Condition block) allows you to establish the criteria under which a statement is valid and applicable. No need to include the Condition element. To match the policy condition with values in the request, you can define conditional expressions using condition operators like equals or less than.

AWS examines several Condition elements in a statement or multiple keys in a single Condition element using a logical AND operation. AWS uses a logical OR operation to evaluate the condition if you provide multiple values for a given condition key. Before the statement’s permissions can be given, all of the requirements must be satisfied.

When defining conditions, you can make use of placeholder variables as well. A resource can only be accessed if it is tagged with the user’s IAM user name, as an example. In the IAM User Guide, you’ll find a section titled “IAM policy elements: variables and tags.” In addition to service-specific condition keys, AWS now provides global condition keys. When defining conditions, you can make use of placeholder variables as well. Only resources that are marked with the IAM user name can be granted access to IAM users. AWS supports both global condition keys and service-specific condition keys. Condition keys defined by Amazon VPC can also be used with global condition keys.

Policies based on Amazon VPC resources

This type of policy specifies the activities a given principal can do on a given Amazon VPC resource and under what circumstances.

Any IAM entities or the full account of another one can be designated as the primary in a resource-based policy so that access between the two accounts can be granted. Establishing the trust connection requires more than simply including a cross-account principal in a resource-based policy. It is necessary to allow access to the resource to the principal entity when the two are in separate AWS accounts. Attach an identity-based policy to the entity to grant it permission. There is no need for a separate identity-based policy if a resource-based policy allows access to a principal in the same account. 

Tag-Based Authorization

Amazon VPC resources can have tags attached to them or tags can be sent in a request. In order to restrict access based on tags, you use the ec2: condition element in a policy to specify tag information. Condition keys for ResourceTag, aws: RequestKey, or aws: TagKey can be found in any of these three places. See Launch instances into a specified VPC for an example of an identity-based policy for restricting access to a resource based on its tags.

Free AWS Services Template

Download list of all AWS Services PDF

Download our free PDF list of all AWS services. In this list, you will get all of the AWS services in a PDF file that contains  descriptions and links on how to get started.

Roles assigned by IAM

Using an IAM role, you can grant specialized access to your AWS account.

Temporary login credentials should be used.

Assuming an IAM role, or taking on the role of another user across many accounts is possible using temporary credentials. There are other AWS STS API actions that you may use to obtain temporary security credentials, such as AssumeRole or GetFederationToken.

Temporary credentials can be used with Amazon VPC, thanks to the service’s flexibility.

Service-related positions

In order to accomplish an action on your behalf, AWS services can access resources in other services via service-linked roles. IAM roles associated with service exist in your IAM account and are owned by the service. An IAM administrator can only view but not alter service-linked role permissions.

Transit gateways are useful for jobs that are connected to a certain service.

Service positions

Because of this functionality, a service can act on your behalf and take on the role of another service. Because you have been assigned this role, the service will be able to access resources provided by other services in order to carry out an activity on your behalf. Your IAM account will have a list of service roles, each of which is controlled by the account. This indicates that an administrator of the Identity and Access Management service (IAM) can modify the permissions for this role. However, doing so may compromise the service’s ability to perform its intended functions. Amazon VPC allows for service roles to be assigned to flow logs. When you establish a flow log, you will be prompted to select a role that governs the level of access that the flow logs service has to CloudWatch Logs. Users and roles within IAM that are not granted access to create or edit VPC resources cannot do so. In addition, they are unable to carry out operations by using the AWS Management Console, the AWS Command Line Interface, or the AWS API. An IAM administrator is required to create IAM policies that grant users and roles permission to carry out particular API operations on the particular resources that they require. After that, the administrator is required to associate such policies with the IAM users or groups that are in need of those permissions.

Policies that are based on a person’s identity are extremely effective. They decide whether a person can create Amazon VPC resources in your account, access those resources, or delete those resources. Your AWS account may be charged additional fees as a result of these actions.

  • Start Using Amazon Web Services’ Managed Policies - Utilize AWS-managed policies to delegate the necessary permissions to your staff so that they may begin utilizing Amazon VPC as quickly as possible. These policies are already accessible through your account and are kept current by AWS, which you do not need to do anything for.
  • Give the least privilege – When you are creating custom policies, be sure that you only grant the rights that are necessary to complete a given activity. Permissions should be kept to a bare minimum at first, and then extra permissions should be granted only when required. This approach provides a higher level of protection than beginning with permissions that are excessively lax and afterward working to tighten them up.
  • Enable Multi-Factor Authentication for Sensitive Operations- IAM users should be required to perform multi-factor authentication (MFA) in order to access critical resources or API operations. This provides an additional layer of protection.
  • Boost security by using policy conditions – Define the conditions under which your identity-based policies provide access to a resource, to the degree that this is possible. It is possible to specify a range of IP addresses from which a request must originate using criteria. The use of SSL or MFA, for example, may be required in order for a request to be accepted.
  • Make use of Amazon VPC- Permissions are required in order to access the Amazon VPC console.. These rights must allow you to list and access information about Amazon VPC resources in your AWS account. Identity-based policies that are more restrictive than the minimum required permissions will cause the console to behave incorrectly for entities (IAM users or roles) with those policies.

This policy allows users to view resources in the VPC console, but not to add, edit, or remove them.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeClassicLinkInstances",
                "ec2:DescribeClientVpnEndpoints",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeEgressOnlyInternetGateways",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeManagedPrefixLists",
                "ec2:DescribeMovingAddresses",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfacePermissions",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribePrefixLists",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroupReferences",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSecurityGroupRules",
                "ec2:DescribeStaleSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeTrafficMirrorFilters",
                "ec2:DescribeTrafficMirrorSessions",
                "ec2:DescribeTrafficMirrorTargets",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeTransitGatewayVpcAttachments",
                "ec2:DescribeTransitGatewayRouteTables",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeVpcClassicLinkDnsSupport",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcEndpointConnectionNotifications",
                "ec2:DescribeVpcEndpointConnections",
                "ec2:DescribeVpcEndpointServiceConfigurations",
                "ec2:DescribeVpcEndpointServicePermissions",
                "ec2:DescribeVpcEndpointServices",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ec2:GetManagedPrefixListAssociations",
                "ec2:GetManagedPrefixListEntries"
            ],
            "Resource": "*"
        }
    ]
}

Users who are just using the AWS CLI or the AWS API don’t need to be granted minimum console access rights by default. Enforce API operation matching for those users instead of allowing all other actions.
A public subnet can be added to a VPC.

VPCs, subnets, route tables, and internet gateways can all be created in the following example. Additionally, users may connect an internet gateway to their VPC and set up routes in the route tables to access the Internet. Each instance launched inside a VPC receives a DNS hostname thanks to the ec2:ModifyVpcAttribute action, which allows customers to enable DNS hostnames for their VPCs.

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpc", 
        "ec2:CreateSubnet", 
        "ec2:DescribeAvailabilityZones",
        "ec2:CreateRouteTable", 
        "ec2:CreateRoute", 
        "ec2:CreateInternetGateway", 
        "ec2:AttachInternetGateway", 
        "ec2:AssociateRouteTable", 
        "ec2:ModifyVpcAttribute"
      ],
      "Resource": "*"
    }
   ]
}
AWS Architect

AWS Service Business Continuity Plan

Thousands of businesses are lose an unprecedented amount of money every quarter - don’t let yours! Protect your AWS services with this FREE AWS Business Continuity Plan. Learn More

Jacob Murphy
Jacob Murphy

Jake is a writer and marketing associate for AllCode with a wealth of experience in a variety of industries.

Related Articles

Here’s Why You Should Work with an AWS Partner

Here’s Why You Should Work with an AWS Partner

Amazon Web Services is understandably a difficult platform to adapt to and utilize fully upon first getting started. Some organizations can be selected to become certified partners to indirectly extend services to help build on the Amazon Cloud. Finding a certified company to help build out is undoubtedly the best way to significantly simplify, streamline, and reduce the cost of utilizing AWS.

Amazon Web Services – CodeCatalyst

Amazon Web Services – CodeCatalyst

When a development team is building out an application, it helps to have access to the same resources, have the tools for planning and testing, and to have access to the application all in one place. CodeCatalyst comes with a slew of continuous integration/continuous development (CI/CD) tools and can leverage other AWS services and be connected to other AWS projects on an account. As a collaborative tool, it is easy to introduce new members into the project and to log all activity or all tests from a single dashboard. It’s a complete package of all the tools needed to securely work on every step of an application’s lifecycle.

The Definitive Guide to AWS Pricing

The Definitive Guide to AWS Pricing

Perhaps the biggest issue with AWS that its competitors edge out on is the confusing pricing model. It does promise the capacity to help users save significantly on funds that otherwise by avoiding spending on unnecessary resources, but getting to that point isn’t always clear. We will be covering in greater detail how this works.

Download our 10-Step Cloud Migration ChecklistYou'll get direct access to our full-length guide on Google Docs. From here, you will be able to make a copy, download the content, and share it with your team.