Create an IAM policy to control access to EC2 resources using tags

How do I create an IAM policy to control access to Amazon EC2 resources using tags?

Last updated: 2021-09-27

How do I create an AWS Identity and Access Management (IAM) policy that controls access to Amazon Elastic Compute Cloud (Amazon EC2) instances using tags?

Short description

You can control access to smaller deployments of Amazon EC2 instances as follows:

  1. Add a specific tag to the instances you want to grant the users or groups access to.
  2. Create an IAM policy that grants access to any instances with the specific tag.
  3. Attach the IAM policy to the users or groups that you want to access the instances.

Resolution

Add a tag to your group of EC2 instances

Open the Amazon EC2 console, and then add tags to the group of EC2 instances that you want the users or groups to be able to access. If you don't already have a tag, create a new tag.

Note: Be sure to read and understand the tag restrictions before tagging your resources. Amazon EC2 tags are case-sensitive.

Create an IAM policy that grants access to instances with the specific tag

Create an IAM policy that does the following:

  • Allows control over the instances with the tag.
  • Contains a conditional statement that allows access to Amazon EC2 resources if the value of the condition key ec2:ResourceTag/UserName matches the policy variable ${aws:username}. IAM replaces ${aws:username} with the friendly name of the current IAM user when it evaluates the policy.
    Note: aws:username is populated only for IAM users. For a role session (including federated users) the variable has no value, so the condition can't match and this statement grants nothing. Likewise, EC2 actions that don't support the ec2:ResourceTag condition key aren't granted by this statement, because a StringEquals condition on a key that isn't present in the request evaluates to false.
  • Allows access to the ec2:Describe* actions for Amazon EC2 resources.
  • Explicitly denies access to the ec2:CreateTags and ec2:DeleteTags actions to prevent users from creating or deleting tags.
    Note: This prevents the user from taking control of an EC2 instance by adding the specific tag to it. The explicit deny wins even though the first statement's ec2:* would otherwise allow tagging the user's own instances.

The finished policy looks similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/UserName": "${aws:username}"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "*"
    }
  ]
}

Note: This policy controls access to existing Amazon EC2 resources through the ec2:ResourceTag condition key; it doesn't by itself restrict how new instances are launched. To restrict launching new Amazon EC2 instances using tags, see How can I use IAM policy tags to restrict how an EC2 instance or EBS volume can be created?
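The following is an added example, not part of the AWS article: a deliberately small model of IAM policy evaluation (an explicit Deny overrides any Allow; with no matching Allow the request is implicitly denied) applied to the policy above, so each of its three statements can be exercised offline before you attach it. Only what this policy uses is modelled: the "*" wildcard in Action, the StringEquals operator, the ec2:ResourceTag/<key> condition key and the ${aws:username} variable. Every Resource in the policy is "*", so resource ARN matching is left out, and the scenarios (user names, tag values) are constructed. Real IAM evaluates far more (SCPs, permission boundaries, resource policies, session policies), so treat this as a reading aid, not a substitute for the IAM policy simulator.

```python
"""Offline walk-through of the tag-scoped EC2 policy from this article.

Added example, not AWS code: a minimal IAM evaluation model (Deny wins,
otherwise Allow if any statement matches, otherwise implicit deny) applied to
the article's policy. Only StringEquals, ec2:ResourceTag/<key> and
${aws:username} are modelled; all scenarios below are constructed.
"""
import fnmatch

# The policy from the article, verbatim.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/UserName": "${aws:username}"}},
        },
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Resource": "*"},
    ],
}

TAG_KEY_PREFIX = "ec2:ResourceTag/"
USERNAME_VAR = "${aws:username}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names match case-insensitively; "*" is the only wildcard used here.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(condition, resource_tags, username):
    """True if every StringEquals pair in the condition block is satisfied."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator not modelled: {operator}")
        for key, wanted in pairs.items():
            if not key.startswith(TAG_KEY_PREFIX):
                raise NotImplementedError(f"condition key not modelled: {key}")
            if USERNAME_VAR in wanted:
                if username is None:
                    # aws:username exists only for IAM users. For a role session the
                    # variable is absent, so the condition can never be satisfied.
                    return False
                wanted = wanted.replace(USERNAME_VAR, username)
            # StringEquals compares values case-sensitively, and the model matches the
            # tag key exactly too (EC2 tags are case-sensitive). A missing tag fails.
            if resource_tags.get(key[len(TAG_KEY_PREFIX):]) != wanted:
                return False
    return True


def evaluate(policy, action, resource_tags, username):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    resource_tags: the tags on the EC2 resource being acted on.
    username: the IAM user's friendly name, or None for a role session.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), resource_tags, username):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit Deny wins regardless of statement order
        decision = "Allow"
    return decision


# Constructed scenarios: (label, action, tags on the target resource, caller).
SCENARIOS = [
    ("alice stops her own instance", "ec2:StopInstances", {"UserName": "alice"}, "alice"),
    ("bob stops alice's instance", "ec2:StopInstances", {"UserName": "alice"}, "bob"),
    ("bob describes instances", "ec2:DescribeInstances", {}, "bob"),
    ("alice tags her own instance", "ec2:CreateTags", {"UserName": "alice"}, "alice"),
    ("tag value differs only in case", "ec2:StopInstances", {"UserName": "Alice"}, "alice"),
    ("role session (no aws:username)", "ec2:StopInstances", {"UserName": "alice"}, None),
]


def run_scenarios(policy=POLICY):
    """Evaluate every constructed scenario and return {label: decision}."""
    return {label: evaluate(policy, action, tags, user) for label, action, tags, user in SCENARIOS}


if __name__ == "__main__":
    for label, decision in run_scenarios().items():
        print(f"{decision:<13} {label}")
```

The fourth scenario is the one that matters for the article's last bullet: ec2:CreateTags on alice's own instance is matched by the first statement's ec2:* with a true condition, yet the outcome is ExplicitDeny because the third statement applies. The last two scenarios show the two silent failure modes called out above: a tag value that differs only in case, and a caller whose session has no aws:username.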

Attach the IAM policy to the users or groups you want to access the instances

Finally, attach the IAM policy that you created to the users or groups you want to access the instances. You can attach the IAM policy using the AWS Management Console, AWS CLI, or AWS API.


Granting IAM users required permissions for Amazon EC2 resources

IAM policies for Amazon EC2


View AWS Activate promotional credits

I received an email with my AWS Activate Founders or Portfolio package information. Where do I find my AWS promotional credit?

Last updated: 2022-03-04

I received an email with my AWS Activate Founders or Portfolio package information. Where do I find my AWS promotional credit?

Resolution

If you receive an email welcoming you to AWS Activate along with benefit information, your AWS Activate Founders or Portfolio package application has been approved and processed. Your AWS promotional credits are added directly to the AWS account that you specified on your application.

Check the Credits page of the Billing and Cost Management console to see your account's active credits and promotions.


Getting started with AWS Activate

AWS Activate FAQ


Resolve issues with an AWS Business support charge for an AWS Activate portfolio package

Why was I charged for AWS Business Support when I have an AWS Activate Portfolio package?

Last updated: 2022-03-04

I was charged for my AWS Support plan, even though I signed up for an AWS Activate Portfolio package that includes a credit for AWS Business Support. How can I resolve this issue?

Resolution

If you had an AWS Support subscription other than a Business-level Support plan before you were approved for an AWS Activate Portfolio package, see AWS Premium Support FAQs, and follow the instructions in Q: How do I cancel my AWS Support subscription? to cancel your support subscription. Then, follow the instructions in the welcome email you received from the AWS Activate team.

If you can't locate the email from the AWS Activate team, or if you have questions about the AWS Activate program, then contact the AWS Activate team at AWS Activate Contact Us.


AWS Activate

AWS Support


Sign up for an AWS Activate package

How do I sign up for an AWS Activate package?

Last updated: 2022-03-04

I'm interested in an AWS Activate package. How do I sign up?

Resolution

AWS Activate offers two packages: the Founders package and the Portfolio package.

  • The AWS Activate Founders package is available for startups that aren't associated with an AWS Activate Provider. The AWS Activate Providers include select venture capital firms, accelerators, incubators, and other startup-enabling organizations. For more information on how to qualify for the AWS Founders package, see Getting Started with AWS Activate.
  • The AWS Activate Portfolio package is available to startups that are associated with an AWS Activate Provider. For a non-exhaustive list of AWS Activate Providers, see AWS Activate Providers. You can contact your AWS Activate Provider for more information on how to qualify for the AWS Activate Portfolio package.

For more information about these packages, see AWS Activate.

Note: If you're an agency, IT shop, or a consultancy, consider the AWS Partner Network instead.


Apply for AWS Activate

AWS Activate FAQ

Redeem your AWS Promotional Credit


Secure an API Gateway WebSocket API

How can I secure my Amazon API Gateway WebSocket API?

Last updated: 2022-11-04

I want to secure my Amazon API Gateway WebSocket API. How can I do this?

Short description

Amazon API Gateway supports the following methods for controlling and managing access to APIs:

  • AWS Identity and Access Management (IAM) authorization
  • AWS Lambda REQUEST authorizer function

Resolution

IAM authorization

For WebSocket APIs, make sure that the IAM policies granted to callers reference your routes with an ARN in the following format:

arn:aws:execute-api:region:account-id:api-id/stage-name/route-key

For more information, see Using IAM authorization.

Lambda authorizer function

Lambda authorizers for WebSocket APIs run only on the $connect route, so you can't use path variables (event.pathParameters) in the authorizer function: the path is fixed. Make sure that the methodArn ends with "$connect" in the following format:

arn:aws:execute-api:region:account-id:api-id/stage-name/$connect

For more information, see Creating a Lambda REQUEST authorizer function.
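The following is an added example, not code from the article or from AWS: a Lambda REQUEST authorizer for a WebSocket API's $connect route, written to the two points above. It checks that the methodArn it receives has the $connect form, and the policy it returns scopes execute-api:Invoke to that same route ARN, which is the ARN format the IAM authorization section describes. Assumptions, labelled in the code: the client presents its token in a `token` query string parameter (the authorizer's identity source would be configured as route.request.querystring.token; browsers can't add custom headers to a WebSocket handshake, so a query string is the usual choice), and the token format is a constructed `<user>.<hex HMAC-SHA256>` signed with a hypothetical shared secret. A production authorizer would verify a real JWT or session token instead; the event shape, the ARN check and the response shape are the parts that carry over.

```python
"""Lambda REQUEST authorizer for a WebSocket API $connect route.

Added example, not from the article or AWS sample code. Assumed identity
source: the `token` query string parameter. Assumed token scheme (constructed
for this example): "<user>.<hex HMAC-SHA256 of user>" under a shared secret.
"""
import hashlib
import hmac
import os
import re

# Hypothetical secret; in a real deployment pull it from Secrets Manager or an
# encrypted environment variable, never a literal.
SECRET = os.environ.get("TOKEN_SECRET", "constructed-demo-secret").encode()

# arn:aws:execute-api:region:account-id:api-id/stage-name/$connect
CONNECT_ARN_RE = re.compile(r"^arn:aws[^:]*:execute-api:[^:]+:\d{12}:[^/]+/[^/]+/\$connect$")


def mint_token(user):
    """Issue a token for `user` (constructed scheme; stands in for a real issuer)."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def verify_token(token):
    """Return the user name carried by a valid token, or None."""
    user, sep, mac = token.rpartition(".")
    if not sep or not user:
        return None
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged MAC can't be guessed byte by byte.
    return user if hmac.compare_digest(mac, expected) else None


def _policy(principal_id, effect, resource):
    """Build the authorizer response: an IAM policy for execute-api:Invoke."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource or "*"}
            ],
        },
    }


def handler(event, context=None):
    """Lambda entry point for the WebSocket API's $connect REQUEST authorizer."""
    method_arn = event.get("methodArn", "")
    # WebSocket authorizers are invoked only for $connect, so the ARN must end
    # with it. Anything else means the authorizer is attached to the wrong API.
    if not CONNECT_ARN_RE.match(method_arn):
        return _policy("anonymous", "Deny", method_arn)

    # Assumed identity source: the `token` query string parameter.
    token = (event.get("queryStringParameters") or {}).get("token", "")
    user = verify_token(token)
    if user is None:
        return _policy("anonymous", "Deny", method_arn)

    response = _policy(user, "Allow", method_arn)
    # Keys in `context` reach the $connect integration as $context.authorizer.<key>.
    response["context"] = {"user": user}
    return response


if __name__ == "__main__":
    # Constructed $connect event with a placeholder account ID and API ID.
    arn = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/$connect"
    event = {"type": "REQUEST", "methodArn": arn, "headers": {},
             "queryStringParameters": {"token": mint_token("alice")}}
    print(handler(event)["policyDocument"]["Statement"][0]["Effect"])
```

Returning a Deny policy rather than raising is deliberate: the caller is refused either way, but a well-formed Deny keeps the authorizer's behaviour uniform and cacheable. The Resource in the Allow statement is the exact $connect ARN passed in, so the policy can't be replayed against another stage or API.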


How can I set up a custom domain name for my API Gateway API?


Troubleshoot CloudFormation stack issues in AWS Amplify

How do I troubleshoot CloudFormation stack issues in my AWS Amplify project?

Last updated: 2022-04-05

When I try to deploy my AWS Amplify application, I receive an AWS CloudFormation error similar to the following: "Resource is not in the state stackUpdateComplete". How do I troubleshoot the issue?

Short description

To troubleshoot CloudFormation stack issues in your Amplify project, first identify what's causing the issue by reviewing the following in the CloudFormation console:

  • The Status code and Status reason of the backend stack.
  • The Status, Status reason, and Logical ID values of the backend stack's recent Events.
  • The Status, Status reason, and Logical ID values of the backend stack's Resources.

Note: The Status reason value contains an error message returned by CloudFormation that identifies what's causing the error.

Then, remediate the issue based on the Status, Status reason, and Logical ID values listed in the console.

Resolution

Note: The CloudFormation stacks that Amplify provisions or updates can return errors for many reasons. The following are the most common reasons why CloudFormation stacks return errors associated with Amplify projects:

  • Misconfigurations in the associated Amplify project
  • Missing files in the associated Amplify project
  • Using an outdated version of the Amplify Command Line Interface (Amplify CLI)

Identify what's causing the issue by reviewing the stack's status codes and status reasons in the CloudFormation console

1.    Open the Amplify console.

2.    Choose the Backend environments tab. Then choose your application's backend environment.

3.    Choose the Overview tab. Then, choose View in CloudFormation. The Stack info page of the backend environment's CloudFormation stack opens in the CloudFormation console.

4.    In the Overview pane, review the Status and Status reason values. These are the backend stack's status code and status reason.

Note: If the project's root stack is in the UPDATE_ROLLBACK_FAILED status, then follow the instructions in this article: How can I get my CloudFormation stack to update if it's stuck in the UPDATE_ROLLBACK_FAILED state?

5.    Choose the Events tab. Review the Status, Status reason, and Logical ID values for all of the recent events that are in a failed status.

Note: Make sure that you identify any events with the UPDATE_FAILED status.

6.    Choose the Resources tab. Review the Status, Status reason, and Logical ID values for all of the resources that are in a failed status.

7.    (For nested stacks only) On the Resources pane, look for resources of type AWS::CloudFormation::Stack. Then, review the Status reason values for the nested stacks that are in a failed status.

Important: When troubleshooting, ignore resources that failed with a Resource update cancelled status. This status signifies a dependent, downstream resource that didn't fail, but also wasn't updated because of another resource failure.
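The following is an added example, not part of the article: it applies steps 5 to 7 above, including the rule about ignoring "Resource update cancelled", to the JSON that `aws cloudformation describe-stack-events --stack-name <root stack>` returns, so the root cause can be picked out of a long event list without clicking through the console. The field names (StackEvents, ResourceStatus, ResourceStatusReason, LogicalResourceId, PhysicalResourceId, ResourceType, Timestamp) are the CloudFormation API's; the events themselves are constructed sample data with placeholder stack names and a placeholder account ID.

```python
"""Triage of a failed Amplify backend stack from its CloudFormation events.

Added example, not from the article: filters describe-stack-events output the
way steps 5 to 7 describe. The sample events are constructed.
"""
import json

CANCELLED_PREFIX = "Resource update cancelled"
NESTED_STACK_TYPE = "AWS::CloudFormation::Stack"

# Constructed sample of describe-stack-events output (newest first, as the API
# returns it): the function's nested stack failed, so the auth stack's update
# was cancelled and the root stack started rolling back.
SAMPLE_EVENTS = json.loads("""
{
  "StackEvents": [
    {"Timestamp": "2022-04-05T10:02:30Z", "LogicalResourceId": "amplify-demo-dev-123456",
     "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "UPDATE_ROLLBACK_IN_PROGRESS",
     "ResourceStatusReason": "The following resource(s) failed to update: [functionhello]."},
    {"Timestamp": "2022-04-05T10:02:29Z", "LogicalResourceId": "authcognito",
     "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "UPDATE_FAILED",
     "ResourceStatusReason": "Resource update cancelled"},
    {"Timestamp": "2022-04-05T10:02:28Z", "LogicalResourceId": "functionhello",
     "PhysicalResourceId": "arn:aws:cloudformation:us-east-1:123456789012:stack/amplify-demo-dev-123456-functionhello-ABC123/11111111-2222-3333-4444-555555555555",
     "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "UPDATE_FAILED",
     "ResourceStatusReason": "Embedded stack arn:aws:cloudformation:us-east-1:123456789012:stack/amplify-demo-dev-123456-functionhello-ABC123/11111111-2222-3333-4444-555555555555 was not successfully updated. Currently in UPDATE_ROLLBACK_IN_PROGRESS with reason: The following resource(s) failed to update: [LambdaFunction]."},
    {"Timestamp": "2022-04-05T10:01:00Z", "LogicalResourceId": "functionhello",
     "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "UPDATE_IN_PROGRESS"},
    {"Timestamp": "2022-04-05T10:01:00Z", "LogicalResourceId": "authcognito",
     "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "UPDATE_IN_PROGRESS"},
    {"Timestamp": "2022-04-05T10:00:00Z", "LogicalResourceId": "amplify-demo-dev-123456",
     "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "UPDATE_IN_PROGRESS",
     "ResourceStatusReason": "User Initiated"}
  ]
}
""")


def triage(describe_output):
    """Return the failed events worth reading, oldest first.

    Events in a *_FAILED status are kept unless their reason is
    "Resource update cancelled" (a dependent resource that was never updated,
    not the cause). For a nested stack the next step is to run
    describe-stack-events against the embedded stack, whose stack ID is the
    resource's PhysicalResourceId.
    """
    findings = []
    for ev in sorted(describe_output["StackEvents"], key=lambda e: e["Timestamp"]):
        status = ev.get("ResourceStatus", "")
        reason = ev.get("ResourceStatusReason", "")
        if not status.endswith("_FAILED"):
            continue
        if reason.startswith(CANCELLED_PREFIX):
            continue
        nested = ev.get("ResourceType") == NESTED_STACK_TYPE
        findings.append({
            "logical_id": ev["LogicalResourceId"],
            "status": status,
            "reason": reason,
            "nested_stack": nested,
            "next_step": (
                f"aws cloudformation describe-stack-events --stack-name {ev.get('PhysicalResourceId')}"
                if nested
                else "search the Amplify CLI troubleshooting guide and GitHub issues for this status reason"
            ),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['status']} {f['logical_id']} ({'nested stack' if f['nested_stack'] else f['reason']})")
        print(f"  next: {f['next_step']}")
```

On the sample data the cancelled authcognito event is dropped and the only finding is the functionhello nested stack, with the embedded stack's ARN ready to paste into the next describe-stack-events call; repeating the same filter on that stack's events leads to the LambdaFunction resource and the actual error message to search for.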

Remediate the issue based on the Status, Status reason, and Logical ID values listed in the console

Follow the instructions in the Amplify CLI Troubleshooting guide. For more information, you can also search for specific Status reasons in the Amplify CLI Issues page in GitHub.

Note: It's a best practice to test solutions in a nonproduction environment first.

