IAM policy to restrict access to one VPC

amazon-web-services amazon-vpc amazon-iam

You most likely need to recompose your IAM Policy along the lines of Example 5. Launching instances into a specific VPC within Controlling Access to Amazon VPC Resources:

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:region:account:subnet/*",
        "Condition": {
         "StringEquals": {
            "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"
            }
      }
   },
   ...
   ]
}

That is, the available resources (and their granularity) are specific to each API action, so for the example at hand RunInstances applies to EC2 resources in a specific subnet, and that in turn is part of a VPC; accordingly you need to target the subnets but can further constrain the set of possible subnets by means of their ec2:Vpc attribute via IAM Policy Conditions as outlined above.

Related

Pros / cons of using password-less OpenVPN client keys
"Deny Logon Locally" effects
Is there a way to script the installation of System Center Configuration Manager updates listed in Software Center?
Out-of-order chef recipes causing apt package install to fail
How to Install RVM and RUBY to the specific user in the salt-minion
Running "sudo chef-client" does not update with latest version of cookbook
Can't log in to FTP on Debian with vsftpd
Using dig axfr to perform a zone transfer from a Windows Server 2012 DNS server
Add multi monitor option to remote desktop web access
How to force active directory replication from one DC to another
Have DHCP use different scopes based on MAC address using Server 2012
in windows server 2012 - is it possible to use File Server Resource Manager to screen folders by name?