[IGBF-4026] Design EC2 user permissions for modifying instance state and security groups - JIRA UNCC

Details

Type: Task
Status: Closed (View Workflow)
Priority: Major
Resolution: Done
Affects Version/s: None
Fix Version/s: None
Labels:
None

Story Points:
1
Epic Link:
Deploy and maintain infrastructure
Sprint:
Fall 7, Winter 1, Spring 1, Spring 2, Spring 3

Description

Enable AWS Admin to achieve the following functionality for users in a specific group:

Users added to the group should have permissions to perform the following actions only for EC2 instances with a specific tag:

Modify EC2 instance state (Start, Stop, and Restart)
Modify Security Groups associated with those instances

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

AWS Screenshot.png
773 kB
27/Feb/25 1:08 PM
policy_v2.json
1 kB
08/Jan/25 3:19 PM
policy.json
2 kB
07/Jan/25 3:23 PM

Issue Links

is cloned by

IGBF-4031 Investigate how to prevent AWS overspending in a developer personal account

Closed

Activity

Descending order - Click to sort in ascending order

Hide

Permalink

Ann Loraine added a comment - 27/Feb/25 3:46 PM

Thanks Pranav Bhatia!

Show

Ann Loraine added a comment - 27/Feb/25 3:46 PM Thanks Pranav Bhatia !

Hide

Permalink

Pranav Bhatia (Inactive) added a comment - 27/Feb/25 1:08 PM - edited

Tested the security group rule modifications for bioviztest20250226. Successfully added an SSH ingress rule with my current IP, and the changes saved without errors, confirming the setup is working as expected.

Attached is the screenshot for reference. !AWS

Show

Pranav Bhatia (Inactive) added a comment - 27/Feb/25 1:08 PM - edited Tested the security group rule modifications for bioviztest20250226. Successfully added an SSH ingress rule with my current IP, and the changes saved without errors, confirming the setup is working as expected. Attached is the screenshot for reference. !AWS

Hide

Permalink

Ann Loraine added a comment - 26/Feb/25 12:15 PM - edited

Manually adding the tags needed to allow developers to turn on and off, and also add or delete new security group rules, from the new host I just set up, for testing purposes.

Ready for testing.

To test:

Ensure that your Loraine Lab AWS user id belongs to group 2025-EC2Developer (ask Ann Loraine to confirm for you)
Log into the AWS console using your LoraineLab user id.
Navigate to the EC2 dashboard.
Select EC2 called bioviztest20250226
Select the security group for bioviztest20250226
Choose the option to modify / edit the ingress rules
Choose the option to add a new ingress rule for access using "ssh" and your current IP address
Choose "save"
If the "save" action completes without an error, this means the configuration is working as expected. If that happens, kindly close this ticket.

Show

Ann Loraine added a comment - 26/Feb/25 12:15 PM - edited Manually adding the tags needed to allow developers to turn on and off, and also add or delete new security group rules, from the new host I just set up, for testing purposes. Ready for testing. To test: Ensure that your Loraine Lab AWS user id belongs to group 2025-EC2Developer (ask Ann Loraine to confirm for you) Log into the AWS console using your LoraineLab user id. Navigate to the EC2 dashboard. Select EC2 called bioviztest20250226 Select the security group for bioviztest20250226 Choose the option to modify / edit the ingress rules Choose the option to add a new ingress rule for access using "ssh" and your current IP address Choose "save" If the "save" action completes without an error, this means the configuration is working as expected. If that happens, kindly close this ticket.

Hide

Permalink

Ann Loraine added a comment - 26/Feb/25 12:08 PM

The error above was due to that particular task executing before the apache web server gets installed. I moved that particular task to the end of the "apache" role, which took care of the problem.

Show

Ann Loraine added a comment - 26/Feb/25 12:08 PM The error above was due to that particular task executing before the apache web server gets installed. I moved that particular task to the end of the "apache" role, which took care of the problem.

Hide

Permalink

Ann Loraine added a comment - 26/Feb/25 11:34 AM

Made new EC2 and ran setup.yml, but got this error:

ASK [clone : Make symbolic link from cloned repository to /usr/lib/cgi-bin/geneIdLookup.py] ***
fatal: [bioviztest20250226]: FAILED! =>

Unknown macro: {"changed"}

Show

Ann Loraine added a comment - 26/Feb/25 11:34 AM Made new EC2 and ran setup.yml, but got this error: ASK [clone : Make symbolic link from cloned repository to /usr/lib/cgi-bin/geneIdLookup.py] *** fatal: [bioviztest20250226] : FAILED! => Unknown macro: {"changed"}

10 older comments

Hide

Permalink

Pranav Bhatia (Inactive) added a comment - 07/Jan/25 3:23 PM

Assuming user group has already been setup in IAM (Identity and Access Management)

Create a policy and attach the policy to a user group.

The attached JSON can be used to set policy where users can only read EC2 instances and start/stop instances that have a specific tag, such as Environment=Dev.

After applying this policy, users will only be able to start/stop/reboot instances that have the tag Environment=Dev.

Note: Please ensure that the EC2 instances have the correct tags added to them.

Show

Pranav Bhatia (Inactive) added a comment - 07/Jan/25 3:23 PM Assuming user group has already been setup in IAM (Identity and Access Management) Create a policy and attach the policy to a user group. The attached JSON can be used to set policy where users can only read EC2 instances and start/stop instances that have a specific tag, such as Environment=Dev. After applying this policy, users will only be able to start/stop/reboot instances that have the tag Environment=Dev. Note: Please ensure that the EC2 instances have the correct tags added to them.

Design EC2 user permissions for modifying instance state and security groups

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates