
I want to allow a script running on my EC2 instance to indicate when it is healthy to the autoscaling group. To do so, I can run the following from my script:

aws --region $AWSREGION \
  autoscaling \
  set-instance-health \
  --instance-id $(curl http://169.254.169.254/latest/meta-data/instance-id) \
  --health-status Unhealthy

Before granting any special permissions to the IAM role, I get the following error (as I'd expect):

An error occurred (AccessDenied) when calling the SetInstanceHealth operation: User: arn:aws:sts::ACCOUNTID:assumed-role/ROLENAME/i-INSTANCEID is not authorized to perform: autoscaling:SetInstanceHealth

I could add the following statement to my IAM role to get around this:

{
  "Action": [
    "autoscaling:SetInstanceHealth"
  ],
  "Effect": "Allow",
  "Resource": "*"
}

But wouldn't that allow instances in this role to set instance health on all instances (assuming they know the instance id)? I wouldn't want one compromised instance being able to take others out of their own ASGs.

pkaeding

  • This method might work: [Granting access to S3 resources based on role name](http://stackoverflow.com/a/35720528/174777). It also has a method for using the Instance ID. However, it is hard-coded rather than being a variable. – John Rotenstein Feb 08 '17 at 06:53

1 Answer

The Supported Resource-Level Permissions documentation lists Auto Scaling group in the Resource ARN column, indicating you can restrict autoscaling:SetInstanceHealth by Resource.

The IAM Policy Simulator disagrees:

This action does not support resource-level permissions

... but I've verified the following IAM policy permits finding members of auto-scaling groups, checking their CloudWatch metrics, and then setting instance health of members of only one auto-scaling group:

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "autoscaling:SetInstanceHealth"
          ],
          "Resource": "arn:aws:autoscaling:REGION:ACCOUNT:autoScalingGroup:UUID:autoScalingGroupName/NAME"
      },
      {
          "Effect": "Allow",
          "Action": [
              "autoscaling:DescribeAutoScalingGroups",
              "cloudwatch:ListMetrics",
              "cloudwatch:GetMetricStatistics"
          ],
          "Resource": "*"
      }
  ]
}

Garth Kidd
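As an added check (not code from the question or the answer): a small Python audit that builds the ASG-scoped ARN in the form the answer's policy uses and flags any Allow statement granting SetInstanceHealth on a wildcard or non-ASG resource, which is what the question's `"Resource": "*"` statement does. The region, account id, group UUID and group name are placeholders; the real UUID and name come from DescribeAutoScalingGroups, and the audit assumes the policy does not use NotAction/NotResource.

```python
import fnmatch

SET_HEALTH = "autoscaling:SetInstanceHealth"

def asg_arn(region, account_id, group_uuid, group_name):
    """Build the ASG ARN in the form used by the answer's policy."""
    return (f"arn:aws:autoscaling:{region}:{account_id}:autoScalingGroup:"
            f"{group_uuid}:autoScalingGroupName/{group_name}")

def scoped_policy(arn):
    """Instance-role policy that allows SetInstanceHealth only within one ASG."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": [SET_HEALTH], "Resource": arn},
            {"Effect": "Allow", "Action": ["autoscaling:DescribeAutoScalingGroups"],
             "Resource": "*"},
        ],
    }

def _as_list(value):
    # IAM allows Statement, Action and Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]

def unscoped_set_health(policy):
    """Return Resource entries of Allow statements that grant SetInstanceHealth
    on anything broader than a single, fully specified ASG ARN.
    Assumption: the audited policy does not use NotAction/NotResource."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # Action matching is case-insensitive and "*" spans ":" (e.g. "autoscaling:*").
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(SET_HEALTH.lower(), a) for a in actions):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if "*" in res or "?" in res or not res.startswith("arn:aws:autoscaling:"):
                findings.append(res)
    return findings

# Constructed sample: the question's unscoped statement wrapped in a policy document.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": [SET_HEALTH], "Effect": "Allow", "Resource": "*"}]}

if __name__ == "__main__":
    arn = asg_arn("us-east-1", "123456789012", "UUID-PLACEHOLDER", "web-asg")
    print("broad policy findings:", unscoped_set_health(BROAD_POLICY))   # ['*']
    print("scoped policy findings:", unscoped_set_health(scoped_policy(arn)))  # []
```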