Identity and Access Management integration for EC2 Image Builder - EC2 Image Builder
AudienceAuthenticating with identitiesResource-Based Policies
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Identity and Access Management integration for EC2 Image Builder

Topics

Audience

How you use Amazon Identity and Access Management (IAM) differs, depending on the work that you do in Image Builder.

Service user – If you use the Image Builder service to do your job, then your administrator provides you with the credentials and permissions that you need. As you use more Image Builder features to do your work, you might need additional permissions. Understanding how access is managed can help you request the right permissions from your administrator. If you cannot access a feature in Image Builder, see Troubleshoot IAM issues in EC2 Image Builder.

Service administrator – If you're in charge of Image Builder resources at your company, you probably have full access to Image Builder. It's your job to determine which Image Builder features and resources your service users should access. You must then submit requests to your IAM administrator to change the permissions of your service users. Review the information on this page to understand the basic concepts of IAM. To learn more about how your company can use IAM with Image Builder, see How EC2 Image Builder works with IAM policies and roles.

IAM administrator – If you're an IAM administrator, you might want to learn details about how you can write policies to manage access to Image Builder. To view example Image Builder identity-based policies that you can use in IAM, see Image Builder identity-based policies.

Authenticating with identities

For detailed information about how to provide authentication for people and processes in your Amazon Web Services account, see Identities in the IAM User Guide.

EC2 Image Builder resource-based policies

For information about how to create a component, see Use components to customize your Image Builder image.

Restricting Image Builder component access to specific IP addresses

The following example grants permissions to any user to perform any Image Builder operations on components. However, the request must originate from the range of IP addresses specified in the condition.

The condition in this statement identifies the 54.240.143.* range of allowed Internet Protocol version 4 (IPv4) IP addresses, with one exception: 54.240.143.188.

The Condition block uses the IpAddress and NotIpAddress conditions and the aws:SourceIp condition key, which is an Amazon-wide condition key. For more information about these condition keys, see Specifying Conditions in a Policy. Theaws:sourceIp IPv4 values use the standard CIDR notation. For more information, see IP Address Condition Operators in the IAM User Guide.

{
  "Version": "2012-10-17",
  "Id": "IBPolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "imagebuilder.GetComponent:*",
      "Resource": "arn:aws-cn:imagebuilder:::examplecomponent/*",
      "Condition": {
         "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
         "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"} 
      } 
    } 
  ]
}