
I have created an Ubuntu instance in Amazon EC2. The instance has 3 project folders in the root directory:

/var/www/html/project_1
/var/www/html/project_2
/var/www/html/project_3

I would like to add an IAM user for a developer with access to only the project_1 folder and not the others. The developer should be able to connect to the instance via SSH or SFTP (through FileZilla or an SSH client) but get access to only the project_1 folder.

John Rotenstein
h4kl0rd

3 Answers


You are mixing two types of authentication.

AWS IAM Users are granted permissions to make API calls to AWS services, such as launching an Amazon EC2 instance, uploading files to Amazon S3 and sending a message to an Amazon SQS queue.

However, when logging into an Amazon EC2 instance running Linux, the operating system on the instance is responsible for security, typically using SSH keypairs associated with users. This type of security is completely separate from IAM Users. You cannot assign permissions on an instance to IAM Users.

Instead, you will need to:

  • Create separate Linux users on the EC2 instance
  • Use your standard corporate security to authenticate to the instance (eg Active Directory or LDAP). If you do not have a central directory authentication service, then you will need to generate keypairs for each user putting their public keypair in the user's .ssh/authorized_keys file inside their home directory.
  • Use standard Linux techniques to assign folder/file access to users on the instance (eg chown)
  • Users can then ssh/scp to the instance, providing their username and private keypair. They will have access to the files based upon permissions that were granted.

Bottom line: It's standard Linux. Assign permissions as you would for on-premises computers.

John Rotenstein
  • When I ssh to the instance I need to use the `pem` file to be able to log in. How does this user use `ssh` or `sftp` without pem? – h4kl0rd May 31 '19 at 11:36
  • You are correct. They use a `pem` file to authenticate. This is totally separate to IAM and IAM Users. Your question says "I would like to add an IAM user for a developer with access to only project_1 folder". This is not possible. As stated above, it requires a user to be defined on the instance itself, not in IAM. – John Rotenstein May 31 '19 at 23:10
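The procedure this answer lists (a Linux user per developer, their public key in `~/.ssh/authorized_keys`, ownership and mode bits on the project folders) carried through as a shell script for the instance. This is an added example, not code from the answer: it assumes Ubuntu with the web server running as `www-data`, the `/var/www/html/project_*` layout from the question, a developer account named `dev1`, and a Linux group per project (`project_1`, `project_2`, ...). The optional sshd `Match` block that confines the user to SFTP inside the web root is also the example's own choice; it is the part to leave out if the developer needs an interactive shell.

```shell
#!/usr/bin/env bash
# Added example (not from the answer): give a developer SSH/SFTP access to one
# project folder only, using ordinary Linux users, groups and mode bits.
# Assumptions: Ubuntu, web files served by www-data, run as root on the instance.
set -eu

WEB_ROOT="${WEB_ROOT:-/var/www/html}"   # layout from the question
WEB_USER="${WEB_USER:-www-data}"        # assumed web server account

# Put a public key (the .pem file the asker holds is the matching private half)
# into <home>/.ssh/authorized_keys with the modes sshd's StrictModes demands:
# 0700 on .ssh, 0600 on the file. Idempotent: re-running never duplicates a key.
install_authorized_key() {   # <home_dir> <pubkey_line> [owner_user]
  home="$1"; pubkey="$2"; owner="${3:-}"
  install -d -m 0700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  chmod 0600 "$home/.ssh/authorized_keys"
  grep -qxF -- "$pubkey" "$home/.ssh/authorized_keys" ||
    printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
  [ -z "$owner" ] || chown -R "$owner:" "$home/.ssh"
}

# Octal mode of a path (GNU/busybox stat), used to verify what sshd will see.
mode_of() { stat -c '%a' "$1"; }

# Ownership per project: WEB_USER owns the files, a per-project group gets
# read/write, and no "other" bits remain, so a user outside the group cannot
# even list the directory. setgid on directories makes new files keep the group.
lock_project() {             # <dir> <group>
  dir="$1"; grp="$2"
  getent group "$grp" >/dev/null || groupadd "$grp"
  chown -R "$WEB_USER:$grp" "$dir"
  find "$dir" -type d -exec chmod 2770 {} +
  find "$dir" -type f -exec chmod 0660 {} +
}

# Optional sshd_config fragment: SFTP only, chrooted to WEB_ROOT. sshd requires
# the ChrootDirectory to be root-owned and not group/world-writable, which the
# default /var/www/html on Ubuntu satisfies. Inside the chroot the developer can
# see the project_* names but, given lock_project's modes, enter only their own.
render_sftp_match() {        # <user>
  cat <<EOF
Match User $1
    ChrootDirectory $WEB_ROOT
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Full provisioning for one developer: account, group membership, key, folder
# permissions on every project (so the others are closed off), sshd restriction.
provision_dev() {            # <user> <project_dir_name> <pubkey_line>
  user="$1"; project="$2"; pubkey="$3"
  getent group "$project" >/dev/null || groupadd "$project"
  id -u "$user" >/dev/null 2>&1 || useradd -m -s /bin/bash "$user"
  usermod -aG "$project" "$user"
  install_authorized_key "/home/$user" "$pubkey" "$user"
  for d in "$WEB_ROOT"/project_*/; do
    d="${d%/}"
    lock_project "$d" "$(basename "$d")"
  done
  # Match blocks must come last in sshd_config; append once, then validate.
  grep -q "^Match User $user\$" /etc/ssh/sshd_config ||
    render_sftp_match "$user" >> /etc/ssh/sshd_config
  sshd -t && systemctl reload ssh
}

# usage (as root): ./provision.sh provision dev1 project_1 "ssh-ed25519 AAAA... dev1@laptop"
if [ "${1:-}" = "provision" ]; then
  provision_dev "$2" "$3" "$4"
fi
```

The developer then connects with `sftp -i dev1.pem dev1@<instance>` (or FileZilla with the same key) and lands in `/var/www/html`; `cd project_2` fails with permission denied because `dev1` is not in group `project_2`. To grant shell access instead of SFTP only, skip the `Match` block: the group and mode bits alone already keep the other project folders closed, though the user can then read anything else on the instance that is world-readable.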

You should create separate users, with permissions, for whoever needs access to your AWS EC2 instance.
And you'll need to set permissions on your folders to control which user or user group can access them.

Ref -
https://www.digitalocean.com/community/tutorials/how-to-create-a-sudo-user-on-ubuntu-quickstart

Narendra

One way to achieve what you want is you can put files in S3 and mount that S3 bucket in EC2. You can mount by syncing the folder in /var/www/html/ with your S3 bucket. For reference use this link.

Now you can configure your IAM user to have access only to that bucket and make whatever changes you want in it, and this will be reflected in EC2. You can access the S3 bucket using FTP as well now.

Ankitech