How to Set Up an AWS IAM Lightsail User and Permissions

In this video I will walk through the process of setting up a separate AWS user for the Lightsail console with restricted permissions. This is useful if you need to give someone other than yourself access to maintain a Lightsail server instance. If you need someone to manage a Lightsail instance, you might think about giving them your AWS credentials, which you should not do. Instead, set up a specific user with access only to the instances they need to manage. You might have other use cases for this as well.

Steps:

  1. Log in to the Lightsail Dashboard/Console.
  2. Go to the AWS Console.
  3. Go to IAM (Identity and Access Management).
  4. Create the Lightsail policy.
    1. AWS policies define the level of permissions for AWS resources.
    2. You then apply the policy to the user.
  5. Open PowerShell and get the instance ARN.
  6. Create a group and assign the policy.
  7. Create a user and add it to the group.
    1. Give console access.
    2. Auto-generate the password.
  8. Open a new browser and log in as the new user.
  9. Test out the permissions.

Lightsail Custom Policy JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lightsail:Get*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Deny",
            "Action": [
                "lightsail:GetInstanceAccessDetails"
            ],
            "Resource": "[DENIED ARN INSTANCE GOES HERE]"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "lightsail:Get*",
                "lightsail:PutInstancePublicPorts",
                "lightsail:StartInstance",
                "lightsail:StopInstance",
                "lightsail:RebootInstance",
                "lightsail:OpenInstancePublicPorts",
                "lightsail:CloseInstancePublicPorts",
                "lightsail:CreateInstanceSnapshot",
                "lightsail:GetInstanceAccessDetails"
            ],
            "Resource": "[ALLOWED ARN INSTANCE GOES HERE]"
        }
    ]
}
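As an added example (not code from the video or from AWS), the sketch below models how the three statements in this policy combine under IAM's rule that an explicit Deny overrides any Allow. The ARNs, account ID and function names are constructed placeholders, and the evaluator is a simplified model that ignores conditions, permission boundaries and organization policies.

```python
import fnmatch

# Constructed placeholder ARNs (assumptions, not values from the page).
BASE = "arn:aws:lightsail:us-east-1:111122223333:Instance/"
ALLOWED, DENIED, OTHER = BASE + "allowed-id", BASE + "denied-id", BASE + "other-id"

MANAGE = ["lightsail:Get*", "lightsail:PutInstancePublicPorts",
          "lightsail:StartInstance", "lightsail:StopInstance",
          "lightsail:RebootInstance", "lightsail:OpenInstancePublicPorts",
          "lightsail:CloseInstancePublicPorts", "lightsail:CreateInstanceSnapshot",
          "lightsail:GetInstanceAccessDetails"]

def build_policy(allowed_arn, denied_arn):
    """The page's custom policy with its two ARN placeholders filled in."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["lightsail:Get*"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["lightsail:GetInstanceAccessDetails"],
         "Resource": denied_arn},
        {"Effect": "Allow", "Action": MANAGE, "Resource": allowed_arn},
    ]}

def _matches(patterns, value, ignore_case=False):
    """True if value matches any pattern; '*' is the only wildcard used here."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if ignore_case:  # IAM action names are case-insensitive, ARNs are not
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policy, action, resource):
    """Simplified identity-policy evaluation: no Condition, NotAction, SCPs
    or permission boundaries. Returns 'Deny', 'Allow' or 'ImplicitDeny'."""
    allowed = False
    for st in policy["Statement"]:
        if _matches(st["Action"], action, True) and _matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides any Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"

if __name__ == "__main__":
    policy = build_policy(ALLOWED, DENIED)
    for action in ("lightsail:GetInstanceAccessDetails", "lightsail:StopInstance"):
        for name, arn in (("allowed", ALLOWED), ("denied", DENIED), ("other", OTHER)):
            print(f"{action:38} {name:8} {evaluate(policy, action, arn)}")
```

The "other" row is the one to check: because the first statement allows `lightsail:Get*` on `*`, `GetInstanceAccessDetails` (which returns temporary SSH keys) is allowed for every instance that is not named in the Deny statement, including instances created later.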

Full Permissions to Lightsail Custom Policy JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lightsail:*"
            ],
            "Resource": "*"
        }
    ]
}