Reputation: 157
We have an AWS user, who should be able to Create different resources like Instances, Volumes and SecurityGroups but not modify resources that are not part of its project.
For this purpose we allow the creation of resources and let the user CreateTags his resources with a Project tag and a value of <user's team name here>. He should not be able to tag already tagged resources and so, not the resources of other teams. (Every single resource is properly tagged here).
I have created a policy with statement:
[...]
{
    "Effect": "Allow",
    "Action": "ec2:CreateTags",
    "Resource": "*",
    "Condition": {
        "Null": {
            "ec2:ResourceTag/Project": "true"
        }
    }
}
[...]
If I use the Policy Simulator by AWS, I am allowed to call CreateTags on a resource without a Project tag.
If I simulate it with setting a Project tag, the action is denied just as expected.
Unfortunately, if I use the same actions from the AWS CLI with this policy, CreateTags is allowed every time. Even if the tag is already set and even on foreign instances the user should not be able to modify:
as user with mentioned policy
aws ec2 create-security-group --group-name "test-sg" --description "test" # creation of a new resource
(AWS answer) {
    "GroupId": "sg-4a3151aa"
}
.
aws ec2 create-tags --resources sg-4a31513c --tags Key=Project,Value=web-performance # this should work, ResourceTag Project is Null
(success)
aws ec2 create-tags --resources sg-4a31513c --tags Key=Project,Value=web-performance # should *not* work, ResourceTag Project is already set and not Null
(success)
As you can see, it works both times and it works also on foreign Projects where the tag is already set.
I also tried it with
"Condition": {
    "StringNotLike": {
        "ec2:ResourceTag/Project": "*"
    }
}
This behaves exactly like the "Null" Condition, even in the Policy Simulator.
Do you have any ideas? Thanks in advance.
Upvotes: 2
Views: 1668
Reputation: 78840
Amazon EC2 has partial support for resource-level permissions. At the time of writing, the CreateTags action does not support resource-level permissions. You can see the list of actions that support resource-level permissions here.
You can verify this by changing your policy to specify StopInstances (which supports resource-level permissions) in place of CreateTags. Your IAM user will only be able to stop an EC2 instance if the instance does not have a Project tag. Alternatively, if you change the Null condition to false, then the IAM user will only be able to stop an EC2 instance if the instance does have a Project tag.
So, your policy will presumably be correct at some point in the future, when CreateTags supports resource-level permissions.
Upvotes: 2
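The behaviour described in the answer, as an added example (not code from either post, and not AWS's implementation): a simplified Python model of how the Null and StringNotLike operators evaluate when the request context for an action carries no ec2:ResourceTag/Project key. The set of actions that supply the key follows the answer's statement about CreateTags and StopInstances; all function names and the sample tags are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Assumption taken from the answer: only actions with resource-level
# permission support get ec2:ResourceTag/* keys in the request context.
SUPPORTS_RESOURCE_TAG_KEYS = {"ec2:StopInstances"}  # ec2:CreateTags is absent

def request_context(action, resource_tags):
    """Condition keys the modelled service hands to policy evaluation."""
    if action in SUPPORTS_RESOURCE_TAG_KEYS:
        return {f"ec2:ResourceTag/{k}": v for k, v in resource_tags.items()}
    return {}  # the tags exist on the resource but the policy cannot see them

def condition_holds(operator, key, value, ctx):
    present = key in ctx
    if operator == "Null":
        # "true" requires the key to be absent, "false" requires it present
        return present != (value == "true")
    if operator == "StringLike":
        # fnmatchcase approximates IAM's * and ? wildcards for this sample
        return present and fnmatchcase(ctx[key], value)
    if operator == "StringNotLike":
        # negated operators also match when the key is missing
        return not present or not fnmatchcase(ctx[key], value)
    raise ValueError(f"operator not modelled: {operator}")

def is_allowed(statement, action, resource_tags):
    """Evaluate a single Allow statement; no match means implicit deny."""
    if statement["Action"] != action:
        return False
    ctx = request_context(action, resource_tags)
    return all(
        condition_holds(op, key, value, ctx)
        for op, pairs in statement.get("Condition", {}).items()
        for key, value in pairs.items()
    )

def statement(action, operator, value):
    """Same shape as the policy statement in the question."""
    return {"Effect": "Allow", "Action": action, "Resource": "*",
            "Condition": {operator: {"ec2:ResourceTag/Project": value}}}

if __name__ == "__main__":
    tagged = {"Project": "other-team"}  # constructed sample resource tags
    for action in ("ec2:CreateTags", "ec2:StopInstances"):
        for op, val in (("Null", "true"), ("StringNotLike", "*")):
            for tags in ({}, tagged):
                stmt = statement(action, op, val)
                print(action, op, tags, is_allowed(stmt, action, tags))
```

In this model both conditions hold for CreateTags whether or not the resource is tagged, which matches what the question reports from the CLI, while StopInstances is denied on a tagged resource.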