IAM Policy using Condition ec2:ResourceTag not working

Question

I have n x EC2 instances that I wish to limit ec2 actions to instances with the same key/value tag (I.E. platform=dev).

I'm looking at doing this using an IAM Policy attached to the group their default IAM user is in.

Policy:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "ec2:ResourceTag/tag:platform": "dev"
            }
        }
    }
]}

I set this up as per the online AWS docs: Example Policies for Working With the AWS CLI or an AWS SDK

I check it in the Policy Simulator and it works as expected (pass in a dev and it's allowed, otherwise denied).

Then on one of the servers with the tag key/pair of platform=dev, I run aws ec2 describe-instances I get the response:

An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.

but if I remove the Condition it works. I don't understand what I'm doing wrong. Any help would be gratefully received!

Answer 1

The problem is that not every API Action & Resource will accept the ec2:ResourceTag/tag in the condition.

I think you're probably granting overly-broad permissions (Action: ec2:*), so figure out what actions your instances will need do, and then decide how to restrict them.

The list of actions, resources and conditions keys can be found at Supported Resource-Level Permissions for Amazon EC2 API Actions.

Answer 2

I have ran into this issue before, it had something to do with combining wildcards and conditions. What solved it for us was being more explicit on the action (e.g ["ec2:DescribeInstances"]), and on the resource as well (arn:aws:ec2:region:accountid:instance/*).