Reputation: 605
How to concisely write a policy to control access to Amazon EC2 resources based on tags
I have an IAM group called "devops" to which I want to apply a policy that will grant members of that group full access to EC2 instances tagged "Class=devops", and no access to any other EC2 instances. I found this great knowledge center article by Amazon which put me on the right path: https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/.
The problem as I see it stems from the "Note" about halfway down that page:
"Full control" extends to all actions within the EC2 namespace with the exception of those Amazon EC2 API actions that currently do not support resource-level permissions. For more information, see Unsupported Resource-Level Permissions in the Amazon EC2 API Reference.
If you follow the link in the note to the list of unsupported resource-level permissions, you'll find that it's dozens of items long. You'll also find this statement:
All Amazon EC2 actions can be used in an IAM policy to either grant or deny users permission to use that action. However, not all Amazon EC2 actions support resource-level permissions, which enable you to specify the resources on which an action can be performed. The following Amazon EC2 API actions currently do not support resource-level permissions; therefore, to use these actions in an IAM policy, you must grant users permission to use all resources for the action by using a * wildcard for the Resource element in your statement. In order to grant "allow" permissions to all of these.
If I wanted to grant permissions in this policy to all of those actions which don't support resource-level permissions, my policy would be hundreds of lines long! Is there a better and more concise way to do this?
Upvotes: 0
Views: 101
Answers (1)
Reputation: 81356
There is one simple shortcut. A lot of the actions start with the same word such as "Describe". You can cover this list with a wildcard. Example, "Action" : "ec2:Describe*".
Just be careful with actions that will then override your other policy sections that DENY actions for specific resources.
Upvotes: 1
Related Questions
- Dynamically tagging of AWS resources
- AWS IAM - Deny certain EC2 actions based on resource tags?
- How to give access to all AWS resources based on a resource tag?
- Is using tag values to control access to a resource possible?
- Protecting AWS resources based on Tags
- AWS - Granting access to all resources with specific tags
- Grant read only IAM Permission to ec2 resources based on Tag using custom policy
- IAM policy to restrict EC2 access based on tag
- Allow user to manage EC2 by its tags
- EC2 IAM policy to require tags