Reputation: 10467
I want to create a policy so that a user can only create an EC2 key pair with the name "test-key-pair*", not a key pair with any other name, but it looks like there is no such way.
In fact, when I create the policy with the EC2:CreateKeyPair action, it shows "the action you chose supports all resources." But I do want to set some limit. So I click "request conditions", which shows a list of "global condition keys", such as aws:TagKeys. And I created the following conditions for EC2:CreateKeyPair. My understanding is that with this condition, when a user creates a key pair, he can create it only if he sets both the tag key CostCenter and the tag key Department; otherwise, he cannot.
However, this condition does not work at all: a user can create a key pair without setting any tag key. So I do not know how to use the "global condition keys". I do know how to use service-related conditions. Besides, I do not understand why, for resources like key pairs, I am not allowed to restrict the resources using something such as: test-key-pair*
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:CreateKeyPair",
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "CostCenter",
                        "Department"
                    ]
                }
            }
        }
    ]
}
Here is the link to the global condition keys:
Upvotes: 0
Views: 573
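An added illustration, not code from the original post or from AWS: a small Python model of the IAM set-operator semantics behind the behaviour described above. AWS documents that ForAllValues evaluates to true when the request carries no values for the condition key, so a request with no tags passes the question's condition. The hardened variant is an assumption for actions that accept tags on create; it adds Null conditions on aws:RequestTag/CostCenter and aws:RequestTag/Department, and the tag sets fed to it are constructed samples.

```python
"""Constructed model of IAM condition operators; not a real policy engine."""
from typing import Iterable, Mapping

ALLOWED_TAG_KEYS = {"CostCenter", "Department"}


def for_all_values_string_equals(request_values: Iterable[str], allowed: set) -> bool:
    """ForAllValues:StringEquals: every value in the request must be in `allowed`.

    AWS defines this as vacuously true when the request has no values for the
    key, which is why the question's policy still allows an untagged request.
    """
    return all(v in allowed for v in request_values)


def null_operator(request_values: Iterable[str], expect_null: bool) -> bool:
    """Null operator: "true" matches when the key is absent, "false" when present."""
    key_is_absent = len(list(request_values)) == 0
    return key_is_absent == expect_null


def request_tag_context(request_tags: Mapping[str, str], tag_key: str) -> list:
    """aws:RequestTag/<tag_key> resolves to [value] if the tag is sent, else []."""
    return [request_tags[tag_key]] if tag_key in request_tags else []


def original_policy_allows(request_tags: Mapping[str, str]) -> bool:
    """Statement from the question: only ForAllValues:StringEquals on aws:TagKeys."""
    return for_all_values_string_equals(request_tags.keys(), ALLOWED_TAG_KEYS)


def hardened_policy_allows(request_tags: Mapping[str, str]) -> bool:
    """Same statement plus (assumed hardening for a tag-on-create action):
        "Null": {"aws:RequestTag/CostCenter": "false",
                 "aws:RequestTag/Department": "false"}
    Condition blocks are ANDed, so both tags must be present and no other key may appear.
    """
    only_allowed_keys = for_all_values_string_equals(request_tags.keys(), ALLOWED_TAG_KEYS)
    required_present = all(
        null_operator(request_tag_context(request_tags, k), expect_null=False)
        for k in ALLOWED_TAG_KEYS
    )
    return only_allowed_keys and required_present


if __name__ == "__main__":
    # Constructed sample requests: untagged, partially tagged, fully tagged, extra key.
    for tags in ({}, {"CostCenter": "1234"},
                 {"CostCenter": "1234", "Department": "Eng"},
                 {"CostCenter": "1234", "Department": "Eng", "Owner": "alice"}):
        print(sorted(tags), original_policy_allows(tags), hardened_policy_allows(tags))
```

The untagged request is the interesting row: the original statement allows it while the hardened one denies it, which is the gap the question observed.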
Reputation: 269666
Tags cannot be associated with a keypair.
I tried a few conditions, but I was unable to limit the action to a specific Keyname.
So, it doesn't look like you can limit KeyPair creation based on the Key Name.
Some alternatives:
Upvotes: 1