Sohan Poonia

Reputation: 146

AWS IAM custom policy for compound values in a key not working

Trying to implement the AWS IAM tag-based custom policy for the scenarios below, but it's not working for me.

  1. Let's say a user has a tag whose key is Environment with multiple values for this tag (- is the delimiter for combining environment tag values). Like:

    (screenshot of the user's Environment tag)

  2. There are two EC2 instances which have the Environment tag key with the following values:

     Instance Name       Key            Value
  a) EC2 instance - 1    Environment    Dev
  b) EC2 instance - 2    Environment    Prod

  3. Below is the policy JSON condition which is not working. Policy name: A

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowStopStartEC2ForAll",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Environment": "${aws:PrincipalTag/Environment}"
                }
            }
        }
    ]
}

As per my requirement, a user who has policy A should be able to start/stop the EC2 instances.

Upvotes: 0

Views: 488

Answers (1)

John Rotenstein

Reputation: 269666

It appears your policy is based on Simplify granting access to your AWS resources by using tags on AWS IAM users and roles | AWS Security Blog.

However, that example was checking whether a string was equal:

            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"
                }
            }

In your case, you wish to use StringLike. When doing so, it checks whether the right-side expression is found within the left-side expression.

In your situation, you have:

  • User tag: Dev-Prod
  • Instance tag: Dev

Therefore, the left and right sides of the expression need to be swapped, and a wildcard added to work with StringLike:

            "Condition": {
                "StringLike": {
                    "aws:PrincipalTag/Environment": "*${ec2:ResourceTag/Environment}*"
                }
            }

The complete policy to use is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowStopStartEC2ForAll",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:PrincipalTag/Environment": "*${ec2:ResourceTag/Environment}*"
                }
            }
        }
    ]
}

Upvotes: 3
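To see why the original condition fails and the swapped one passes, here is a small simulator of IAM policy-variable substitution and the StringLike operator, added as an example and not part of the answer or of any AWS library. It evaluates only the Condition block, assumes the tag values from the question (user tag Dev-Prod, instances tagged Dev and Prod, constructed inline), and goes beyond the answer in one respect: it also shows how far the `*...*` wildcard over-matches (an instance tagged `D`, or with an empty Environment value, is also allowed), and a delimiter-anchored variant of the same idea (hypothetical, my suggestion, not from the answer) that narrows it.

```python
import re

# Constructed sample data matching the question: one user, two instances.
PRINCIPAL_TAGS = {"Environment": "Dev-Prod"}
INSTANCES = {
    "EC2 instance - 1": {"Environment": "Dev"},
    "EC2 instance - 2": {"Environment": "Prod"},
}

# The condition from the question (fails) and the answer's swapped condition (works).
ORIGINAL = {"StringLike": {"ec2:ResourceTag/Environment": "${aws:PrincipalTag/Environment}"}}
FIXED = {"StringLike": {"aws:PrincipalTag/Environment": "*${ec2:ResourceTag/Environment}*"}}
# Hypothetical stricter variant: store the user tag as "-Dev-Prod-" and anchor on the delimiter.
STRICTER = {"StringLike": {"aws:PrincipalTag/Environment": "*-${ec2:ResourceTag/Environment}-*"}}

_VAR = re.compile(r"\$\{([^}]+)\}")


def resolve(template, principal_tags, resource_tags):
    """Substitute ${aws:PrincipalTag/K} and ${ec2:ResourceTag/K} policy variables.
    A missing tag raises KeyError; the caller treats that as a failed condition,
    which is how IAM behaves when a referenced key is absent from the request."""
    def sub(m):
        key = m.group(1)
        if key.startswith("aws:PrincipalTag/"):
            return principal_tags[key[len("aws:PrincipalTag/"):]]
        if key.startswith("ec2:ResourceTag/"):
            return resource_tags[key[len("ec2:ResourceTag/"):]]
        raise KeyError(key)
    return _VAR.sub(sub, template)


def string_like(pattern, value):
    """IAM StringLike: case-sensitive, '*' matches any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_allows(condition, principal_tags, resource_tags):
    """Evaluate a Condition block with StringEquals/StringLike entries (all must hold)."""
    for operator, pairs in condition.items():
        for key, pattern in pairs.items():
            try:
                left = resolve("${" + key + "}", principal_tags, resource_tags)   # condition key
                right = resolve(pattern, principal_tags, resource_tags)           # condition value
            except KeyError:
                return False
            if operator == "StringEquals":
                ok = left == right
            elif operator == "StringLike":
                ok = string_like(right, left)
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def decisions(condition, principal_tags=PRINCIPAL_TAGS, instances=INSTANCES):
    """Map each instance name to whether the condition allows the action on it."""
    return {name: condition_allows(condition, principal_tags, tags) for name, tags in instances.items()}


def over_match(condition, principal_tags=PRINCIPAL_TAGS):
    """Probe how permissive a condition is against oddly tagged or untagged instances."""
    return {
        "tag D": condition_allows(condition, principal_tags, {"Environment": "D"}),
        "empty tag": condition_allows(condition, principal_tags, {"Environment": ""}),
        "no tag": condition_allows(condition, principal_tags, {}),
    }


if __name__ == "__main__":
    print("original:", decisions(ORIGINAL))
    print("fixed:   ", decisions(FIXED))
    print("fixed over-match:", over_match(FIXED))
    print("stricter over-match:", over_match(STRICTER, {"Environment": "-Dev-Prod-"}))
```

The same check against real IAM semantics can be made with `aws iam simulate-custom-policy`, passing the policy JSON and a `--context-entries` value for `aws:PrincipalTag/Environment`; the simulator above only models the two operators the thread uses, but it is enough to show that `*Dev*` matched against `Dev-Prod` is a substring test, so any instance whose tag value happens to be a substring of the user's tag (including an empty value) is also allowed.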
