Arjun

Reputation: 1

IAM policy to restrict EC2 access based on tag

I tried to restrict access to EC2 instance with the following IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:RebootInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Purpose": "devops-training"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeImages",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:CreateSecurityGroup",
                "ec2:DescribeSecurityGroups",
                "ec2:CreateTags",
                "ec2:DescribeTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "ap-southeast-2"
                }
            }
        }
    ]
}

But I cannot stop or start instances. I cannot find the mistake in the above policy. I can launch a new instance. I added a tag Purpose with value "devops-training". But still I cannot stop/start instances.

Upvotes: 0

Views: 1950

Answers (1)

Vikyol

Reputation: 5615

You should use ResourceTag/key-name instead. RequestTag is used if the action can attach tags as part of the request, such as ec2:RunInstances, ec2:CreateTags...

"Condition": {
    "StringEquals": {
        "ec2:ResourceTag/Purpose": "devops-training"
    }
}

Request – Control what tags can be passed in a request. To do this, use the aws:RequestTag/key-name condition key to specify what tag key-value pairs can be passed in a request to tag or untag an AWS resource.

Resource – Control access to AWS service resources based on the tags on those resources. To do this, use the ResourceTag/key-name condition key to determine whether to allow access to the resource based on the tags that are attached to the resource.

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-resources

Upvotes: 3
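The following is an added example, not code from the question or the answer. It is a small Python model of the one IAM evaluation rule the answer relies on: a StringEquals condition whose key is absent from the request context evaluates to false, and StopInstances/StartInstances never carry request tags, so the posted aws:RequestTag/Purpose condition can never match those calls. The same model also shows a caveat with the fix: the question's second statement grants ec2:CreateTags on Resource "*", so once the lifecycle statement keys on ec2:ResourceTag, the principal could tag any instance in the region with Purpose=devops-training and then stop or terminate it. The HARDENED policy below is an assumed mitigation (not from the page) that uses the real ec2:CreateAction condition key to limit tagging to RunInstances. The account ID and instance ARN are constructed, the Describe* list is abbreviated, and explicit Deny statements are not modelled.

```python
import fnmatch

# Constructed sample values; no real account or instance is referenced.
REGION = "ap-southeast-2"
INSTANCE = "arn:aws:ec2:ap-southeast-2:123456789012:instance/i-0123456789abcdef0"
LIFECYCLE_ACTIONS = ["ec2:StartInstances", "ec2:StopInstances",
                     "ec2:TerminateInstances", "ec2:RebootInstances"]
# Abbreviated from the question's second statement; the other Describe*
# calls do not change any outcome below.
LAUNCH_ACTIONS = ["ec2:RunInstances", "ec2:DescribeInstances",
                  "ec2:CreateTags", "ec2:DescribeTags"]

def _matches(patterns, value):
    """IAM Action/Resource matching: '*' and '?' wildcards, exact otherwise."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    """StringEquals only. A key absent from the request context fails the test:
    StopInstances carries no tags, so aws:RequestTag/Purpose never exists."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            allowed = expected if isinstance(expected, list) else [expected]
            if context.get(key) not in allowed:
                return False
    return True

def evaluate(policy, action, resource_arn, context):
    """'Allow' if any Allow statement matches, else the implicit 'Deny'.
    Explicit Deny is not modelled; the question's policy has none."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            raise NotImplementedError("explicit Deny not modelled")
        if (_matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource_arn)
                and _condition_holds(stmt.get("Condition", {}), context)):
            return "Allow"
    return "Deny"

def request_context(request_tags=None, resource_tags=None, create_action=None):
    """Condition keys IAM populates for one EC2 call in REGION: aws:RequestTag/*
    from tags in the request, ec2:ResourceTag/* from tags already on the
    instance, ec2:CreateAction only when tags are applied during creation."""
    ctx = {"aws:RequestedRegion": REGION}
    ctx.update({f"aws:RequestTag/{k}": v for k, v in (request_tags or {}).items()})
    ctx.update({f"ec2:ResourceTag/{k}": v for k, v in (resource_tags or {}).items()})
    if create_action:
        ctx["ec2:CreateAction"] = create_action
    return ctx

def question_policy(tag_condition_key):
    """The question's two statements, parameterised on the tag condition key."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": LIFECYCLE_ACTIONS,
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {tag_condition_key: "devops-training"}}},
        {"Effect": "Allow", "Action": LAUNCH_ACTIONS, "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": REGION}}}]}

AS_POSTED = question_policy("aws:RequestTag/Purpose")
AS_ANSWERED = question_policy("ec2:ResourceTag/Purpose")

# The answer's fix, plus ec2:CreateTags in its own statement so tags can only
# be applied during RunInstances and only with the training value. A blanket
# CreateTags grant would let the principal re-tag any instance and pull it
# under the lifecycle statement. (Assumed hardening, not from the page.)
HARDENED = {"Version": "2012-10-17", "Statement": [
    AS_ANSWERED["Statement"][0],
    {"Effect": "Allow", "Action": [a for a in LAUNCH_ACTIONS if a != "ec2:CreateTags"],
     "Resource": "*", "Condition": {"StringEquals": {"aws:RequestedRegion": REGION}}},
    {"Effect": "Allow", "Action": "ec2:CreateTags",
     "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
     "Condition": {"StringEquals": {"aws:RequestedRegion": REGION,
                                    "ec2:CreateAction": "RunInstances",
                                    "aws:RequestTag/Purpose": "devops-training"}}}]}

def stop_tagged_instance(policy):
    """The question's scenario: StopInstances on an instance already tagged."""
    ctx = request_context(resource_tags={"Purpose": "devops-training"})
    return evaluate(policy, "ec2:StopInstances", INSTANCE, ctx)

def retag_then_stop(policy):
    """Escalation check: CreateTags on an untagged instance, then StopInstances.
    Returns (CreateTags result, StopInstances result)."""
    tag = evaluate(policy, "ec2:CreateTags", INSTANCE,
                   request_context(request_tags={"Purpose": "devops-training"}))
    now_tagged = {"Purpose": "devops-training"} if tag == "Allow" else {}
    stop = evaluate(policy, "ec2:StopInstances", INSTANCE,
                    request_context(resource_tags=now_tagged))
    return tag, stop

def tag_on_launch(policy):
    """CreateTags as issued by RunInstances with tag specifications."""
    ctx = request_context(request_tags={"Purpose": "devops-training"},
                          create_action="RunInstances")
    return evaluate(policy, "ec2:CreateTags", INSTANCE, ctx)

if __name__ == "__main__":
    for name, pol in [("as posted", AS_POSTED), ("as answered", AS_ANSWERED),
                      ("hardened", HARDENED)]:
        print(name, stop_tagged_instance(pol), retag_then_stop(pol), tag_on_launch(pol))
```

Running it shows the posted policy denying StopInstances on a correctly tagged instance, the answer's ResourceTag version allowing it, and the same ResourceTag version also allowing the retag-then-stop path; the hardened variant denies the retag while still permitting tagging at launch. This is a teaching model only: before relying on any of these policies, check them against the real engine with the IAM policy simulator (for example `aws iam simulate-custom-policy`), which also accounts for explicit Deny, permission boundaries and SCPs that this model leaves out.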
