Musa

Reputation: 23

IAM policy variables

I am confused by the policy variable "${aws:username}", i.e. whether it is the IAM username with which I logged in to the AWS account, or the tag value that I manually entered in the tags while creating instances.

Actually, I wanted to achieve that only the owner of the EC2 instance should be able to perform actions and others should be denied. Should the policy below work?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Owner": "${aws:username}"
                }
            }
        }
    ]
}

Upvotes: 1

Views: 2355

Answers (1)

Arun Kamalanathan

Reputation: 8583

The policy variable ${aws:username} is replaced with the friendly name of the current IAM user when the policy is evaluated by IAM.

https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/

Your policy should work.

Upvotes: 1
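To make the substitution concrete, here is an added example (not from the question or the answer, and not AWS code) that models how IAM evaluates the policy above: `${aws:username}` is expanded from the request context and compared with the `ec2:ResourceTag/Owner` key, and a missing key makes `StringEquals` false. The request contexts and the instance tags are constructed for illustration.

```python
import fnmatch

# Constructed copy of the policy from the question above.
OWNER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:*"],
        "Resource": ["*"],
        "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": "${aws:username}"}},
    }],
}

def substitute(value, ctx):
    """Expand ${key} policy variables from the request context. Returns None when
    a key is absent (aws:username is only set for IAM users, not role sessions)."""
    while "${" in value:
        start = value.index("${")
        end = value.index("}", start)
        key = value[start + 2:end]
        if key not in ctx:
            return None
        value = value[:start] + ctx[key] + value[end + 1:]
    return value

def condition_matches(condition, ctx):
    """StringEquals only: a key missing from the request context makes the
    condition false, so actions that carry no ec2:ResourceTag (DescribeInstances,
    RunInstances) are never matched by this statement."""
    for key, expected in condition.get("StringEquals", {}).items():
        wanted = substitute(expected, ctx)
        if wanted is None or ctx.get(key) != wanted:
            return False
    return True

def is_allowed(policy, action, ctx):
    """Minimal evaluation: explicit Deny wins, else a matching Allow, else implicit deny."""
    allowed = False  # resource matching is omitted because the policy uses "*"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, p) for p in actions):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Because every `ec2:*` call is gated on the tag condition, the policy grants nothing for actions that have no tagged resource in the request (listing or launching instances), so a separate statement is needed for those.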
