How to give access to all AWS resources based on a resource tag?

Question

I’m trying to create an IAM Admin role that has access to all AWS resources, across all services, that have a specific tag. In other words, I need the equivalent of AWS’ native “Administrator” but for tagged resources only. How do I accomplish this?

For context, I need team-specific IAM admin roles. If an EC2 server, or and S3 bucket, or an ECS task has the tag “team” with the tag’s value being the team’s name, that role should be able to administer those resources.

What have I tried so far?

1

The first approach was the most obvious: copy the AWS Administrator role and add a Condition to it:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/team": "teamA"
        }
      }
    }
  ]
}

This is something that's described in this related post but this does not work.

AWS documentation Controlling access to AWS resources using resource tags notes that that some services need the service-specific prefix, such as iam:ResourceTag. I thought that this would work for at least the services that supported the generic aws:ResourceTag prefix but it doesn't even do that.

2

I then tried a more targeted approach by listing the Actions more selectively. I grabbed the AWS AmazonEC2FullAccess policy and added a Condition to it:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/team": "teamA"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/team": "teamA"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/team": "teamA"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/team": "teamA"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "autoscaling.amazonaws.com",
            "ec2scheduled.amazonaws.com",
            "elasticloadbalancing.amazonaws.com",
            "spot.amazonaws.com",
            "spotfleet.amazonaws.com",
            "transitgateway.amazonaws.com"
          ]
        },
        "StringLike": {
          "ec2:ResourceTag/team": "teamA"
        }
      }
    }
  ]
}

I tried this with a generic "Resource": "*" and a specific "Resource": "arn:aws:ec2:*:*:instance/*", neither of which worked. The EC2 service either reports API Error or You do not have any instances in this region when navigating to the EC2 service.

Also tried with both generic aws:ResourceTag and service-specific condition, e.g. ec2:ResourceTag.

Any thoughts are appreciated. It seems more and more likely that AWS does not support a "shotgun" approach that I'm looking to do.

If a shotgun approach is not possible, has anyone compiled an IAM policy that accomplishes resource tags-based access for all AWS services?

Answer 1

I've been testing this a lot. You cannot even trust the policy simulator. In theory any resource listed here with the "Authorization based on tags" set to "yes" can use the ResourceTag condition. The only feasible way I've found is to go service by service in the policy generator looking for service specific conditions that you can add, tedious. I'll try to update my answer with a list of actually working conditions based on the ResourceTag element.