Error in IAM custom policy to restrict a user on the basis of tag

Question

I have created a custom IAM policy to restrict user access on the basis of tags like if the Resource tag Name has any value Test then the user can start-stop reboot the instance.

Here is my policy :

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Sid": "TheseActionsDontSupportResourceLevelPermissions",

            "Effect": "Allow",

            "Action": ["ec2:Describe*"],

            "Resource": "*"

        },

        {

            "Sid": "TheseActionsSupportResourceLevelPermissionsWithTags",

            "Effect": "Allow",

            "Action": [

                "ec2:TerminateInstances",

                "ec2:StopInstances",

                "ec2:StartInstances"

            ],

            "Resource": "arn:aws:ec2:us-east-1:acct_no:instance/*",

            "Condition": {

                "ForAnyValue:StringEquals": {

                    "ec2:ResourceTag/Name": "Test"

                }

            }

        }

    ]

}

But when I apply the policy the user can't perform the specified actions.

Answer 1

ForAnyValue is an inappropriate condition for your Amazon IAM use case

IAM policy for Controlling Management Access on Specific Instances:

{

  "Version": "2012-10-17",

  "Statement": [

    {

      "Action": [

        "ec2:StartInstances",

        "ec2:StopInstances",      

        "ec2:RebootInstances",

        "ec2:TerminateInstances"

      ],

      "Condition": {

        "StringEquals": {

          "ec2:ResourceTag/critical":"true"

        }

      },

      "Resource": [

        "arn:aws:ec2:your_region:your_account_ID:instance/*"

      ],

      "Effect": "Allow"

    }

  ]

}