Intellipaat Back

Explore Courses Blog Tutorials Interview Questions
0 votes
2 views
in AWS by (19.1k points)

I have created a custom IAM policy to restrict user access on the basis of tags like if the Resource tag Name has any value Test then the user can start-stop reboot the instance.

Here is my policy :

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Sid": "TheseActionsDontSupportResourceLevelPermissions",

            "Effect": "Allow",

            "Action": ["ec2:Describe*"],

            "Resource": "*"

        },

        {

            "Sid": "TheseActionsSupportResourceLevelPermissionsWithTags",

            "Effect": "Allow",

            "Action": [

                "ec2:TerminateInstances",

                "ec2:StopInstances",

                "ec2:StartInstances"

            ],

            "Resource": "arn:aws:ec2:us-east-1:acct_no:instance/*",

            "Condition": {

                "ForAnyValue:StringEquals": {

                    "ec2:ResourceTag/Name": "Test"

                }

            }

        }

    ]

}

But when I apply the policy the user can't perform the specified actions.

1 Answer

0 votes
by (44.4k points)

ForAnyValue is an inappropriate condition for your Amazon IAM use case

IAM policy for Controlling Management Access on Specific Instances:

{

  "Version": "2012-10-17",

  "Statement": [

    {

      "Action": [

        "ec2:StartInstances",

        "ec2:StopInstances",      

        "ec2:RebootInstances",

        "ec2:TerminateInstances"

      ],

      "Condition": {

        "StringEquals": {

          "ec2:ResourceTag/critical":"true"

        }

      },

      "Resource": [

        "arn:aws:ec2:your_region:your_account_ID:instance/*"

      ],

      "Effect": "Allow"

    }

  ]

}

Related questions

Want to get 50% Hike on your Salary?

Learn how we helped 50,000+ professionals like you !

0 votes
1 answer
asked Mar 4, 2020 in AWS by chandra (29.3k points)

31k questions

32.8k answers

501 comments

693 users

Browse Categories

...