I have created a custom IAM policy to restrict user access on the basis of tags, e.g. if the resource tag Name has the value Test, then the user can start, stop and reboot the instance.
Here is my policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TheseActionsDontSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": ["ec2:Describe*"],
      "Resource": "*"
    },
    {
      "Sid": "TheseActionsSupportResourceLevelPermissionsWithTags",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:StopInstances",
        "ec2:StartInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:acct_no:instance/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "ec2:ResourceTag/Name": "Test"
        }
      }
    }
  ]
}
But when I apply the policy, the user can't perform the specified actions.
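The first thing to check in a tag-conditioned policy like the one above is the condition operator. `ForAnyValue:` and `ForAllValues:` are the set operators that IAM defines for multivalued context keys (such as `aws:TagKeys`); `ec2:ResourceTag/Name` carries exactly one value per request, so the documented form is the plain `StringEquals`. The script below is an added example, not part of the original post: it lints a policy document for set operators wrapped around single-valued tag keys, emits a corrected copy, and runs a deliberately simplified model of `StringEquals` over a few constructed request contexts to show what the corrected condition matches. The list of single-valued key patterns is illustrative rather than the complete IAM key set, and the evaluator ignores every operator other than `StringEquals`, policy variables and case-insensitive variants; both are assumptions of this example. The policy text is the one from the question, including its `acct_no` placeholder.

```python
"""Lint an IAM policy for set operators (ForAnyValue:/ForAllValues:) applied to
single-valued condition keys such as ec2:ResourceTag/<key>, and emit a corrected
copy that uses the plain operator. Added example; not code from the original post."""
import copy
import fnmatch
import json

# Constructed input: the policy from the question, account id left as the
# placeholder the post uses.
POLICY_TEXT = r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TheseActionsDontSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": ["ec2:Describe*"],
      "Resource": "*"
    },
    {
      "Sid": "TheseActionsSupportResourceLevelPermissionsWithTags",
      "Effect": "Allow",
      "Action": ["ec2:TerminateInstances", "ec2:StopInstances", "ec2:StartInstances"],
      "Resource": "arn:aws:ec2:us-east-1:acct_no:instance/*",
      "Condition": {
        "ForAnyValue:StringEquals": {"ec2:ResourceTag/Name": "Test"}
      }
    }
  ]
}
'''

# Assumption: an illustrative list of context keys that carry one value per
# request. IAM's set operators are defined for multivalued keys (e.g. aws:TagKeys).
SINGLE_VALUED_KEY_PATTERNS = (
    "ec2:ResourceTag/*",
    "aws:ResourceTag/*",
    "aws:RequestTag/*",
    "aws:PrincipalTag/*",
)
SET_PREFIXES = ("ForAnyValue:", "ForAllValues:")


def is_single_valued(key):
    return any(fnmatch.fnmatchcase(key, pat) for pat in SINGLE_VALUED_KEY_PATTERNS)


def _statements(policy):
    # "Statement" may be a single object or a list; normalise to a list.
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts


def lint_policy(policy):
    """Return (Sid, operator, key) for every set operator wrapping a single-valued key."""
    findings = []
    for stmt in _statements(policy):
        for op, keys in stmt.get("Condition", {}).items():
            if op.startswith(SET_PREFIXES):
                for key in keys:
                    if is_single_valued(key):
                        findings.append((stmt.get("Sid", "<no Sid>"), op, key))
    return findings


def fix_policy(policy):
    """Deep-copy the policy, moving single-valued keys from ForAnyValue:X /
    ForAllValues:X to the plain operator X. Multivalued keys keep their operator."""
    fixed = copy.deepcopy(policy)
    for stmt in _statements(fixed):
        cond = stmt.get("Condition")
        if not cond:
            continue
        new_cond = {}
        for op, keys in cond.items():
            if not op.startswith(SET_PREFIXES):
                new_cond.setdefault(op, {}).update(keys)
                continue
            base_op = op.split(":", 1)[1]
            for key, values in keys.items():
                target = base_op if is_single_valued(key) else op
                new_cond.setdefault(target, {})[key] = values
        stmt["Condition"] = new_cond
    return fixed


def string_equals_matches(condition, request_context):
    """Simplified model of the StringEquals block only: case-sensitive, no policy
    variables, other operators ignored. A key absent from the request never matches."""
    for key, allowed in condition.get("StringEquals", {}).items():
        allowed = allowed if isinstance(allowed, list) else [allowed]
        if request_context.get(key) not in allowed:
            return False
    return True


if __name__ == "__main__":
    policy = json.loads(POLICY_TEXT)
    for sid, op, key in lint_policy(policy):
        print(f"{sid}: {op} applied to single-valued key {key}")
    fixed = fix_policy(policy)
    cond = fixed["Statement"][1]["Condition"]
    print(json.dumps(cond, indent=2))
    # Constructed request contexts: a Test-tagged instance, a Prod-tagged one, an untagged one.
    for ctx in ({"ec2:ResourceTag/Name": "Test"}, {"ec2:ResourceTag/Name": "Prod"}, {}):
        print(ctx, "->", string_equals_matches(cond, ctx))
```

The lint reports the second statement's `ForAnyValue:StringEquals` on `ec2:ResourceTag/Name`, and the corrected copy carries `"StringEquals": {"ec2:ResourceTag/Name": "Test"}`, which matches only a request whose instance actually carries `Name=Test`. The script does not check two other things visible in the post: the `acct_no` placeholder in the resource ARN must be the real 12-digit account id, and the statement grants `ec2:TerminateInstances` but not the `ec2:RebootInstances` the description mentions. Once a policy passes the lint, `aws iam simulate-custom-policy` (supplying `ec2:ResourceTag/Name` through `--context-entries`) lets you confirm the Allow against IAM itself before attaching the policy to a user.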