
I have the following policy; however, using this policy, users can still create resources with this tag, they just will have all access denied to the resource with this policy. Is there a way to deny EC2 creation based on a tag?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "ec2:*"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Environment": "test"
                }
            }
        }
    ]
}

2 Answers

  1. You can try this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyEC2CreationWithTag",
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:*:*:instance/*",
          "Condition": {
            "StringEquals": {
              "aws:RequestTag/Environment": "test"
            }
          }
        }
      ]
    }
    
  2. You should use the RequestTag condition key:

    The following IAM policy denies users the ability to create a specific tag "Environment" with the value "test" when launching new EC2 instances:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAccessToEC2",
                "Effect": "Allow",
                "Action": "ec2:*",
                "Resource": "*"
            },
            {
                "Sid": "RunInstancesWithTagRestrictions",
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringEquals": {
                        "aws:RequestTag/Environment": "test"
                    }
                }
            }
        ]
    }
    

    RequestTag condition key

    The aws:RequestTag/tag-key condition key is used to compare the key-value
    pair passed in the user request with the tag pair specified in the IAM
    policy. The condition key is available for actions that create a
    resource or tag on a resource, and checks the value of the tag.

    ResourceTag condition key

    The aws:ResourceTag/tag-key condition key compares the tag key-value
    pair specified in the IAM policy with the key-value pair that’s
    attached to the AWS resource. For more information, see Controlling
    access to AWS resources.

    Hope it helps.

    Useful Resources:

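As an added example, not part of either answer above, here is a small Python model of just enough IAM evaluation logic (explicit Deny wins over Allow, and a StringEquals condition only matches when its context key is actually present in the request) to show why the question's aws:ResourceTag condition cannot stop ec2:RunInstances while the answer's aws:RequestTag condition can: at launch time the instance does not exist yet, so it carries no resource tag and the Deny never fires, whereas the request tag is present in the call itself. The same harness exercises two coverage gaps worth checking before relying on the answer's policy: the Deny names only ec2:RunInstances, so a user who is also allowed ec2:CreateTags can launch untagged and attach Environment=test afterwards, and StringEquals compares values case-sensitively, so Environment=Test is not caught. ALLOW_ALL_EC2, HARDENED_DENY, the account ID, the instance ID and the request contexts are constructed for this example; the two Deny statements are the ones from the thread. The toy evaluator ignores the other resource types RunInstances creates (volumes, network interfaces) and every condition key except the two tag keys, so the authoritative check for a real account remains the IAM policy simulator.

```python
import fnmatch
from typing import Dict, List, Optional

# The two Deny statements are transcribed from the thread; the Allow and the
# hardened statement are constructed for this example.
ALLOW_ALL_EC2 = {  # stand-in for the broad EC2 permission the asker's users evidently hold
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAccessToEC2", "Effect": "Allow",
                   "Action": "ec2:*", "Resource": "*"}],
}
ORIGINAL_DENY = {  # the question's policy: keyed on a tag already ON the resource
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Deny", "Action": ["ec2:*"],
                   "Resource": ["arn:aws:ec2:*:*:instance/*"],
                   "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "test"}}}],
}
ANSWER_DENY = {  # the answer's Deny statement: keyed on the tag IN the request
    "Version": "2012-10-17",
    "Statement": [{"Sid": "RunInstancesWithTagRestrictions", "Effect": "Deny",
                   "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
                   "Condition": {"StringEquals": {"aws:RequestTag/Environment": "test"}}}],
}
HARDENED_DENY = {  # constructed: also covers tagging after launch, and ignores value case
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyTestTagAtLaunchOrLater", "Effect": "Deny",
                   "Action": ["ec2:RunInstances", "ec2:CreateTags"],
                   "Resource": "arn:aws:ec2:*:*:instance/*",
                   "Condition": {"StringEqualsIgnoreCase": {"aws:RequestTag/Environment": "test"}}}],
}

# Constructed context values. At RunInstances time the instance ID does not
# exist yet, so the ARN carries a wildcard and there are no resource tags.
ACCOUNT = "123456789012"
NEW_INSTANCE = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/*"
EXISTING = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0123456789abcdef0"


def _as_list(v) -> List[str]:
    return v if isinstance(v, list) else [v]


def _context_value(key: str, ctx: Dict) -> Optional[str]:
    """Resolve an aws:RequestTag/<k> or aws:ResourceTag/<k> condition key."""
    prefix, _, tag = key.partition("/")
    if prefix == "aws:RequestTag":
        return ctx.get("request_tags", {}).get(tag)
    if prefix == "aws:ResourceTag":
        return (ctx.get("resource_tags") or {}).get(tag)
    raise NotImplementedError(f"toy evaluator does not model {key}")


def _condition_holds(condition: Dict, ctx: Dict) -> bool:
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = _context_value(key, ctx)
            if actual is None:  # key absent from the request context: no match
                return False
            wanted = _as_list(expected)
            if operator == "StringEquals":  # exact, case-sensitive comparison
                ok = actual in wanted
            elif operator == "StringEqualsIgnoreCase":
                ok = actual.lower() in [w.lower() for w in wanted]
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def _statement_applies(stmt: Dict, ctx: Dict) -> bool:
    actions = [a.lower() for a in _as_list(stmt["Action"])]
    if not any(fnmatch.fnmatchcase(ctx["action"].lower(), a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policies: List[Dict], ctx: Dict) -> str:
    """Core IAM rule: an explicit Deny wins, then any Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def scenarios() -> Dict[str, str]:
    launch_test = {"action": "ec2:RunInstances", "resource": NEW_INSTANCE,
                   "request_tags": {"Environment": "test"}, "resource_tags": None}
    launch_prod = dict(launch_test, request_tags={"Environment": "prod"})
    launch_Test = dict(launch_test, request_tags={"Environment": "Test"})
    stop_tagged = {"action": "ec2:StopInstances", "resource": EXISTING,
                   "request_tags": {}, "resource_tags": {"Environment": "test"}}
    tag_later = {"action": "ec2:CreateTags", "resource": EXISTING,
                 "request_tags": {"Environment": "test"}, "resource_tags": {}}
    original = [ALLOW_ALL_EC2, ORIGINAL_DENY]
    answer = [ALLOW_ALL_EC2, ANSWER_DENY]
    hardened = [ALLOW_ALL_EC2, HARDENED_DENY]
    return {
        "original/launch Environment=test": evaluate(original, launch_test),    # Allow: nothing to match yet
        "original/stop instance tagged test": evaluate(original, stop_tagged),  # Deny: the lockout the asker saw
        "answer/launch Environment=test": evaluate(answer, launch_test),        # Deny
        "answer/launch Environment=prod": evaluate(answer, launch_prod),        # Allow
        "answer/tag Environment=test after launch": evaluate(answer, tag_later),  # Allow: CreateTags gap
        "answer/launch Environment=Test": evaluate(answer, launch_Test),        # Allow: case-sensitive
        "hardened/tag Environment=test after launch": evaluate(hardened, tag_later),  # Deny
        "hardened/launch Environment=Test": evaluate(hardened, launch_Test),    # Deny
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{result:12} {name}")
```

Running the block prints one line per scenario. The two "original" rows reproduce the behaviour described in the question, the "answer" rows show the accepted fix working and its two gaps, and the "hardened" rows show the constructed statement that adds ec2:CreateTags and StringEqualsIgnoreCase closing them.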