Question 282439 in Amazon Web Sevices Question posted in
The official Amazon Web Services documentation can be found here.

Amazon web services – Restrict IAM ec2:CopySnapshot action on snapshots with specific key value

I have few ec2 snapshots with tags as key ce and value ae-12 . I want to allow the role to perform action of ec2:CopySnapshot on the snapshots containing the above mentioned tags only.
I’m using the below policy but it doesn’t work:

{
            "Sid": "snapshare",
            "Effect": "Allow",
            "Action": [
                "ec2:CopySnapshot"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/ce": "ae-12"
                }
            }
        }

I also tried "aws:ResourceTag/ce": "yes" in the condition block but it fail too.

Can anyone help me how to tackle this via IAM policy?

Tags:

2

Answers


  1. 0

    Please try the below policy, the following example policy allows principals to copy snapshots only if the new snapshot is created with a tag key of ce and a tag value of ae-12 (ce=ae-12):

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCopySnapshotWithTags",
            "Effect": "Allow",
            "Action": "ec2:CopySnapshot",
            "Resource": "arn:aws:ec2:*:account-id:snapshot/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/ce": "ae-12"
                }
            }
        }
    ]
}

    Hope it helps.

    Login or Signup to reply.
  2. 0

    Several things to consider:

    1. Check supported condition keys for ec2:CopySnapshot

    https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html

    1. If you want to block 

      ec2:CopySnapshot

      use 

      "Effect": "Deny"

      and negative condition 

      "ForAnyValue:StringNotEquals": { "aws:TagKeys": ["ce"] }

    2. Unfortunately you can limit Condition to Tag Key only for this action.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search