IAM Policy Condition StringEquals doesn't work well.

0

I'd like to access EC2 instances by EC2 tags using a Condition. When I applied the policy below, it didn't work properly. Please let me know how to fix it.

An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation. is not authorized to perform: ec2:DescribeInstances because no identity-based policy allows the ec2:DescribeInstances action

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/aws:eks:cluster-name": "CLUSTER_NAME"
                }
            }
        }
    ]
}

1 Answer
1

Hello.

Looking at the following document, "ec2:DescribeInstances" cannot use "ec2:ResourceTag".
"ec2:ResourceTag" can only be used in actions that are included in the "Condition keys" column of the following documents.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-policy-keys

EXPERT
answered 7 months ago
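An added example, not part of the question or the answer: a small Python checker that flags Allow statements whose condition keys the action does not support, which is exactly why the posted policy grants nothing. The per-action table is a constructed subset of the Service Authorization Reference linked in the answer (the entries for DescribeInstances, StartInstances and StopInstances are assumptions taken from that reference); run on the posted policy it reports the ec2:ResourceTag condition, and on the same condition attached to ec2:StopInstances it reports nothing.

```python
import json
from typing import Dict, List, Set

# Constructed subset of the Service Authorization Reference for Amazon EC2
# (assumption: copied from the "Condition keys" column linked in the answer).
# Describe* actions list no condition keys, so an Allow for them that is
# gated on ec2:ResourceTag can never match and therefore grants nothing.
SUPPORTED_KEYS: Dict[str, Set[str]] = {
    "ec2:DescribeInstances": set(),
    "ec2:StartInstances": {"ec2:ResourceTag/${TagKey}", "aws:ResourceTag/${TagKey}"},
    "ec2:StopInstances": {"ec2:ResourceTag/${TagKey}", "aws:ResourceTag/${TagKey}"},
}

def normalize(key: str) -> str:
    """Map a concrete tag key (ec2:ResourceTag/Name) to its ${TagKey} template."""
    return key.split("/", 1)[0] + "/${TagKey}" if "/" in key else key

def unsupported_condition_keys(policy: dict) -> List[str]:
    """Return 'action: key' for each Allow whose condition key the action does
    not support. Only ec2:* keys and aws:ResourceTag are judged; global keys
    such as aws:SourceIp apply to every action and are left alone."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for keys in stmt.get("Condition", {}).values():
            for key in keys:
                norm = normalize(key)
                scoped = norm.startswith("ec2:") or norm == "aws:ResourceTag/${TagKey}"
                for action in actions:
                    supported = SUPPORTED_KEYS.get(action)  # None: action unknown to the table
                    if supported is not None and scoped and norm not in supported:
                        findings.append(f"{action}: {key}")
    return findings

# The policy from the question, with its missing quote restored (constructed copy).
POSTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/aws:eks:cluster-name": "CLUSTER_NAME"}}
  }]
}""")

# The same tag condition on an action that does support ec2:ResourceTag.
TAG_SCOPED_POLICY = json.loads(
    json.dumps(POSTED_POLICY).replace("ec2:DescribeInstances", "ec2:StopInstances"))
```

Running `unsupported_condition_keys(POSTED_POLICY)` is a quick pre-deployment check; an empty result only means the keys are supported, not that the policy is otherwise correct.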
