Writing IAM Policy to ModifyInstanceAttribute - DeleteOnTermination

Question

Dear Experts,

I am executing below command from my ec2 instance. (instance id changed on purpose)

aws ec2 modify-instance-attribute --instance-id i-12345 --block-device-mappings "[{\"DeviceName\": \"/dev/sda1\",\"Ebs\":{\"DeleteOnTermination\":false}}]"

I configured following below policy but its still giving me unauthorized error.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:ModifyInstanceAttribute",
            "Resource": "arn:aws:ec2:*:111111111:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:Attribute": "BlockDeviceMapping"
                }
            }
        }
    ]
}

In above, i changed BlockDeviceMapping to DeleteOnTermination, but it didnt work. Can someone tell me how to write the policy?

Answer

I havent tried this before, however in the documentation the Case is different than your policy..

Try blockDeviceMapping

Your Instance policy may need to have instance/* for any Instance unless you remove that due to being sensitive

Writing IAM Policy to ModifyInstanceAttribute - DeleteOnTermination

Relevanter Inhalt