I want to control access to Amazon Elastic Compute Cloud (Amazon EC2) instances through tags.
Resolution
Add a tag to your group of Amazon EC2 instances
Note: Tags have specific requirements, such as character limit and number of tags per resource.
Open the Amazon EC2 console. Then, add a tag to each EC2 instance in the group that maps it to the relevant user or group (for the sample policy below, a tag with the key UserName and the IAM user's friendly name as the value). If you don't already have a suitable tag, then create a new one.
Create an IAM policy that grants access to instances with a specific tag
Your IAM policy must meet the following conditions to grant access to instances with a specific tag:
- Allow control over instances with the tag.
- Contain a condition statement that allows access to EC2 resources only when the value of the condition key ec2:ResourceTag/UserName matches the policy variable ${aws:username}. When IAM evaluates the policy, it replaces the policy variable ${aws:username} with the friendly name of the current IAM user.
- Allow access to the ec2:Describe* actions for EC2 resources.
- Explicitly deny access to the ec2:CreateTags and ec2:DeleteTags actions. This prevents users from creating or deleting tags even when they have access to control instances.
In your JSON editor, copy the following sample policy template:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/UserName": "${aws:username}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags"
            ],
            "Resource": "*"
        }
    ]
}
Note: This policy relies on the ec2:ResourceTag condition key, so it applies only to instances that already exist and carry the tag. If you want to use tags to restrict users from launching new instances, then follow the instructions in How do I use IAM policy tags to restrict how an EC2 instance or EBS volume can be created and accessed?
For principals that aren't IAM users, such as federated users, use the variable aws:userid instead of aws:username. The variable aws:userid has the value account:caller-specified-name. For more information, see IAM policy elements: Variables and tags and How do I use IAM policy variables with federated users?
Attach the IAM policy to users or groups that you want to access instances
To attach the IAM policy to your users or groups, follow the instructions in Adding IAM identity permissions (console). You can also use the AWS Command Line Interface (AWS CLI) or AWS API.
Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
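The following Python script is an added example, not AWS code or part of the original article. It models the small subset of IAM policy evaluation that the sample policy above depends on (Allow and Deny effects, action wildcards, a StringEquals condition on ec2:ResourceTag, substitution of the ${aws:username} policy variable, and the rule that an explicit Deny always overrides an Allow) so that you can see which requests the policy permits before you attach it. The tag values, user names and request contexts in it are constructed for illustration; real IAM evaluation has many more features than are modelled here.

```python
"""Simplified simulation of how IAM evaluates the tag-based EC2 policy.

Added example (not AWS code). It models only: Allow/Deny effects, action
wildcards, StringEquals on an ec2:ResourceTag/* key, ${aws:username}
substitution, and explicit-Deny-wins. Resource is assumed to be "*" in every
statement, as in the article's policy.
"""
import fnmatch
import re

# The sample policy from the article, as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"ec2:ResourceTag/UserName": "${aws:username}"}
            },
        },
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
            "Resource": "*",
        },
    ],
}

_VAR = re.compile(r"\$\{([A-Za-z0-9:]+)\}")


def _substitute(value, request_context):
    """Replace ${aws:username}-style variables with values from the request.

    A variable that is absent from the request context (for example
    aws:username for a federated principal) becomes the empty string, so a
    StringEquals comparison against a real tag value fails, as it does in IAM.
    """
    return _VAR.sub(lambda m: request_context.get(m.group(1), ""), value)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, request_context, resource_tags):
    """Evaluate a Condition block; only StringEquals on ec2:ResourceTag/* is modelled."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if not key.startswith("ec2:ResourceTag/"):
                raise NotImplementedError(key)
            tag_key = key[len("ec2:ResourceTag/"):]
            # A resource without the tag never satisfies StringEquals.
            if resource_tags.get(tag_key) != _substitute(expected, request_context):
                return False
    return True


def evaluate(policy, action, resource_tags, request_context):
    """Return 'Allow' or 'Deny' for one action on a resource carrying resource_tags."""
    decision = "Deny"  # implicit deny unless some statement allows
    for stmt in policy["Statement"]:
        # IAM compares action names case-insensitively; mirror that here.
        patterns = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if "Condition" in stmt and not _condition_matches(
            stmt["Condition"], request_context, resource_tags
        ):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed sample requests: IAM user "alice" against two tagged instances.
    alice = {"aws:username": "alice"}
    for action, tags in [
        ("ec2:StopInstances", {"UserName": "alice"}),
        ("ec2:StopInstances", {"UserName": "bob"}),
        ("ec2:DescribeInstances", {"UserName": "bob"}),
        ("ec2:CreateTags", {"UserName": "alice"}),
    ]:
        print(f"{action:24} tags={tags}: {evaluate(POLICY, action, tags, alice)}")
```

The last test case below shows the caveat from the note above: a federated principal has no aws:username, so the condition cannot match and the policy as written grants nothing beyond ec2:Describe* until you switch the variable to aws:userid.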
Related information
Granting required permissions for Amazon EC2 resources
Identity-based policies for Amazon EC2
IAM tutorial: Define permissions to access AWS resources based on tags
Tag your Amazon EC2 resources