Based on my experience with IAM, what you're looking to achieve isn't possible with existing functionality. Instead, I recommend creating and utilizing separate AWS accounts for production, staging, development, etc., and allowing only authorized individuals or teams access to those accounts. This is consistent with the AWS best practices recommendations we give to customers regularly, and ensures access to data and other resources is less likely to be accidentally granted to unauthorized parties.
I think I get what you are trying to achieve, but I'm not sure the condition statement is in the right place here. In order to assign permissions to an Amazon EC2 Instance, you need to assign an IAM role to this EC2 Instance. Amazon EC2 uses an instance profile as a container for an IAM role.
See also the note for Instance Profiles: An instance profile can contain only one IAM role, although a role can be included in multiple instance profiles. This limit of one role per instance profile cannot be increased.
What I would recommend is to look into:
- Check out Tags for Instance Profiles to determine the matching role according to the EC2 Instance
- Use condition statements in the IAM policies included with the Instance Profile. This approach would depend on the required policy; keep in mind the quotas for IAM entities.
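As an added illustration of the second recommendation (not part of the answer above or of any AWS documentation), here is an identity-based policy that could be attached to the role inside the instance profile. It assumes the role carries a tag named `environment` (tags on the role become `aws:PrincipalTag` values for the instance's credentials) and that the target instances carry the same tag key; the same template works unchanged for a cost-center or owner tag by swapping the key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ActOnlyOnInstancesInMyEnvironment",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/environment": "${aws:PrincipalTag/environment}"
        }
      }
    },
    {
      "Sid": "DescribeIsNotTagScoped",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "ProtectTheTagTheDecisionDependsOn",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["environment"]
        }
      }
    }
  ]
}
```

The first statement only grants access where the instance's `environment` tag equals the calling role's `environment` tag; the Deny statement keeps a workload from rewriting that tag on any resource, which otherwise lets it widen its own access.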
Thanks, but missing the point a bit. What if it wasn't environment, but cost center, or owner? There are pages and pages of AWS documentation about controlling access with tags, but in practice it doesn't seem to work anywhere that I've needed it.