Need clarification for an IAM policy

0

Hi, can I get some clarification as to what the policy below implies?

{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": [
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:vpc/*",
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:us-east-1::image/*"
    ],
    "Condition": {
        "StringEquals": {
            "aws:ResourceTag/tkey": "tval"
        }
    }
}

Is it that all the resources in the policy should have the resource tag "tkey" = "tval"? Or is it that the resource that is going to be created, i.e. the instance, should have the tags?

2 Answers
5

The policy implies that the resources specified in the Resource section must have a tag with the key tkey and the value tval. This condition applies to all resources listed, including existing resources and resources that will be created. Therefore, any resource within the scope of this policy must have this specific tag attached to it for the ec2:RunInstances action to be allowed.

If a resource lacks the specified key (tkey) with the corresponding value (tval), the user granted access through this policy will be denied access to that resource.

answered 3 months ago
0

Thanks for your answer Osvaldo Marte. I have some follow-up questions as well.

  1. How would I create a policy to do auth to check if only the to-be-created resources have the tags, instead of checking all the resources? Since I need to add all the mandatory resources in the policy if I am not interested in "*", I find the above auth a bit difficult.

  2. Is the policy the same as "*" then? Meaning, if I replace all the resources with "*" in the policy, should all the resources have the tags?

Deep
answered 3 months ago
To create a policy that only checks if resources being created have specific tags, you would typically need to use a combination of IAM policies and AWS Config rules. IAM policies alone cannot directly target only resources being created; they apply to resources based on their actions, not their state.

Here's a general approach:

  1. IAM Policy: Define an IAM policy that grants permission to the ec2:RunInstances action but includes a condition to check for the required tags. This policy will apply whenever someone attempts to run EC2 instances.

  2. AWS Config Rule: Create a custom AWS Config rule that specifically checks whether resources being created have the required tags. This rule will evaluate the resource configurations against your tag requirements.

Regarding your second question:

In a scenario where the policy includes a tag condition for the Principal to perform an allowed action, if the resources are denoted as "*", it implies that the Principal can only execute the allowed action on resources possessing the specified tag. In this context, using "*" as a wildcard restricts the action to resources with the required tag, ensuring that permissions are only granted where the necessary tagging criteria are met. Therefore, when employing "*" in resource specifications within a policy, the presence of the required tag on the resources becomes crucial for the Principal to perform the permitted action.
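As an added example (not from any of the answers above, and not AWS code), a toy Python evaluator for the statement in the question that shows the per-resource check both answers describe: every ARN that ec2:RunInstances touches is authorized separately against that resource's own tags, one untagged resource denies the whole call, and swapping the Resource list for "*" does not change the tag check. The account id, resource ids and tags are constructed.

```python
import fnmatch

# The statement from the question; the condition is StringEquals on aws:ResourceTag/tkey.
STATEMENT = {
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": [
        "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:vpc/*",
        "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:us-east-1::image/*",
    ],
    "Condition": {"StringEquals": {"aws:ResourceTag/tkey": "tval"}},
}

def resource_allowed(statement, arn, tags):
    """Authorize one ARN: it must match a Resource pattern AND satisfy the
    condition using that resource's own tags. A resource that lacks the tag
    key makes StringEquals false, so it is denied."""
    if not any(fnmatch.fnmatchcase(arn, pat) for pat in statement["Resource"]):
        return False
    for cond_key, wanted in statement["Condition"]["StringEquals"].items():
        tag_key = cond_key.split("/", 1)[1]  # "aws:ResourceTag/tkey" -> "tkey"
        if tags.get(tag_key) != wanted:
            return False
    return True

def first_denied(statement, request):
    """RunInstances touches several resources at once; IAM authorizes each one
    separately and the call only succeeds if all pass. Returns the first ARN
    that fails, or None when the whole call is allowed."""
    for arn, tags in request.items():
        if not resource_allowed(statement, arn, tags):
            return arn
    return None

# Constructed request: account id, resource ids and tags are made up for this example.
ACCT = "111122223333"
TAGGED = {"tkey": "tval"}
AMI = "arn:aws:ec2:us-east-1::image/ami-0ddd"
REQUEST = {
    f"arn:aws:ec2:us-east-1:{ACCT}:subnet/subnet-0aaa": TAGGED,
    f"arn:aws:ec2:us-east-1:{ACCT}:security-group/sg-0bbb": TAGGED,
    f"arn:aws:ec2:us-east-1:{ACCT}:instance/i-0ccc": TAGGED,  # tags requested for the new instance
    AMI: TAGGED,
}
UNTAGGED_AMI = {**REQUEST, AMI: {}}            # same call, but the AMI carries no tkey tag
WILDCARD = dict(STATEMENT, Resource=["*"])     # the statement with Resource replaced by "*"

if __name__ == "__main__":
    print(first_denied(STATEMENT, REQUEST))       # None: every resource carries tkey=tval
    print(first_denied(STATEMENT, UNTAGGED_AMI))  # the AMI ARN: one untagged resource denies the call
    print(first_denied(WILDCARD, UNTAGGED_AMI))   # same ARN: "*" widens Resource, not the tag check
```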
