I have created a custom IAM policy to restrict a user access on the basis of tags like if the Resource tag Name has any value Test then the user can start stop reboot the instance.
Here is my policy :
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TheseActionsDontSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": ["ec2:Describe*"],
"Resource": "*"
},
{
"Sid": "TheseActionsSupportResourceLevelPermissionsWithTags",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances"
],
"Resource": "arn:aws:ec2:us-east-1:acct_no:instance/*",
"Condition": {
"ForAnyValue:StringEquals": {
"ec2:ResourceTag/Name": "Test"
}
}
}
]
}
But when I apply the policy the user can't perform the specified actions.
Kindly help.
Thanks
ForAnyValue is an inappropriate condition for your Amazon IAM use case, insofar it is only applicable for sets (see Creating a Condition That Tests Multiple Key Values (Set Operations) for details) - simply dropping the ForAnyValue: prefix should yield a working policy, see e.g. the examples in Resource-level Permissions for EC2 – Controlling Management Access on Specific Instances:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances",
"ec2:TerminateInstances"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/critical":"true"
}
},
"Resource": [
"arn:aws:ec2:your_region:your_account_ID:instance/*"
],
"Effect": "Allow"
}
]
}