Tags: amazon-web-services, amazon-ec2, amazon-ami

Restricting who can deregister AMI based on a Tag


Is it possible to restrict who can deregister an AMI via IAM? The criteria I want to use is a tag attached to the image resource. The Tag is "ReleaseStage" and the values are "Beta", "RC" and "GA"... IAM users that are in the Developer group should not be allowed to deregister a "GA" tagged AMI.

Is this possible and if so what kind of IAM policy document would I need to achieve this?


Solution

  • AWS documentation has an example showing the use of a tag in a condition for a policy in

    In the given example, the relevant line is

    "Condition": {"StringEquals": {"ec2:ResourceTag/volume_user": "${aws:username}"}}
    

    where volume_user is the name of the tag in the example, and the expression ${aws:username} is the value against which it is compared.

    Conditions are documented starting here:

    Your condition would look like

    "Condition": {"StringEquals": {"ec2:ResourceTag/ReleaseStage": "GA"}}
    

    and you would use it in a policy whose effect is "deny", attaching the policy to the "developers" group. The policy itself would look like this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "ec2:DeregisterImage",
          "Resource": "*",
          "Condition": {"StringEquals": {"ec2:ResourceTag/ReleaseStage": "GA"}}
        }
      ]
    }
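As an added example (not part of the original answer), the policy below carries the "Resource" element IAM requires in identity-based statements, and a small evaluator shows how the StringEquals tag condition behaves for GA, Beta, mistyped and untagged images; the Sid, the image ARN pattern and the evaluator itself are my additions, not an AWS API.

```python
# Added example (not from the original post): the answer's deny policy with the
# "Resource" element that every identity-based statement must carry, plus a
# minimal evaluator for its StringEquals tag condition.
DENY_GA_DEREGISTER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDeregisterOfGaImages",  # assumed name
        "Effect": "Deny",
        "Action": "ec2:DeregisterImage",
        "Resource": "arn:aws:ec2:*::image/*",  # AMI ARNs carry no account id
        "Condition": {"StringEquals": {"ec2:ResourceTag/ReleaseStage": "GA"}},
    }],
}

TAG_PREFIX = "ec2:ResourceTag/"


def condition_matches(condition, resource_tags):
    """StringEquals on ec2:ResourceTag/<key> only. Every key in the block must
    match, a tag absent from the resource never matches, and the comparison is
    case-sensitive, which is how IAM evaluates this operator."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for cond_key, expected in pairs.items():
            if not cond_key.startswith(TAG_PREFIX):
                raise NotImplementedError(cond_key)
            if resource_tags.get(cond_key[len(TAG_PREFIX):]) != expected:
                return False
    return True


def deregister_denied(policy, resource_tags, action="ec2:DeregisterImage"):
    """True if a Deny statement in `policy` applies to `action` on an image
    carrying `resource_tags` (an explicit deny overrides any allow)."""
    for stmt in policy["Statement"]:
        if "Resource" not in stmt and "NotResource" not in stmt:
            raise ValueError("identity-based statement without Resource is rejected by IAM")
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Deny" and action in actions:
            if condition_matches(stmt.get("Condition", {}), resource_tags):
                return True
    return False


if __name__ == "__main__":
    for tags in ({"ReleaseStage": "GA"}, {"ReleaseStage": "Beta"}, {"ReleaseStage": "ga"}, {}):
        print(tags, "denied" if deregister_denied(DENY_GA_DEREGISTER, tags) else "not denied")
```

Note that an image whose tag was never set, or was set to "ga" in lower case, is not caught by this deny; if untagged images must also be protected, the developer group's allow for ec2:DeregisterImage needs its own tag condition rather than relying on this deny alone.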