How do I create an IAM policy to control access to Amazon EC2 resources through tags?

3 minute read
1

I want to create an AWS Identity and Access Management (IAM) policy that controls access to Amazon Elastic Compute Cloud (Amazon EC2) instances through tags.

Short description

Control access to smaller deployments of Amazon EC2 instances as follows:

  1. Add a specific tag to the instances that you want to grant the users or groups access to.
  2. Create an IAM policy that grants access to any instances with the specific tag.
  3. Attach the IAM policy to the users or groups that you want to access the instances.

Resolution

Add a tag to your group of EC2 instances

Open the Amazon EC2 console. Then, add tags to the group of EC2 instances that you want the users or groups to be able to access. If you don't already have a tag, then create a new tag.
Note: Be sure to read and understand the tag restrictions before tagging your resources. Amazon EC2 tags are case-sensitive.

Create an IAM policy that grants access to instances with the specific tag

Create an IAM policy that does the following:

  • Allows control over the instances with the tag.
  • Contains a conditional statement that allows access to Amazon EC2 resources if the value of the condition key ec2:ResourceTag/UserName matches the policy variable aws:username. The policy variable ${aws:username} is replaced with the friendly name of the current IAM user when the policy is evaluated by IAM.
  • Allows access to the ec2:Describe* actions for Amazon EC2 resources.
  • Explicitly denies access to the ec2:CreateTags and ec2:DeleteTags actions to prevent users from creating or deleting tags. This prevents the user from taking control of an EC2 instance by adding the specific tag to it.

The finished policy looks similar to the following:

Note: This policy applies to Amazon EC2 instances that use the ec2:ResourceTag condition key. To restrict launching new Amazon EC2 instances using tags, see How can I use IAM policy tags to restrict how an EC2 instance or EBS volume can be created?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/UserName": "${aws:username}"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "*"
    }
  ]
}

Note: For principals that aren't IAM users, such as IAM Identity Center permission sets or Federates users, use the variable aws:userid instead of aws:username. The variable aws:userid has the value account:caller-specified-name. For more information, see IAM policy elements: Variables and tags  and How do I use IAM policy variables with federated users?

Attach the IAM policy to the users or groups that you want to access the instances

Attach the IAM policy to the users or groups that you want to access the instances. You can attach the IAM policy using the AWS Management Console, AWS CLI, or AWS API.

Related information

Granting required permissions for Amazon EC2 resources

IAM policies for Amazon EC2

IAM tutorial: Define permissions to access AWS resources based on tags

AWS OFFICIAL
AWS OFFICIALUpdated 3 months ago
4 Comments

FYI for Identity Center aws:username is aws:userid as described in this other article

https://repost.aws/knowledge-center/iam-policy-variables-federated

vgrsec
replied 5 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 5 months ago

This will allow all users with the policy to access any EC2 instance, It should be complemented with any other tag to identify which EC2s are targets for this policy.

This document describes it within the ABAC context. https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html

mmetaw
replied 3 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 3 months ago