How does IAM evaluation logic work for an explicit Deny policy with multiple condition keys?


I want to create an AWS Identity and Access Management (IAM) explicit Deny policy. This Deny policy must restrict creation of Amazon Elastic Compute Cloud (Amazon EC2) instances and Amazon Elastic Block Store (Amazon EBS) volumes.

Short description

Use IAM policy tags, combined with the StringLike (Allow) or StringNotLike (Deny) string condition operators, to restrict the launch of EC2 instances and the creation of EBS volumes.

For more information, see How can I use IAM policy tags to restrict how an EC2 instance or EBS volume can be created?

Resolution

To restrict the creation of EC2 instances and EBS volumes, use the following example IAM policy that uses Deny with StringNotLike.

Note: It's a best practice to use Deny with StringNotLike to prevent accidental permission access.

If a single statement has multiple condition operators, or multiple keys attached to one condition operator, then IAM evaluates those conditions with AND logic. To deny on multiple tag values and still get that AND logic across the whole policy, put each RequestTag key in its own Deny statement.

Note: Placing all the RequestTag key checks in one condition block of a Deny statement might not work as expected. The Deny statement matches only when every one of its conditions is met, so the action stays allowed until all of the conditions are met at the same time; only then is the action denied.

The following tags are required:

  • The cost_center tag must have a non-null value.
  • The EC2 instance has a tag key named Production.
  • The identifier tag must be a combination of any five characters.
  • The env tag value must be sandbox, dev, or prod.

Example policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowToDescribeAll",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowRunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*"
            ]
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions1",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/cost_center": "?*"
                }
            }
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions2",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "ForAllValues:StringNotLike": {
                    "aws:TagKeys": "Production"
                }
            }
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions3",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/identifier": "?????"
                }
            }
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions4",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/env": [
                        "sandbox",
                        "dev",
                        "prod"
                    ]
                }
            }
        },
        {
            "Sid": "AllowRunInstances1",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ]
        },
        {
            "Sid": "AllowCreateTagsOnRunInstance",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}

Note the following enforcement values:

  • The aws:TagKeys value enforces Production case sensitivity.
  • The ????? value enforces a value made of exactly five characters. Leading or trailing spaces are ignored.
  • The ?* value enforces the use of at least one character in the value field so that EC2 instances can't launch with empty tag values.
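The difference between one Deny statement with several condition keys and the four separate Deny statements in the policy above can be checked offline. The following Python model is an added example, not AWS code: it implements only the StringLike wildcard matching and the negated-operator rules the page relies on, assumes that a matching Allow statement exists (as AllowRunInstances1 does), and uses constructed request tags.

```python
import re

# Added illustration of the evaluation logic described above; not AWS code.
# Models StringNotLike and ForAllValues:StringNotLike on request tags only.

def like(value, pattern):
    """IAM StringLike: case-sensitive, '*' = any run, '?' = exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def condition_matches(operator, key, patterns, request_tags):
    """Evaluate one condition key the way IAM does for negated string operators."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    if operator == "StringNotLike":
        value = request_tags.get(key.removeprefix("aws:RequestTag/"))
        # A negated operator evaluates to true when the key is absent from the request.
        return value is None or not any(like(value, p) for p in patterns)
    if operator == "ForAllValues:StringNotLike":  # used on aws:TagKeys in the policy
        return all(not any(like(k, p) for p in patterns) for k in request_tags)
    raise ValueError(operator)

def statement_matches(statement, request_tags):
    """All operators and all keys in one Condition block are ANDed together."""
    return all(
        condition_matches(op, key, patterns, request_tags)
        for op, keys in statement.get("Condition", {}).items()
        for key, patterns in keys.items()
    )

def evaluate(statements, request_tags):
    """Explicit Deny wins; otherwise assume a matching Allow exists (as on the page)."""
    for s in statements:
        if s["Effect"] == "Deny" and statement_matches(s, request_tags):
            return "Deny"
    return "Allow"

CONDS = [("StringNotLike", "aws:RequestTag/cost_center", "?*"),
         ("ForAllValues:StringNotLike", "aws:TagKeys", "Production"),
         ("StringNotLike", "aws:RequestTag/identifier", "?????"),
         ("StringNotLike", "aws:RequestTag/env", ["sandbox", "dev", "prod"])]
# Four separate Deny statements, one per key (the layout used in the policy above).
SEPARATE = [{"Effect": "Deny", "Condition": {op: {k: p}}} for op, k, p in CONDS]
# The same four keys folded into a single Deny statement (the case the note warns about).
COMBINED = [{"Effect": "Deny", "Condition": {
    "StringNotLike": {k: p for op, k, p in CONDS if op == "StringNotLike"},
    "ForAllValues:StringNotLike": {"aws:TagKeys": "Production"}}}]

# Constructed request: every tag is valid except cost_center, which is empty.
BAD_COST_CENTER = {"cost_center": "", "Production": "yes", "identifier": "ab123", "env": "prod"}
```

With the separate statements the empty cost_center alone is enough to deny the launch, while the combined statement allows it because its other three conditions are not met.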

Related information

How do I create an IAM policy to control access to Amazon EC2 resources using tags?

Tag your Amazon EC2 resources

Controlling access to AWS resources using tags

AWS OFFICIAL. Updated 4 months ago.
2 Comments

It is important to remember NOT to use the ResourceTag condition for the pass-role permission. Quote:

Do not try to control who can pass a role by tagging the role and then using the ResourceTag condition key in a policy with the iam:PassRole action. This approach does not have reliable results.

Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html

replied 2 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR, replied 2 months ago