How can I use IAM policy tags to restrict how an EC2 instance or EBS volume can be created?

5 minute read
0

I want to allow AWS Identity and Access Management (IAM) users or groups access to launch new Amazon Elastic Compute Cloud (Amazon EC2) instances. I also want to allow IAM users access to create new Amazon Elastic Block Store (Amazon EBS) volumes, but only when they apply specific tags.

Short description

Specify tags for EC2 instances and EBS volumes as part of the API call that creates the resources. Using this principle, you can require IAM users to tag specific resources by applying conditions to their IAM policy. The following example policies don't allow users to create security groups or key pairs, so users must select pre-existing security groups and key pairs.

The following example IAM policies allow users to:

  • Launch EC2 instances that have matching tag keys and values
  • Launch EC2 instances that have at least one matching tag and value
  • Launch EC2 instances that have at least one matching tag key
  • Launch EC2 instances that have only the specified list of tags

Resolution

Launch EC2 instances that have matching tag keys and values

The following example policy allows a user to launch an EC2 instance and create an EBS volume only if the user applies all the tags that are defined in the policy using the qualifier ForAllValues. If the user applies a tag that's not included in the policy, then the action is denied. To enforce case sensitivity, use the condition aws:TagKeys.

Note: Modify key1 and value1 in the example policies to include the tags and values that apply to your resources:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowToDescribeAll",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowRunInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:key-pair/*"
      ]
    },
    {
      "Sid": "AllowRunInstancesWithRestrictions",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume",
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/key1": "value1",
          "aws:RequestTag/key2": "value2"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "key1",
            "key2"
          ]
        }
      }
    },
    {
      "Sid": "AllowCreateTagsOnlyLaunching",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": [
            "RunInstances",
            "CreateVolume"
          ]
        }
      }
    }
  ]
}

Important: To launch EC2 instances successfully, this policy must include matching tag keys and values. If the key and value pairs don't match, then you receive the error "Launch Failed" or similar type of API failure message.

Example results

Key/ValueResult
key1/value1 and key2/value2allow
key1/value1deny
key1/value2deny
no keys and valuesdeny

Launch EC2 instances that have at least one matching tag and value

In the following example, replace the AllowRunInstancesWithRestrictions condition block to allow a user to launch an EC2 instance and create EBS volumes when at least one tag key is named key1 and its value is value1. Any number of additional tags can be added in the RunInstances request:

"Condition": {
  "StringEquals": {
    "aws:RequestTag/key1": "value1"
  },
  "ForAnyValue:StringEquals": {
    "aws:TagKeys": [
      "key1"
    ]
  }
}

Example results

Key/ValueResult
key1/value1 and key2/value2allow
key1/value1allow
key1/value2deny
no keys and valuesdeny

Launch EC2 instances that have at least one matching tag key

In the following policy example, replace the AllowRunInstancesWithRestrictions condition block to allow a user to launch an EC2 instance and create EBS volumes when at least one tag key is named key1. No specific value is required for the key1 tag and any number of additional tags can be added in the RunInstances request.

"Condition": {
  "ForAnyValue:StringEquals": {
    "aws:TagKeys": [
      "key1"
    ]
  }
}

Example results

Key/ValueResult
key1/value1 and key2/value2allow
key1/value1allow
key1/value2allow
no keys and valuesdeny

Launch EC2 instances that have only the specified list of tags

In the following example policy, replace the AllowRunInstancesWithRestrictions condition block to allow a user to launch an EC2 instance and create EBS volumes only when tag keys key1 and key2 are provided in the request. No specific value is required for either tag keys, and no additional tags can be added in the RunInstances request:

"Condition": {
  "StringLike": {
      "aws:RequestTag/key1": "*",
      "aws:RequestTag/key2": "*"
  },
  "ForAllValues:StringEquals": {
    "aws:TagKeys": [
        "key1",
        "key2"
    ]
  }
}

Note: The StringLike condition is required to make sure that all tags are present.

Example results

Key/ValueResult
key1/AnyValue and key2/AnyValueAllow
key1/AnyValueDeny
key2/AnyValueDeny
No keys or valuesDeny
key1/AnyValue, key2/AnyValue, key3/AnyValueDeny

Related information

How do I create an IAM policy to control access to Amazon EC2 resources using tags?

Creating a condition with multiple keys or values

Example IAM identity-based policies

Tag your Amazon EC2 resources

Actions, resources, and condition keys for Amazon EC2

AWS OFFICIAL
AWS OFFICIALUpdated a year ago