How do I use IAM policy tags to restrict how an EC2 instance or EBS volume can be created and accessed?


I want to allow AWS Identity and Access Management (IAM) identities access to launch new Amazon Elastic Compute Cloud (Amazon EC2) instances. I also want to allow IAM identities access to create new Amazon Elastic Block Store (Amazon EBS) volumes when they apply specific tags.

Short description

Specify tags for EC2 instances and Amazon EBS volumes as part of the API call that creates the resources. Apply conditions to the IAM policy to require IAM users to tag specific resources.

The following example policies don't allow users to create security groups or key pairs, so users must select existing security groups and key pairs.

The following example IAM policies allow users to launch instances that have the following configurations:

  • Matching tag keys and values
  • At least one matching tag and value
  • At least one matching tag key
  • Only the specified list of tags

The example IAM policies also allow users to manage instances and volumes that have matching tag keys and values.

Note: To use the example policies, replace the example values with your values.

Resolution

Restrict EC2 instance and EBS volume creation based on tags

The following example policies allow a user to launch an instance and create a volume based on tags.

Launch EC2 instances that have matching tag keys and values

In the following example policy, the RequestTag condition controls tag enforcement. If the user applies a tag that's not included in the policy, then the action is denied. To enforce case sensitivity, use the aws:TagKeys condition:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowToDescribeAll",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowRunInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:key-pair/*"
      ]
    },
    {
      "Sid": "AllowRunInstancesWithRestrictions",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume",
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/key1": "value1",
          "aws:RequestTag/key2": "value2"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "key1",
            "key2"
          ]
        }
      }
    },
    {
      "Sid": "AllowCreateTagsOnlyLaunching",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": [
            "RunInstances",
            "CreateVolume"
          ]
        }
      }
    }
  ]
}

Important: To successfully launch EC2 instances, the RunInstances request must include tag keys and values that match the preceding policy. If the key and value pairs don't match, then you receive the Launch Failed error or a similar API failure message.

Example results

Key/Value                        Result
key1/value1 and key2/value2      allow
key1/value1                      deny
key1/value2                      deny
no keys and values               deny

Launch EC2 instances that have at least one matching tag key

To allow a launch when at least one of the request's tag keys is named key1, replace the AllowRunInstancesWithRestrictions condition block with the following block. No specific value is required for the key1 tag, and you can add other tags in the RunInstances request:

"Condition": {
  "ForAnyValue:StringEquals": {
    "aws:TagKeys": [
      "key1"
    ]
  }
}

Example results

Key/Value                        Result
key1/value1 and key2/value2      allow
key1/value1                      allow
key1/value2                      allow
no keys and values               deny

Launch EC2 instances that have only the specified list of tags

To allow a launch only when both tag keys key1 and key2 are provided in the request, replace the AllowRunInstancesWithRestrictions condition block with the following block. No specific value is required for either tag key, and you can't add other tags in the RunInstances request:

"Condition": {
  "StringLike": {
    "aws:RequestTag/key1": "*",
    "aws:RequestTag/key2": "*"
  },
  "ForAllValues:StringEquals": {
    "aws:TagKeys": [
      "key1",
      "key2"
    ]
  }
}

Note: In the preceding policy, the StringLike condition is required because the value is the multi-character match wildcard (*); StringEquals would treat the asterisk as a literal value.

Example results

Key/Value                                    Result
key1/AnyValue and key2/AnyValue              Allow
key1/AnyValue                                Deny
key2/AnyValue                                Deny
No keys or values                            Deny
key1/AnyValue, key2/AnyValue, key3/AnyValue  Deny
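The three condition blocks above differ only in how aws:RequestTag and aws:TagKeys are combined, and the results tables follow from a handful of IAM evaluation rules. The following added example (not part of the original article, and a simplified model of IAM rather than the real policy engine) evaluates each block against constructed RunInstances tag sets so the tables can be reproduced offline, including the case-sensitivity caveat that aws:TagKeys catches and aws:RequestTag does not:

```python
import fnmatch

# Condition blocks copied from the three RunInstances policies on this page.
MATCH_KEYS_AND_VALUES = {
    "StringEquals": {"aws:RequestTag/key1": "value1", "aws:RequestTag/key2": "value2"},
    "ForAllValues:StringEquals": {"aws:TagKeys": ["key1", "key2"]},
}
AT_LEAST_ONE_KEY = {"ForAnyValue:StringEquals": {"aws:TagKeys": ["key1"]}}
ONLY_LISTED_KEYS = {
    "StringLike": {"aws:RequestTag/key1": "*", "aws:RequestTag/key2": "*"},
    "ForAllValues:StringEquals": {"aws:TagKeys": ["key1", "key2"]},
}


def _match(op, actual, wanted):
    """Single-valued string operators used on this page (both case-sensitive)."""
    if op == "StringEquals":
        return actual == wanted
    if op == "StringLike":
        return fnmatch.fnmatchcase(actual, wanted)
    raise ValueError(f"unsupported operator {op}")


def condition_allows(condition, request_tags):
    """True when the request tags (dict key -> value) satisfy the whole Condition block.

    Simplified model of the IAM rules this page relies on (an assumption of this
    example, not the real policy engine): every operator block and every key inside
    it must match (AND); a RequestTag key absent from the request never matches; the
    tag-key part of aws:RequestTag/<key> is matched case-insensitively, while
    aws:TagKeys values are compared case-sensitively; ForAllValues is satisfied by an
    empty aws:TagKeys set, ForAnyValue is not.
    """
    for op_block, entries in condition.items():
        set_op, _, op = op_block.rpartition(":")
        for ctx_key, wanted in entries.items():
            if ctx_key == "aws:TagKeys":
                wanted = wanted if isinstance(wanted, list) else [wanted]
                hits = [any(_match(op, k, w) for w in wanted) for k in request_tags]
                ok = all(hits) if set_op == "ForAllValues" else any(hits)
            else:
                tag_key = ctx_key.removeprefix("aws:RequestTag/").lower()
                found = {k.lower(): v for k, v in request_tags.items()}
                ok = tag_key in found and _match(op, found[tag_key], wanted)
            if not ok:
                return False
    return True


if __name__ == "__main__":
    # Constructed requests reproducing the first results table on this page.
    for tags in ({"key1": "value1", "key2": "value2"}, {"key1": "value1"}, {}):
        print(tags, "->", "allow" if condition_allows(MATCH_KEYS_AND_VALUES, tags) else "deny")
```

Before relying on a policy in production, confirm the same outcomes with the IAM policy simulator or a DryRun RunInstances call, since this model covers only the operators used on this page.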

Restrict EC2 instance and EBS volume management based on tag keys and values

The following example policies restrict user management of instances and volumes based on tag keys and values.

Manage EC2 instances that have matching tag keys and values

The following example policy restricts access of an IAM identity to only start, stop, or reboot EC2 instances. The instance must have an Owner key tag with a Bob tag value:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:111122223333:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Owner": "Bob"
        }
      }
    }
  ]
}

Note: Replace Owner with your tag key, Bob with the name of your IAM user, and the resource ARN with your resource's ARN.

For more information, see Can I restrict the access of IAM Identity to specific Amazon EC2 resources?

Manage EBS volumes that have matching tag keys and values

The following example policy allows the IAM identity to detach or delete an EBS volume. For the DeleteVolume API action, the volume must have an Owner tag key with a Mary tag value. For the DetachVolume API action, both the instance and the volume must have the same tag key Owner with the tag value Mary:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "ec2:DetachVolume",
                "ec2:DeleteVolume"
            ],
            "Resource": [
                "arn:aws:ec2:*:111122223333:volume/*",
                "arn:aws:ec2:*:111122223333:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Owner": "Mary"
                }
            }
        }
    ]
}

Note: Replace Owner with your tag key, Mary with the name of your IAM user, and the resource ARN with your resource's ARN.

Related information

How do I create an IAM policy to control access to Amazon EC2 resources through tags?

Example IAM identity-based policies

Tag your Amazon EC2 resources

Actions, resources, and condition keys for Amazon EC2

AWS OFFICIAL, updated 6 months ago