Yes, that means in order to perform the action ec2:RunInstances, you will need the required tag. Though, you will also need to grant the ability to create a tag, such as this:
{
    "Effect": "Allow",
    "Action": "ec2:CreateTags",
    "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:network-interface/*"
    ],
    "Condition": {
        "StringEquals": {
            "ec2:CreateAction": [
                "RunInstances",
                "CreateVolume"
            ]
        }
    }
}
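To show how the CreateTags statement above fits together with a tag-conditioned ec2:RunInstances, here is a complete policy as an added example (it is not from the original answer or from AWS). The region, account id, the tag key "Purpose" and the value "webserver" are placeholder assumptions. The point it illustrates is the one debated below: ec2:RunInstances is evaluated against every resource the launch touches (image, subnet, network interface, security group, key pair), but only the instance and volume are tagged at launch, so the aws:RequestTag condition must be scoped to those two ARNs and the remaining resources granted in a separate, unconditioned statement; putting the tag condition on a single "Resource": "*" statement would deny the launch because the image or subnet never carry the request tag.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RunInstancesOnlyWithRequiredTag",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:instance/*",
                "arn:aws:ec2:us-east-1:111122223333:volume/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Purpose": "webserver"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": ["Purpose"]
                }
            }
        },
        {
            "Sid": "RunInstancesOtherLaunchResourcesNoTagCondition",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:us-east-1::image/*",
                "arn:aws:ec2:us-east-1:111122223333:subnet/*",
                "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
                "arn:aws:ec2:us-east-1:111122223333:security-group/*",
                "arn:aws:ec2:us-east-1:111122223333:key-pair/*"
            ]
        },
        {
            "Sid": "CreateTagsOnlyAsPartOfLaunch",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:instance/*",
                "arn:aws:ec2:us-east-1:111122223333:volume/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}
```

The ForAllValues:aws:TagKeys clause keeps the caller from attaching extra tags beyond Purpose, and restricting ec2:CreateTags with ec2:CreateAction means the same principal cannot later re-tag existing instances to satisfy or evade the condition. To check the behaviour, launch with a TagSpecifications entry for the instance and volume resource types carrying Purpose=webserver and confirm success, then launch without tags and confirm the request is denied.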
Hi, the action ec2:RunInstances applies to the resource defined by "Resource": "*" of the same statement. The resources for this authorization are EC2 instances defined by their ids. So, the required tag should be present on the instances to be (re)started. It doesn't apply to any other resources used by those instances (optional or required).
To further condition by the presence of this tag, you would have to have similar statements for the other resources and corresponding actions that you want to condition.
Best,
Didier
@Paul Frederiksen I think my question was how the policy applies to mandatory resources vs optional resources. Thanks for taking the effort to answer.
Thanks for the answer, but I want to debate that. I don't think the resources for this authorization are only EC2 instances. There are many other resources that are mandatory, as stated in the doc here -> https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html. Please also see the similar question raised in this post: https://repost.aws/questions/QUz3BdyHkKTxGQVvHOzGFjpw/need-clarification-for-an-iam-policy.