Please help me understand condition keys

Dear Experts,

I am using the post below as a reference. If you look at the reference, I can clearly see multiple attributes (if they are called attributes) mentioned in the condition keys column, but the poster is saying "At this time, there isn't a way to restrict "ModifyInstanceAttribute" to specific condition or resource. The action "ModifyInstanceAttribute" does not support any resource level permissions or any condition keys.

https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html "

But I can clearly see options in the condition key column. What am I missing here?

asked a year ago, 294 views
2 Answers
Hi,

ec2:ModifyInstanceAttribute does support the conditions stated in the link you posted. Here's also an example of a valid policy using conditions:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": "ec2:ModifyInstanceAttribute",
			"Resource": "arn:aws:ec2:*:111111111111:instance/*",
			"Condition": {
				"StringEqualsIfExists": {
					"aws:ResourceTag/example": "works"
				}
			}
		}
	]
}

Could you elaborate what you mean by

the poster is saying " At this time, there isn't a way to restrict "ModifyInstanceAttribute" to specific condition or resource.

AWS
EXPERT
answered a year ago
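
How the Condition block of the policy above evaluates, as an added example that is not part of the answer and is not AWS code: it compares the posted StringEqualsIfExists with plain StringEquals on the same key, for an instance with the matching tag, a different tag value, and no "example" tag at all. The evaluator is a simplified model that covers only these two operators (Action and Resource matching are not modelled), and the request contexts are constructed.

```python
import json

# Policy from the answer above (the account ID is the answer's own placeholder).
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Sid": "VisualEditor0",
   "Effect": "Allow",
   "Action": "ec2:ModifyInstanceAttribute",
   "Resource": "arn:aws:ec2:*:111111111111:instance/*",
   "Condition": {"StringEqualsIfExists": {"aws:ResourceTag/example": "works"}}}]}
""")

def condition_matches(condition, context):
    """Simplified model (an assumption, not AWS code) of StringEquals and
    StringEqualsIfExists: operators and keys are ANDed, values for a key ORed."""
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        if base != "StringEquals":
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in keys.items():
            allowed = expected if isinstance(expected, list) else [expected]
            if key not in context:
                if if_exists:
                    continue      # missing key: ...IfExists evaluates to true
                return False      # missing key: plain StringEquals does not match
            if context[key] not in allowed:
                return False
    return True

# Constructed request contexts: aws:ResourceTag/example is present only when
# the target instance actually carries an "example" tag.
CONTEXTS = {
    "example=works": {"aws:ResourceTag/example": "works"},
    "example=other": {"aws:ResourceTag/example": "other"},
    "untagged": {},
}

def compare():
    """Return {context: (as posted, same key under plain StringEquals)}."""
    posted = POLICY["Statement"][0]["Condition"]
    strict = {"StringEquals": posted["StringEqualsIfExists"]}
    return {name: (condition_matches(posted, ctx), condition_matches(strict, ctx))
            for name, ctx in CONTEXTS.items()}

if __name__ == "__main__":
    for name, (posted, strict) in compare().items():
        print(f"{name:15} StringEqualsIfExists={posted}  StringEquals={strict}")
```

The two operators differ only for the untagged instance: with IfExists the statement still applies when the tag key is absent, so use plain StringEquals if the intent is to allow the action only on instances that carry the tag.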
I am struggling to see if this is even possible.

Everything I have looked at myself says you can't create an IAM policy that matches the DeleteOnTermination value of ModifyInstanceAttribute.

EXPERT
answered a year ago