ec2:ResourceTag/Name not working with IAM Policy

0

Hi,

My IAM policy is as below but does not work. I can modify security groups after removing "ec2:ResourceTag/Name".

aws ec2 modify-instance-attribute --instance-id  $INSTANCEID --groups $SGID --region ap-southeast-1

How to fix it?

{
    "Sid": "AllowModifyDevOpsInstances",
    "Effect": "Allow",
    "Action": [
        "ec2:ModifyInstanceAttribute"
    ],
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "ec2:ResourceTag/Name": [
                "DevOps*"
            ]
        },
        "StringEquals": {
            "aws:RequestedRegion": "ap-southeast-1"
        }
    }
},
  • For background: What are you intending your policy to do?

  • I want this IAM role to be able to modify security groups.

  • Hi Linda,

    Could you paste your aws cli exact output, please?

  • Hi Ercan,

    my command: aws ec2 modify-instance-attribute --instance-id $(curl -s http://169.254.169.254/latest/meta-data/instance-id) --groups sg-07xxxxxxxxxff sg-01xxxxxxxxxxxb4 --region ap-southeast-1

    Response: An error occurred (UnauthorizedOperation) when calling the ModifyInstanceAttribute operation: You are not authorized to perform this operation. Encoded authorization failure message: yi4-pN3H8UP_XN9V58g3tszKNQ2WG7NWzHDma4N3xmN3AmEUdJ2F-7di_0h0YDD3y5vk1tKYt8Z9WDlGH0yt1O4EdZUGyyjGgtzP3rPAfJrUPX2Khilm3sjVCzIoCYZU_xF2X9VEXwNxgMDPwgD37mRjdP5L-cOQytRP8FP6cya7hxS1aDJxfT1i7ZAxUiEnV0uKJshAEN-G3LSpEI6ULhFijNTMvSSnjqnD54muUv0fmJQgyH_PWyj_wDRLXmtu624_vATuugwl5Nrtafr2ch263GSMSeePTArNIr_W-Wz4NENpGnuJ7XpgDQbzFwqrUEJ_W6bvb55Ugjx4RQGv0g6vGax8gljHOACyzfZzxhVr1coQWpw_DUMpksy7Z_KrmG5oO8p0fq_3ddVtBzGWp7zHA0A3yZgZyMMs3byvc4hrotV2l6ZmG8vwUR5biWGp7bG0YUCZKH0RC3Cwc_MyeKOz4sSWd9bl08aC2MER_qoh4QrJa0PA8iBAIvFjetifoWFOdSWUXNnYwnoj-LyQ3EWadG-7T1Pvqd5b_22dDVDuK7LPNf7uGmhRVbH8R8NRnV0KZ1Ae2oLL-3muMlp0XA1NlED5ppNhcUgNpEf0LZG7JT7Ldv3WHwqScLmn8Llex28lZmxJi8soCdH_DwRzjTpUKWXRPqwd8HIKPkUQWTRzNKHwuw4

Linda
asked a year ago, 820 views
2 Answers
1

Hello, this IAM policy will only allow ec2:ModifyInstanceAttribute action on instances that have a tag key of Name and a tag value that starts with DevOps. It's not allowing the action on any SGs.

To fix it, you can add the ec2:ModifyInstanceSecurityGroups action to your policy's "Action" array:

"Action": [
    "ec2:ModifyInstanceAttribute",
    "ec2:ModifyInstanceSecurityGroups"
],
answered a year ago
  • I get the following error: "Invalid Action: The action ec2:ModifyInstanceSecurityGroups does not exist"

0

Here is the answer after 7 months! : ) The ec2:ModifyInstanceAttribute action does not support the ec2:ResourceTag/Name condition key. This is why your policy works when you remove the ec2:ResourceTag/Name condition.

AWS does not support using resource-level permissions with EC2 tags for the ec2:ModifyInstanceAttribute action. You can only specify the * wildcard for the Resource element of such statements, meaning that the action applies to all resources.

If you want to restrict the ec2:ModifyInstanceAttribute action to specific instances, you would need to do so indirectly. For example, you could create an IAM policy that allows users to run this action only if they are also allowed to start or stop the instances. Here's an example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowStartStopOfDevOpsInstances",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:ModifyInstanceAttribute"
            ],
            "Resource": "arn:aws:ec2:ap-southeast-1:123456789012:instance/*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Name": "DevOps*"
                }
            }
        }
    ]
}

In this policy, the ec2:StartInstances and ec2:StopInstances actions support the ec2:ResourceTag/Name condition key, so they are restricted to instances with a Name tag that starts with DevOps. The ec2:ModifyInstanceAttribute action is allowed for all instances, but only if the user is also allowed to start or stop the instances.

Please note that this is a workaround and might not perfectly fit your use case. It's always a good idea to test IAM policies thoroughly to ensure they provide the desired level of access.

answered 9 months ago
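A way to reason about the original UnauthorizedOperation, added here as an editor's example and not code from either answer or from AWS: a toy model of how IAM authorizes the poster's modify-instance-attribute --groups call. The model assumes that the call is checked against every resource it touches, the instance and each security group passed with --groups (the EC2 entry in the AWS Service Authorization Reference lists instance, security-group and volume resource types for ec2:ModifyInstanceAttribute), so a StringLike condition on ec2:ResourceTag/Name in a single Resource "*" statement is also applied to the security groups, which carry no Name tag starting with DevOps. The ARNs, IDs and tags are constructed sample data, and the split policy is one possible fix under that assumption. Only the two condition operators and two keys used on this page are modelled; Deny statements are not.

```python
"""Toy model of IAM authorizing one ec2:ModifyInstanceAttribute call.

Editor's example, not code from the thread or from AWS. Assumes the call is
checked against every resource it touches: the instance and each security
group given with --groups. All ARNs, IDs and tags below are constructed.
"""
import fnmatch

PREFIX = "arn:aws:ec2:ap-southeast-1:123456789012"
INSTANCE_ARN = f"{PREFIX}:instance/i-0123456789abcdef0"
SG_A_ARN = f"{PREFIX}:security-group/sg-0aaaaaaaaaaaaaaaa"
SG_B_ARN = f"{PREFIX}:security-group/sg-0bbbbbbbbbbbbbbbb"

# Constructed resources touched by:
#   aws ec2 modify-instance-attribute --instance-id i-0123456789abcdef0 \
#     --groups sg-0aaaaaaaaaaaaaaaa sg-0bbbbbbbbbbbbbbbb --region ap-southeast-1
REQUEST_RESOURCES = {
    INSTANCE_ARN: {"Name": "DevOps-web-1"},  # matches DevOps*
    SG_A_ARN: {"Name": "web-sg"},            # has a Name tag, but not DevOps*
    SG_B_ARN: {},                            # no Name tag at all
}

# The poster's statement as written on the page: one statement, Resource "*".
POSTER_POLICY = [{
    "Sid": "AllowModifyDevOpsInstances",
    "Effect": "Allow",
    "Action": ["ec2:ModifyInstanceAttribute"],
    "Resource": "*",
    "Condition": {
        "StringLike": {"ec2:ResourceTag/Name": ["DevOps*"]},
        "StringEquals": {"aws:RequestedRegion": "ap-southeast-1"},
    },
}]

# Same intent split by resource type: the tag condition is applied to the
# instance only; a second statement covers the security groups in the request.
SPLIT_POLICY = [{
    "Sid": "AllowModifyDevOpsInstances",
    "Effect": "Allow",
    "Action": ["ec2:ModifyInstanceAttribute"],
    "Resource": f"{PREFIX}:instance/*",
    "Condition": {
        "StringLike": {"ec2:ResourceTag/Name": ["DevOps*"]},
        "StringEquals": {"aws:RequestedRegion": "ap-southeast-1"},
    },
}, {
    "Sid": "AllowSecurityGroupsInRequest",
    "Effect": "Allow",
    "Action": ["ec2:ModifyInstanceAttribute"],
    "Resource": f"{PREFIX}:security-group/*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-southeast-1"}},
}]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, tags, region):
    """Evaluate the Condition block for one resource (only the keys/operators used here)."""
    for operator, clauses in condition.items():
        for key, wanted in clauses.items():
            if key.startswith("ec2:ResourceTag/"):
                actual = tags.get(key[len("ec2:ResourceTag/"):])
            elif key == "aws:RequestedRegion":
                actual = region
            else:
                raise ValueError(f"condition key not modelled: {key}")
            if actual is None:
                return False  # key absent on this resource: a plain String* condition fails
            if operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, w) for w in _as_list(wanted))
            elif operator == "StringEquals":
                ok = actual in _as_list(wanted)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def resource_allowed(policy, action, arn, tags, region):
    """True if some Allow statement covers this action on this one resource."""
    for stmt in policy:
        if stmt["Effect"] != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(arn, p) for p in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), tags, region):
            return True
    return False


def evaluate_call(policy, resources=REQUEST_RESOURCES, region="ap-southeast-1"):
    """Return (call_allowed, denied_arns); one unauthorized resource fails the whole call."""
    denied = [arn for arn, tags in resources.items()
              if not resource_allowed(policy, "ec2:ModifyInstanceAttribute", arn, tags, region)]
    return (not denied, denied)


if __name__ == "__main__":
    for name, policy in (("poster's statement", POSTER_POLICY), ("split policy", SPLIT_POLICY)):
        allowed, denied = evaluate_call(policy)
        print(f"{name}: {'allowed' if allowed else 'UnauthorizedOperation'} {denied}")
```

Whether this reading matches the real failure can be checked from the encoded message in the poster's comment: aws sts decode-authorization-message --encoded-message '<value>' (the caller needs sts:DecodeAuthorizationMessage) returns JSON whose context.resource field names the resource IAM rejected. If that is a security-group ARN rather than the instance, the split above is the shape of the fix; if it is the instance ARN, the tag or region condition is what failed.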
