ec2:ResourceTag/Name not working with IAM Policy

0

Hi,

My IAM Policy is as below but not work. I can modify security groups after removing "ec2:ResourceTag/Name".

aws ec2 modify-instance-attribute --instance-id  $INSTANCEID --groups $SGID --region ap-southeast-1

How to fix it?

        {
            "Sid": "AllowModifyDevOpsInstances",
            "Effect": "Allow",
            "Action": [
                "ec2:ModifyInstanceAttribute"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Name": [
                        "DevOps*"
                    ]
                },
                "StringEquals": {
                    "aws:RequestedRegion": "ap-southeast-1"
                }
            }
        },
  • For background: What are you intending your policy to do?

  • I want this iam role can modify security groups

  • Hi Linda,

    Could you paste your aws cli exact output, please?

  • Hi Ercan,

    my command: aws ec2 modify-instance-attribute --instance-id $(curl -s http://169.254.169.254/latest/meta-data/instance-id) --groups sg-07xxxxxxxxxff sg-01xxxxxxxxxxxb4 --region ap-southeast-1

    Response: An error occurred (UnauthorizedOperation) when calling the ModifyInstanceAttribute operation: You are not authorized to perform this operation. Encoded authorization failure message: yi4-pN3H8UP_XN9V58g3tszKNQ2WG7NWzHDma4N3xmN3AmEUdJ2F-7di_0h0YDD3y5vk1tKYt8Z9WDlGH0yt1O4EdZUGyyjGgtzP3rPAfJrUPX2Khilm3sjVCzIoCYZU_xF2X9VEXwNxgMDPwgD37mRjdP5L-cOQytRP8FP6cya7hxS1aDJxfT1i7ZAxUiEnV0uKJshAEN-G3LSpEI6ULhFijNTMvSSnjqnD54muUv0fmJQgyH_PWyj_wDRLXmtu624_vATuugwl5Nrtafr2ch263GSMSeePTArNIr_W-Wz4NENpGnuJ7XpgDQbzFwqrUEJ_W6bvb55Ugjx4RQGv0g6vGax8gljHOACyzfZzxhVr1coQWpw_DUMpksy7Z_KrmG5oO8p0fq_3ddVtBzGWp7zHA0A3yZgZyMMs3byvc4hrotV2l6ZmG8vwUR5biWGp7bG0YUCZKH0RC3Cwc_MyeKOz4sSWd9bl08aC2MER_qoh4QrJa0PA8iBAIvFjetifoWFOdSWUXNnYwnoj-LyQ3EWadG-7T1Pvqd5b_22dDVDuK7LPNf7uGmhRVbH8R8NRnV0KZ1Ae2oLL-3muMlp0XA1NlED5ppNhcUgNpEf0LZG7JT7Ldv3WHwqScLmn8Llex28lZmxJi8soCdH_DwRzjTpUKWXRPqwd8HIKPkUQWTRzNKHwuw4

Linda
asked a year ago932 views
2 Answers
1

Hello, this IAM policy will only allow ec2:ModifyInstanceAttribute action on instances that have a tag key of Name and a tag value that starts with DevOps. It's not allowing the action on any SGs.

To fix it, you can add the ec2:ModifyInstanceSecurityGroups action to your policy's "Action" array:

"Action": [
    "ec2:ModifyInstanceAttribute",
    "ec2:ModifyInstanceSecurityGroups"
],
profile picture
answered a year ago
  • I will got the following error: "Invalid Action: The action ec2:ModifyInstanceSecurityGroups does not exist"

0

Here is the answer after 7 months! : ) The ec2:ModifyInstanceAttribute action does not support the ec2:ResourceTag/Name condition key. This is why your policy works when you remove the ec2:ResourceTag/Name condition.

AWS does not support using resource-level permissions with EC2 tags for the ec2:ModifyInstanceAttribute action. You can only specify the * wildcard for the Resource element of such statements, meaning that the action applies to all resources.

If you want to restrict the ec2:ModifyInstanceAttribute action to specific instances, you would need to do so indirectly. For example, you could create an IAM policy that allows users to run this action only if they are also allowed to start or stop the instances. Here's an example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowStartStopOfDevOpsInstances",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:ModifyInstanceAttribute"
            ],
            "Resource": "arn:aws:ec2:ap-southeast-1:123456789012:instance/*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Name": "DevOps*"
                }
            }
        }
    ]
}

In this policy, the ec2:StartInstances and ec2:StopInstances actions support the ec2:ResourceTag/Name condition key, so they are restricted to instances with a Name tag that starts with DevOps. The ec2:ModifyInstanceAttribute action is allowed for all instances, but only if the user is also allowed to start or stop the instances.

Please note that this is a workaround and might not perfectly fit your use case. It's always a good idea to test IAM policies thoroughly to ensure they provide the desired level of access.

profile picture
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions