How to restrict user to modify instance (ec2:ModifyInstanceAttribute)

0

Hi,

How can I restrict users' ability to modify instances based on tags?

"ec2:ModifyInstanceAttribute" doesn't support the condition key "ec2:ResourceTag". It seems there is no solution to this question? To be honest, it totally makes NO sense to me that "ec2:ModifyInstanceAttribute" doesn't support "ec2:ResourceTag". Why?

Now the users are free to modify any of the instances. What I want to do is allow users to only modify some of the instances, based on whatever attributes (like tags, which don't work though).

Am I missing anything? Any advice is appreciated.

ckyaws
asked 5 years ago · 1008 views
3 Answers
1

Hello,

At this time, there isn't a way to restrict "ModifyInstanceAttribute" to a specific condition or resource. The action "ModifyInstanceAttribute" does not support any resource-level permissions or any condition keys.

https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html

I completely agree with you that this is a valid use case and these actions should support resource level permissions and conditions. This feature is requested by other customers as well and is a popular feature request. We are actively working on your feedback to address the issues listed in your post.

You can keep an eye on our blog[1] and news websites[2] for updates.
[1] http://aws.amazon.com/blogs/aws/
[2] http://aws.amazon.com/new/

Thanks for bringing this to our attention. Have a nice day :)

answered 5 years ago
0

Hi,
I have a similar requirement. I am looking to restrict users so they are not able to change the instance type to anything that is not allowed in the IAM policy. Please let me know if there is any solution currently available to implement this?

I would like to restrict the user from changing the instance type based on the condition below. Right now the users will be able to change the instance type to anything once they are able to create the instance with the allowed types.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1624884618883",
            "Action": [
                "ec2:RunInstances"
            ],
            "Effect": "Deny",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:InstanceType": [
                        "t2.micro",
                        "t3.micro",
                        "t3.nano"
                    ]
                }
            }
        }
    ]
}

Edited by: SukumarEnuguri on Jun 28, 2021 5:46 AM

answered 3 years ago
0

To restrict instance type changes, use the ec2:Attribute service-specific condition key as shown in the example below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ec2:ModifyInstanceAttribute",
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringNotLike": {
                    "ec2:Attribute/InstanceType": [
                        "t3.*"
                    ]
                }
            }
        }
    ]
}

References:

[1]: ec2:Attribute condition key https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html#attribute-key

[2]: Multivalued context keys https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html#reference_policies_condition-multi-valued-context-key

AWS
answered 3 months ago
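Why the answer above pairs the negated StringNotLike with the ForAnyValue set operator is easy to miss: in IAM, a plain negated operator evaluates to true when the key is absent from the request context, so a Deny without ForAnyValue would block every ModifyInstanceAttribute call, including ones that never touch the instance type. The following Python is an added illustration written for this page, not AWS code or a real policy evaluator; it models only StringNotLike (with and without ForAnyValue) and the missing-key behaviour as an assumption, and the request contexts are constructed.

```python
import json
import re

# The Deny statement from the answer above, copied as data.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "ec2:ModifyInstanceAttribute",
    "Resource": "*",
    "Condition": {"ForAnyValue:StringNotLike": {"ec2:Attribute/InstanceType": ["t3.*"]}}
  }]
}""")

def string_like(value, pattern):
    """IAM StringLike: case-sensitive, with '*' and '?' as the only wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def string_not_like(operator, patterns, values):
    """Evaluate (ForAnyValue:)StringNotLike for one key against the list of
    request-context values. Modelled IAM behaviour (assumption): a plain negated
    operator is TRUE when the key is absent; ForAnyValue is FALSE when absent."""
    if values is None:
        return not operator.startswith("ForAnyValue:")
    unmatched = [v for v in values if not any(string_like(v, p) for p in patterns)]
    if operator.startswith("ForAnyValue:"):
        return bool(unmatched)            # some value matches none of the patterns
    return len(unmatched) == len(values)  # every value matches none of the patterns

def deny_applies(policy, action, context):
    """True when a Deny statement of the policy applies to the request.
    context maps condition keys to the list of values the request carries.
    Only StringNotLike-family operators are modelled here."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not string_like(action, stmt["Action"]):
            continue
        ok = True
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, patterns in pairs.items():
                ok = ok and string_not_like(operator, patterns, context.get(key))
        if ok:
            return True
    return False

def without_set_operator(policy):
    """Same policy with the ForAnyValue prefix dropped, to show why it matters."""
    text = json.dumps(policy).replace("ForAnyValue:StringNotLike", "StringNotLike")
    return json.loads(text)
```

With the constructed contexts, changing the type to m5.large is denied, changing it to t3.large is not, and a call that only sets DisableApiTermination is denied only by the variant without ForAnyValue.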
