How can I restrict users to modify instances based on tags?

"ec2:ModifyInstanceAttribute" doesn't support the condition key "ec2:ResourceTag". It seems there is no solution to this question? To be honest, it totally makes NO sense to me that "ec2:ModifyInstanceAttribute" doesn't support "ec2:ResourceTag". Why?

Now the users are free to modify any of the instances. What I want to do is allow users to modify only some of the instances, based on whatever attributes (like tags, which don't work though).

Am I missing anything? Any advice is appreciated.

At this time, there isn't a way to restrict "ModifyInstanceAttribute" to a specific condition or resource. The action "ModifyInstanceAttribute" does not support any resource-level permissions or any condition keys.

I completely agree with you that this is a valid use case and these actions should support resource level permissions and conditions. This feature is requested by other customers as well and is a popular feature request. We are actively working on your feedback to address the issues listed in your post.

You can keep an eye on our blog[1] and news websites[2] for updates.

Thanks for bringing this to our attention. Have a nice day :)

answered 5 years ago

To restrict instance type changes, use the ec2:Attribute service condition key as shown in the example below:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": "ec2:ModifyInstanceAttribute",
                "Resource": "*",
                "Condition": {
                    "ForAnyValue:StringNotLike": {
                        "ec2:Attribute/InstanceType": [
                            "<ALLOWED-INSTANCE-TYPE-PATTERN>"
                        ]
                    }
                }
            }
        ]
    }

The array holds the instance type patterns that should remain permitted (the original post cuts off before listing them; the placeholder above stands in for that list). Any ModifyInstanceAttribute request that sets InstanceType to a value outside the listed patterns is explicitly denied.

[1]: ec2:Attribute condition key

[2]: Multivalued context keys

answered 5 months ago
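Added example, not code from the question or either answer: a small offline evaluator in Python that applies the Deny statement above, paired with a broad Allow, to a few constructed ModifyInstanceAttribute requests. The allowed patterns `t3.*` and `m5.large` are assumed values standing in for the list the answer elides. It shows the two things a practitioner usually wants to confirm before deploying the policy: a change to an instance type outside the list is explicitly denied, while a change to a different attribute (no InstanceType in the request context) is untouched by the Deny, because a ForAnyValue test whose key is absent evaluates to false (the documented multivalued-key rule, applied here as an assumption about the request context). Resource matching is skipped since both statements use `"Resource": "*"`, which is also why, as the first answer notes, this policy cannot be scoped to individual instances by tag.

```python
import re

# Constructed policy: the Deny from the answer above plus a broad Allow to be overridden.
# The instance type patterns are assumed values, not from the original post.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:ModifyInstanceAttribute", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": "ec2:ModifyInstanceAttribute",
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringNotLike": {
                    "ec2:Attribute/InstanceType": ["t3.*", "m5.large"]
                }
            },
        },
    ],
}


def iam_like(value: str, pattern: str) -> bool:
    """Case-sensitive IAM StringLike match: '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block against the request context.

    Supports StringLike / StringNotLike, optionally with the ForAnyValue qualifier.
    Assumed key-absence rules: ForAnyValue with a missing key is false; the unqualified
    StringLike is false and the unqualified (negated) StringNotLike is true.
    """
    for operator, tests in condition.items():
        qualifier, _, base = operator.rpartition(":")
        if base not in ("StringLike", "StringNotLike") or qualifier not in ("", "ForAnyValue"):
            raise NotImplementedError(operator)
        negate = base == "StringNotLike"
        for key, patterns in tests.items():
            patterns = [patterns] if isinstance(patterns, str) else list(patterns)
            values = context.get(key)
            if values is None:
                if qualifier == "ForAnyValue" or not negate:
                    return False
                continue  # unqualified StringNotLike is satisfied by a missing key

            def one(v: str) -> bool:
                hit = any(iam_like(v, p) for p in patterns)
                return not hit if negate else hit

            ok = any(one(v) for v in values) if qualifier == "ForAnyValue" else all(one(v) for v in values)
            if not ok:
                return False
    return True


def evaluate(policy: dict, action: str, context: dict) -> str:
    """Return 'Deny (explicit)', 'Allow' or 'Deny (implicit)' for one request."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if not any(iam_like(action, a) for a in actions):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny (explicit)"  # an explicit Deny always wins
        allowed = True
    return "Allow" if allowed else "Deny (implicit)"


if __name__ == "__main__":
    # Constructed request contexts: each maps the attribute being set to its value.
    cases = [
        ("resize to t3.medium", {"ec2:Attribute/InstanceType": ["t3.medium"]}),
        ("resize to p3.16xlarge", {"ec2:Attribute/InstanceType": ["p3.16xlarge"]}),
        ("resize to m5.xlarge", {"ec2:Attribute/InstanceType": ["m5.xlarge"]}),
        ("change userData only", {}),
    ]
    for label, ctx in cases:
        print(f"{label:24s} -> {evaluate(POLICY, 'ec2:ModifyInstanceAttribute', ctx)}")
```

Running it prints one decision per constructed request; note that the userData case is allowed even though the Deny is in place, so the Deny on InstanceType must not be mistaken for a restriction on which instances a user may modify.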

