How to restrict a user from modifying an instance (ec2:ModifyInstanceAttribute)


Hi,

How can I restrict users from modifying instances based on tags?

"ec2:ModifyInstanceAttribute" doesn't support the condition key "ec2:ResourceTag". It seems there is no solution to this question? To be honest, it makes NO sense to me that "ec2:ModifyInstanceAttribute" doesn't support "ec2:ResourceTag". Why?

Right now the users are free to modify any of the instances. What I want is to allow users to modify only some of the instances, based on whatever attribute (like tags, which don't work, though).

Am I missing anything? Any advice is appreciated.

ckyaws
asked 5 years ago · 1111 views
2 Answers

Hello,

At this time, there isn't a way to restrict "ModifyInstanceAttribute" to a specific condition or resource. The action "ModifyInstanceAttribute" does not support any resource-level permissions or any condition keys.

https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html

I completely agree with you that this is a valid use case and these actions should support resource level permissions and conditions. This feature is requested by other customers as well and is a popular feature request. We are actively working on your feedback to address the issues listed in your post.

You can keep an eye on our blog[1] and news websites[2] for updates.
[1] http://aws.amazon.com/blogs/aws/
[2] http://aws.amazon.com/new/

Thanks for bringing this to our attention. Have a nice day :)

answered 5 years ago

To restrict instance type changes, use the ec2:Attribute service condition key as shown in the example below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ec2:ModifyInstanceAttribute",
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringNotLike": {
                    "ec2:Attribute/InstanceType": [
                        "t3.*"
                    ]
                }
            }
        }
    ]
}

References:

[1]: ec2:Attribute condition key https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html#attribute-key

[2]: Multivalued context keys https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html#reference_policies_condition-multi-valued-context-key

AWS
answered 5 months ago
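An added example, not part of either answer: a small Python evaluator that applies IAM's documented set-operator semantics to the Deny statement posted above, paired with an assumed Allow statement scoped by an ec2:ResourceTag/Team tag (the tag key, its value "web", and the availability of ec2:ResourceTag on this action are assumptions to verify against the current Service Authorization Reference, not something the answers state). It is a teaching approximation of IAM, not the real evaluation engine: resources are not matched because every statement here uses "*", and action names are compared literally. It shows three things the policy text alone does not: t3.* targets pass, non-t3 and differently cased types are explicitly denied, and a request that changes a different attribute carries no ec2:Attribute/InstanceType key, so ForAnyValue evaluates to false and the Deny does not fire.

```python
"""Toy IAM condition evaluator for the ForAnyValue:StringNotLike Deny above.

Added example with constructed inputs; it approximates the documented
semantics and is not AWS code.
"""
import re

ACTION = "ec2:ModifyInstanceAttribute"

# Constructed policy: the Deny from the second answer plus an assumed Allow
# scoped by a tag (tag key/value and ec2:ResourceTag support are assumptions).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ACTION,
            "Resource": "*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Team": "web"}},
        },
        {
            "Effect": "Deny",
            "Action": ACTION,
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringNotLike": {"ec2:Attribute/InstanceType": ["t3.*"]}
            },
        },
    ],
}


def _like(pattern, value):
    """IAM StringLike: case-sensitive, '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _match_op(op, patterns, value):
    """Apply one string operator to a single request value."""
    if op == "StringLike":
        return any(_like(p, value) for p in patterns)
    if op == "StringNotLike":
        return not any(_like(p, value) for p in patterns)
    if op == "StringEquals":
        return value in patterns
    if op == "StringNotEquals":
        return value not in patterns
    raise ValueError(f"unsupported operator {op}")


def condition_holds(condition, context):
    """Evaluate a Condition block; context maps keys to lists of request values.

    Documented set-operator rules: ForAnyValue needs some value to match and
    is False when the key is absent; ForAllValues needs every value to match
    and is True when the key is absent. Single-valued operators fail on a
    missing key and here expect exactly one value.
    """
    for qualified_op, block in condition.items():
        prefix, _, op = qualified_op.rpartition(":")
        for key, patterns in block.items():
            if isinstance(patterns, str):
                patterns = [patterns]
            values = context.get(key)
            if prefix == "ForAnyValue":
                ok = bool(values) and any(_match_op(op, patterns, v) for v in values)
            elif prefix == "ForAllValues":
                ok = all(_match_op(op, patterns, v) for v in (values or []))
            else:
                ok = bool(values) and len(values) == 1 and _match_op(op, patterns, values[0])
            if not ok:
                return False
    return True


def evaluate(policy, action, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'; an explicit Deny always wins."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_like(a, action) for a in actions):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed request contexts exercising the interesting cases.
CASES = {
    "tagged web, type t3.large": {"ec2:ResourceTag/Team": ["web"], "ec2:Attribute/InstanceType": ["t3.large"]},
    "tagged web, type m5.large": {"ec2:ResourceTag/Team": ["web"], "ec2:Attribute/InstanceType": ["m5.large"]},
    "tagged web, type T3.large (case)": {"ec2:ResourceTag/Team": ["web"], "ec2:Attribute/InstanceType": ["T3.large"]},
    "tagged db, type t3.large": {"ec2:ResourceTag/Team": ["db"], "ec2:Attribute/InstanceType": ["t3.large"]},
    "tagged web, other attribute": {"ec2:ResourceTag/Team": ["web"], "ec2:Attribute": ["disableApiTermination"]},
}


def run_cases():
    """Evaluate every constructed case and return name -> decision."""
    return {name: evaluate(POLICY, ACTION, ctx) for name, ctx in CASES.items()}


if __name__ == "__main__":
    for name, decision in run_cases().items():
        print(f"{name:36s} -> {decision}")
```

Because the posted statement is a Deny, it grants nothing on its own and only narrows whatever Allow the principal already has; the "other attribute" case shows that it does not block changes to attributes other than instanceType, which is the intended effect but worth confirming before relying on it.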
