Hello,
At this time, there isn't a way to restrict "ModifyInstanceAttribute" to a specific condition or resource. The action "ModifyInstanceAttribute" does not support any resource-level permissions or any condition keys.
https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html
I completely agree with you that this is a valid use case and these actions should support resource level permissions and conditions. This feature is requested by other customers as well and is a popular feature request. We are actively working on your feedback to address the issues listed in your post.
You can keep an eye on our blog[1] and news websites[2] for updates.
[1] http://aws.amazon.com/blogs/aws/
[2] http://aws.amazon.com/new/
Thanks for bringing this to our attention. Have a nice day :)
Hi,
I have a similar requirement. I am looking to restrict users so that they are not able to change the instance type to anything that is not allowed in the IAM policy. Please let me know if there is any solution currently available to implement this.
I would like to restrict the user from changing the instance type based on the condition below. Right now, users are able to change the instance type to anything once they are able to create the instance with the allowed types.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1624884618883",
      "Action": [
        "ec2:RunInstances"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t2.micro",
            "t3.micro",
            "t3.nano"
          ]
        }
      }
    }
  ]
}
Edited by: SukumarEnuguri on Jun 28, 2021 5:46 AM
To restrict instance type changes, use the ec2:Attribute condition key as shown in the example below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:ModifyInstanceAttribute",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringNotLike": {
          "ec2:Attribute/InstanceType": [
            "t3.*"
          ]
        }
      }
    }
  ]
}
References:
[1] ec2:Attribute condition key: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html#attribute-key
[2] Multivalued context keys: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html#reference_policies_condition-multi-valued-context-key
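To see concretely why the RunInstances Deny in the question leaves ModifyInstanceAttribute uncovered, and how the ec2:Attribute/InstanceType Deny in the answer closes that gap, here is an added example that is not part of the original posts and not AWS's authorization engine: a toy Python evaluator for the subset of the IAM policy language these two policies use. Everything in it is constructed for the illustration: the two policies are embedded as data (the question's instance-type fragments joined into t3.micro and t3.nano, and its resource ARN written with wildcards for region and account so it matches a real instance ARN), the instance ARN and request contexts are made up, and the missing-key rule it applies (condition false for single-valued and ForAnyValue operators, vacuously true for ForAllValues) is a simplification it assumes rather than a full model of IAM evaluation.

```python
import fnmatch

# Added illustration (not AWS's authorization engine): a small evaluator for
# the subset of IAM policy language used by the two Deny policies in this
# thread, so the difference between them can be exercised offline.
#
# Assumptions/simplifications: only Deny statements are evaluated, because the
# question is whether a Deny fires; Action and Resource use glob matching; a
# condition key missing from the request context makes the condition false,
# except under ForAllValues, where it is vacuously true.

# The RunInstances policy from the question (instance-type fragments joined,
# region/account written as wildcards so the ARN matches real instance ARNs).
RUN_INSTANCES_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1624884618883",
        "Action": ["ec2:RunInstances"],
        "Effect": "Deny",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotEquals": {
            "ec2:InstanceType": ["t2.micro", "t3.micro", "t3.nano"]}},
    }],
}

# The ModifyInstanceAttribute policy from the answer.
MODIFY_ATTRIBUTE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "ec2:ModifyInstanceAttribute",
        "Resource": "*",
        "Condition": {"ForAnyValue:StringNotLike": {
            "ec2:Attribute/InstanceType": ["t3.*"]}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _string_op(op, value, expected):
    """Single-value comparison for the String* operators used above."""
    if op == "StringEquals":
        return value in expected
    if op == "StringNotEquals":
        return value not in expected
    if op == "StringLike":
        return any(fnmatch.fnmatchcase(value, p) for p in expected)
    if op == "StringNotLike":
        return not any(fnmatch.fnmatchcase(value, p) for p in expected)
    raise ValueError(f"operator not supported by this toy evaluator: {op}")


def condition_matches(condition, context):
    """True when every (operator, key) pair in the Condition block holds."""
    for operator, key_values in condition.items():
        set_qualifier, _, op = operator.rpartition(":")
        for key, expected in key_values.items():
            expected = _as_list(expected)
            if key not in context:
                if set_qualifier == "ForAllValues":
                    continue  # vacuously true: the classic ForAllValues pitfall
                return False  # missing key: no match, so a Deny does not fire
            values = _as_list(context[key])
            if set_qualifier == "ForAnyValue":
                ok = any(_string_op(op, v, expected) for v in values)
            elif set_qualifier == "ForAllValues":
                ok = all(_string_op(op, v, expected) for v in values)
            else:
                ok = _string_op(op, values[0], expected)
            if not ok:
                return False
    return True


def is_denied(policy, action, resource, context):
    """Does any Deny statement in `policy` match this request?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


# Constructed instance ARN for the scenarios below.
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"


def demo():
    """Run the scenarios from the thread; returns {scenario: denied?}."""
    run, mod = RUN_INSTANCES_POLICY, MODIFY_ATTRIBUTE_POLICY
    return {
        # Launching: only the listed small types get through.
        "run t2.micro": is_denied(run, "ec2:RunInstances", INSTANCE,
                                  {"ec2:InstanceType": "t2.micro"}),
        "run m5.large": is_denied(run, "ec2:RunInstances", INSTANCE,
                                  {"ec2:InstanceType": "m5.large"}),
        # The gap the question describes: the RunInstances Deny never looks at
        # ModifyInstanceAttribute, so a later resize to m5.large is untouched.
        "resize m5.large, RunInstances policy only": is_denied(
            run, "ec2:ModifyInstanceAttribute", INSTANCE,
            {"ec2:Attribute/InstanceType": "m5.large"}),
        # The answer's policy closes it while still allowing t3.* resizes ...
        "resize m5.large": is_denied(mod, "ec2:ModifyInstanceAttribute", INSTANCE,
                                     {"ec2:Attribute/InstanceType": "m5.large"}),
        "resize t3.large": is_denied(mod, "ec2:ModifyInstanceAttribute", INSTANCE,
                                     {"ec2:Attribute/InstanceType": "t3.large"}),
        # ... and a call that sets some other attribute (InstanceType key absent
        # from the context) is not swept up, which is why the answer uses
        # ForAnyValue rather than ForAllValues.
        "change a different attribute": is_denied(
            mod, "ec2:ModifyInstanceAttribute", INSTANCE,
            {"ec2:Attribute/DisableApiTermination": "true"}),
    }


if __name__ == "__main__":
    for scenario, denied in demo().items():
        print(f"{scenario:45s} -> {'DENIED' if denied else 'allowed'}")
```

The last scenario is the one to keep in mind when adapting the answer's policy: with ForAllValues instead of ForAnyValue, a missing ec2:Attribute/InstanceType key would make the condition true and the Deny would block every ModifyInstanceAttribute call, not just resizes.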