Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Forbid IAM user to assume role with every tag, except defined ones

0

Hi,

I want to forbid IAM user (for example: support-IAM ) to authenticate to the EC2 instance user ( for example : root-EC2 ), but still be able to authenticate as other EC2 instance user ( for example: support-EC2 ) , for that, as i understood i need to forbid this user to set --tags with value root-EC2 (or in my case, everything except support-EC2) while using command aws sts assume-role, but how can i do it?

P.S im using AWS session manager

Joann

Topics
Management & GovernanceComputeSecurity, Identity, & Compliance
Tags
Amazon EC2AWS Systems ManagerAWS Identity and Access ManagementSession Management
Language
English
asked 4 years ago479 views
1 Answer
0
Accepted Answer

Okay, i suppose i found the answer myself, i probably need to add something like

            "Condition": {
                "StringEquals": {
                    "iam:ResourceTag/SSMSessionRunAs": "${aws:username}"
                }
            }

to the "Trust relationship" in the Role. Then each user will need to provide exact the same Tag while assuming the role as their IAM username is, and by using this separation i can separate users in EC2 instance.

answered 4 years ago
EXPERT
reviewed 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content