By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Forbid IAM user to assume role with every tag, except defined ones

0

Hi,

I want to forbid IAM user (for example: support-IAM ) to authenticate to the EC2 instance user ( for example : root-EC2 ), but still be able to authenticate as other EC2 instance user ( for example: support-EC2 ) , for that, as i understood i need to forbid this user to set --tags with value root-EC2 (or in my case, everything except support-EC2) while using command aws sts assume-role, but how can i do it?

P.S im using AWS session manager

Joann

Topics
Security, Identity, & ComplianceComputeManagement & Governance
Tags
AWS Identity and Access ManagementAmazon EC2AWS Systems ManagerSession Management
Language
English
Joann Babak
asked 2 years ago287 views
1 Answer
0
Accepted Answer

Okay, i suppose i found the answer myself, i probably need to add something like

            "Condition": {
                "StringEquals": {
                    "iam:ResourceTag/SSMSessionRunAs": "${aws:username}"
                }
            }

to the "Trust relationship" in the Role. Then each user will need to provide exact the same Tag while assuming the role as their IAM username is, and by using this separation i can separate users in EC2 instance.

Joann Babak
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content