Forbid IAM user to assume role with every tag, except defined ones
0
Hi,
I want to forbid IAM user (for example: support-IAM ) to authenticate to the EC2 instance user ( for example : root-EC2 ), but still be able to authenticate as other EC2 instance user ( for example: support-EC2 ) , for that, as i understood i need to forbid this user to set --tags with value root-EC2 (or in my case, everything except support-EC2) while using command aws sts assume-role, but how can i do it?
P.S im using AWS session manager
Joann
1 Answers
0
Accepted Answer
Okay, i suppose i found the answer myself, i probably need to add something like
"Condition": {
"StringEquals": {
"iam:ResourceTag/SSMSessionRunAs": "${aws:username}"
}
}to the "Trust relationship" in the Role. Then each user will need to provide exact the same Tag while assuming the role as their IAM username is, and by using this separation i can separate users in EC2 instance.
Joann Babak
answered 5 days ago
Relevant questions
Forbid IAM user to assume role with every tag, except defined ones
Accepted AnswerJoann Babakasked 6 days agoShould I create IAM role to allow AWS service send events to my default bus
yukonasked a year agocan't view dynamodb table from EC2 ssh session
AWS-User-0596575asked 4 months agoLimit which IAM roles can be attached to an EC2 instance by different IAM users
AWS-User-7869536asked 5 months agoAccess Denied error when using Lambda IAM role to access Amazon RDS for MySQL
Accepted AnswerAbhiasked 2 years agoHow can you restrict EC2 instances to assuming an IAM role based on the instance's tags?
derelkasked 4 months agoIAM Policy that allows only access to "Switch Role"
Bicchiasked 19 days agoSpecify Individual Instance In Trust Policy Of IAM Role
AWS-User-1977876asked 17 days agodetails of IAM role which is attached to ec2 instances with cloudshell
Accepted AnswerAWS-User-6176623asked 2 months agoRoles - changing tag depending on user assuming the role
Accepted AnswerJoann Babakasked 7 days ago
$PSStyle.OutputRendering = 'PlainText'