By using AWS re:Post, you agree to the Terms of Use

Forbid IAM user to assume role with every tag, except defined ones



I want to forbid IAM user (for example: support-IAM ) to authenticate to the EC2 instance user ( for example : root-EC2 ), but still be able to authenticate as other EC2 instance user ( for example: support-EC2 ) , for that, as i understood i need to forbid this user to set --tags with value root-EC2 (or in my case, everything except support-EC2) while using command aws sts assume-role, but how can i do it?

P.S im using AWS session manager


1 Answer
Accepted Answer

Okay, i suppose i found the answer myself, i probably need to add something like

            "Condition": {
                "StringEquals": {
                    "iam:ResourceTag/SSMSessionRunAs": "${aws:username}"

to the "Trust relationship" in the Role. Then each user will need to provide exact the same Tag while assuming the role as their IAM username is, and by using this separation i can separate users in EC2 instance.

answered 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions