1 Answer
- Newest
- Most votes
- Most comments
0
That article should be fine, though it's a bit confusing! As it says, "Note: Modify key1 and value1 in the example policies to include the tags and values that apply to your resources". So are you using their examples with "key1" replaced by "UserID"?
Since your tag is "UserID" I'm guessing you want to make sure any instance created has this tag key, but you don't care about the specific value. So the section "Launch EC2 instances that have at least one matching tag key" is what you're after? If so, e.g.:
"Condition": {
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"UserID"
]
}
}
Relevant content
- AWS OFFICIALUpdated 4 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
Hi,
Tried with changes mentioned above still able to create instances without tag
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowToDescribeAll", "Effect": "Allow", "Action": [ "ec2:Describe*" ], "Resource": "" }, { "Sid": "AllowRunInstances", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:::image/", "arn:aws:ec2:::snapshot/", "arn:aws:ec2:::subnet/", "arn:aws:ec2:::network-interface/", "arn:aws:ec2:::security-group/", "arn:aws:ec2:::key-pair/" ] }, { "Sid": "AllowRunInstancesWithRestrictions", "Effect": "Allow", "Action": [ "ec2:CreateVolume", "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:::volume/", "arn:aws:ec2:::instance/", "arn:aws:ec2:::network-interface/" ], "Condition": { "StringEquals": { "aws:RequestTag/key1": "value1", "aws:RequestTag/key2": "value2" }, "ForAnyValue:StringEquals": { "aws:TagKeys": [ "key1", "