Please help me understand condition keys

0

Dear Experts,

I am using the post below as a reference. If you look at the reference, I can clearly see multiple attributes (if they are called attributes) mentioned in the condition keys column, but the poster is saying "At this time, there isn't a way to restrict "ModifyInstanceAttribute" to specific condition or resource. The action "ModifyInstanceAttribute" does not support any resource level permissions or any condition keys.

https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html "

But I can clearly see options in the condition key column. What am I missing here?

Asked 9 months ago, 193 views
2 Answers
0

Hi,

ec2:ModifyInstanceAttribute does support the conditions stated in the link you posted. Here's also an example of a valid policy using conditions:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": "ec2:ModifyInstanceAttribute",
			"Resource": "arn:aws:ec2:*:111111111111:instance/*",
			"Condition": {
				"StringEqualsIfExists": {
					"aws:ResourceTag/example": "works"
				}
			}
		}
	]
}

Could you elaborate on what you mean by:

the poster is saying " At this time, there isn't a way to restrict "ModifyInstanceAttribute" to specific condition or resource.

AWS
Expert
Answered 9 months ago
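
Added example (not part of the answer above and not AWS code): a simplified local model of how the `StringEquals` and `StringEqualsIfExists` operators treat a request in which `aws:ResourceTag/example` is absent, applied to the condition from the policy above. The helper names and sample tags are constructed for illustration, and only single string values are modelled.

```python
# Simplified local model of two IAM string condition operators (not AWS code).
# A context key that is missing from the request is simply absent from the dict.

def string_equals(context, key, expected):
    # StringEquals: a missing context key never matches.
    return key in context and context[key] == expected

def string_equals_if_exists(context, key, expected):
    # ...IfExists: a missing context key makes the condition evaluate to true.
    return key not in context or context[key] == expected

OPERATORS = {
    "StringEquals": string_equals,
    "StringEqualsIfExists": string_equals_if_exists,
}

def condition_allows(condition, context):
    """Return True when every operator/key pair in the Condition block matches."""
    for op, pairs in condition.items():
        check = OPERATORS[op]
        for key, expected in pairs.items():
            if not check(context, key, expected):
                return False
    return True

def request_context(instance_tags):
    # aws:ResourceTag/<key> is only present when the resource carries that tag.
    return {f"aws:ResourceTag/{k}": v for k, v in instance_tags.items()}

# Condition from the policy above, and a stricter variant for comparison.
ANSWER_CONDITION = {"StringEqualsIfExists": {"aws:ResourceTag/example": "works"}}
STRICT_CONDITION = {"StringEquals": {"aws:ResourceTag/example": "works"}}

# Constructed sample instances (tags are made up for this example).
SAMPLES = {
    "tagged-match": {"example": "works"},
    "tagged-other": {"example": "broken"},
    "untagged": {},
}

def evaluate_all():
    """Map sample name -> (allowed with IfExists, allowed with StringEquals)."""
    return {
        name: (condition_allows(ANSWER_CONDITION, request_context(tags)),
               condition_allows(STRICT_CONDITION, request_context(tags)))
        for name, tags in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, (if_exists, strict) in evaluate_all().items():
        print(f"{name:13} IfExists={if_exists!s:5} StringEquals={strict}")
```

For the untagged instance the `IfExists` condition evaluates to true, so a policy meant to apply only to instances carrying the tag needs the plain `StringEquals` form.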
0

I am struggling to see if this is even possible.

Everything I have looked at myself says you can't create an IAM policy that matches the DeleteOnTermination value of ModifyInstanceAttribute.

Expert
Answered 9 months ago
