Forbid IAM user to assume role with every tag, except defined ones

Question

Hi,

I want to forbid IAM user (for example: support-IAM ) to authenticate to the EC2 instance user ( for example : root-EC2 ), but still be able to authenticate as other EC2 instance user ( for example: support-EC2 ) , for that, as i understood i need to forbid this user to set `--tags` with value `root-EC2` (or in my case, everything **except** `support-EC2`) while using command `aws sts assume-role`, but how can i do it?

P.S im using `AWS session manager`

Joann

Accepted Answer

Okay, i suppose i found the answer myself, i probably need to add something like 
```
            "Condition": {
                "StringEquals": {
                    "iam:ResourceTag/SSMSessionRunAs": "${aws:username}"
                }
            }
```
to the "Trust relationship" in the Role. Then each user will need to provide exact the same Tag while assuming the role as their IAM username is, and by using this separation i can separate users in EC2 instance.

Forbid IAM user to assume role with every tag, except defined ones

相关内容