Home / server / Questions / 723120
In Process
kenwarner
Asked: 2015-09-18 11:36:13 +0800 CST

Create an AWS IAM policy that only allows resources to be created within a certain resource group?

  • 772

In my AWS account we have 3 different applications, A, B, C.

I want to create an IAM policy for the B team that allows them to create new EC2 instances, but limit it to be tagged within the B resource group, or some other constraint that can definitively associate that new instance with the B group. Is that possible?

amazon-web-services

1 Answers

  1. Yes, this is absolutely possible with IAM, using the Condition element. The Condition element lets you build expressions in which you can use Boolean operators to match against a condition, which in your case will be a resource with a specific tag.

    For example, if you tag all the application B resources with "GroupB", the below IAM policy will restrict a user to being able to Start, Stop, and Reboot only EC2 resources that have that tag: 

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",      
        "ec2:RebootInstances"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/GroupB":"true"
        }
      },
      "Resource": [
        "arn:aws:ec2:your_region:your_account_ID:instance/*"
      ],
      "Effect": "Allow"
    }
  ]
}

    You can find more information on Resource Groups on the AWS "What Are Resource Groups" page.

    • 7