I have created an IAM policy to deny creating EBS volumes if the volume is not tagged with both the keys "empname" and "team". The policy is attached to a test user.
When I try to create a volume with no tags defined, it throws an error, which is fine. But now when I try to create a volume with any other tag (anything with a dynamic value), it creates the volume, which is unexpected.
This is the created IAM policy for the same:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateTaggedVolumes",
            "Effect": "Deny",
            "Action": "ec2:CreateVolume",
            "Resource": "arn:aws:ec2:us-east-1:axxxxxxxxxxx:volume/*",
            "Condition": {
                "ForAllValues:StringNotLike": {
                    "aws:RequestTag/empname": "*",
                    "aws:RequestTag/team": "*"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "empname",
                        "team"
                    ]
                }
            }
        }
    ]
}
Is there any way to restrict creating a volume to only when both these tags are used? It would be great if we could specify tag values to use as well.
There is a specific example of this in the AWS documentation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-manage-volumes-tags
It is based on an Allow rather than a Deny, and uses positive string matching rather than negative string matching. Is there any reason you want to use a Deny?
Using a Deny, you are saying:
If the user tries to create a volume, deny the action if (1) the tags "empname" and "team" are not included AND (2) if any tags specified are either "empname" or "team".
When you specify random tags, the first condition is satisfied, but the second one is not, so the Deny will not occur.
I think it would be much more logical and less confusing if you followed the AWS example and used Allow and positive string matching.
Otherwise, try changing the second condition to:
but I'm not actually sure if that would work.
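As an added example (not part of the original question or answer, and not copied from the AWS page linked above), here is a policy written the way the answer recommends: an Allow with positive matching, which requires the "empname" key with any value, restricts "team" to a fixed list of values, and permits no other tag keys. The account ID, region and the team values are placeholders chosen for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCreateVolumeOnlyWithRequiredTags",
      "Effect": "Allow",
      "Action": "ec2:CreateVolume",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:volume/*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/empname": "*"
        },
        "StringEquals": {
          "aws:RequestTag/team": ["platform", "data", "security"]
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["empname", "team"]
        }
      }
    },
    {
      "Sid": "AllowTaggingOnlyDuringCreateVolume",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:volume/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateVolume"
        }
      }
    }
  ]
}
```

Without the "ForAllValues" operator, "StringLike" and "StringEquals" evaluate to false when the request omits the key, so a request with no tags or with only unrelated tags is never allowed; the second statement is needed because tags supplied at creation time are applied through ec2:CreateTags, and the ec2:CreateAction condition limits that grant to tagging during volume creation. Because this is an Allow and not a Deny, it only has the intended effect if no other policy attached to the user grants ec2:CreateVolume without these conditions.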