How to give tag-based access to an IAM user group in AWS?

This question is for AWS and I am looking for a custom policy to be created. I have a group called IOT-grp and there are a few instances which are tagged as IOT (the key is Environment and the value is IOT). I am looking to fulfill two requirements.

1. I want a policy created which allows any user who is part of the IOT group to start/stop/reboot only the instances which are tagged as IOT.

2. Along with that, any user in the IOT group should be able to terminate instances (only IOT instances) and create new instances (for IOT only). There are different security groups for the IOT, Prod and QA instances.

Regards

1 answer

  • answered 2017-06-17 19:55 John Rotenstein

    Start by reading about Restricting users to tagged instances on Demystifying EC2 Resource-Level Permissions. It gives the example:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TheseActionsSupportResourceLevelPermissionsWithInstancesAndTags",
                "Effect": "Allow",
                "Action": [
                    "ec2:TerminateInstances",
                    "ec2:StopInstances",
                    "ec2:StartInstances"],
                "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
                "Condition": {
                    "StringEquals": {"ec2:ResourceTag/Environment": "Prod"}
                }
            }
        ]
    }
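A complete policy covering both requirements in the question, as an added example that is not part of the original answer or of the linked article. It extends the article's tag-based pattern with the documented tag-on-create conditions (`aws:RequestTag` on `ec2:RunInstances` and `ec2:CreateAction` on `ec2:CreateTags`). The region `us-east-1`, the account ID `123456789012`, the `Sid` names, and the assumption that the IOT security groups themselves carry the tag `Environment=IOT` are all assumptions made here, not facts from the page:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListInstancesAndRelatedResources",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "ManageOnlyInstancesTaggedIot",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/Environment": "IOT"}
      }
    },
    {
      "Sid": "LaunchOnlyInstancesTaggedIotAtCreation",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {"aws:RequestTag/Environment": "IOT"}
      }
    },
    {
      "Sid": "LaunchOnlyWithSecurityGroupsTaggedIot",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:security-group/*",
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/Environment": "IOT"}
      }
    },
    {
      "Sid": "LaunchSupportingResources",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1::image/ami-*",
        "arn:aws:ec2:us-east-1:123456789012:volume/*",
        "arn:aws:ec2:us-east-1:123456789012:subnet/*",
        "arn:aws:ec2:us-east-1:123456789012:network-interface/*",
        "arn:aws:ec2:us-east-1:123456789012:key-pair/*"
      ]
    },
    {
      "Sid": "TagOnlyWhileLaunching",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": [
        "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "arn:aws:ec2:us-east-1:123456789012:volume/*"
      ],
      "Condition": {
        "StringEquals": {"ec2:CreateAction": "RunInstances"}
      }
    }
  ]
}
```

Attach this as a customer-managed policy to the IOT-grp group. Three points matter in practice. First, `ec2:RunInstances` is authorized against every resource in the launch request, so a launch only succeeds when the instance is tagged `Environment=IOT` in the request itself (for example `--tag-specifications 'ResourceType=instance,Tags=[{Key=Environment,Value=IOT}]'` with the CLI) and every security group in the request carries that tag; a launch that names a Prod or QA security group is denied. Second, the `ec2:CreateTags` grant is deliberately limited to `ec2:CreateAction = RunInstances`: if group members also held an unconditional `ec2:CreateTags` or `ec2:DeleteTags`, they could retag a Prod instance as IOT and then stop or terminate it, which defeats the whole scheme. Third, the conditions only restrict the listed actions; anything not covered here (modifying instance attributes, attaching volumes, and so on) stays denied by default. The IAM policy simulator is the quickest way to confirm that a user in the group is denied `ec2:StopInstances` on an instance whose `Environment` tag is `Prod`.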