Controlling access to EC2 resources using resource tags - Amazon Elastic Compute Cloud

Controlling access to EC2 resources using resource tags

When you create an IAM policy that grants IAM users permission to use EC2 resources, you can include tag information in the Condition element of the policy to control access based on tags. This gives you better control over which EC2 resources a user can modify, use, or delete.

For example, you can create a policy that allows users to terminate an instance but denies the action if the instance has the tag environment=production. To do this, you use the ec2:ResourceTag condition key to allow or deny access to the resource based on the tags that are attached to the resource.

"StringEquals": { "ec2:ResourceTag/environment": "production" }

To learn whether an Amazon EC2 API action supports controlling access using the ec2:ResourceTag condition key, see Actions, Resources, and Condition Keys for Amazon EC2 in the IAM User Guide. Note that the Describe actions do not support resource-level permissions, and therefore you must specify them in a separate statement without conditions.

For example IAM policies, see Example policies for working with the AWS CLI or an AWS SDK.

Note

If you allow or deny users access to resources based on tags, you must consider explicitly denying users the ability to add those tags to or remove them from the same resources. Otherwise, it's possible for a user to circumvent your restrictions and gain access to a resource by modifying its tags.
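Putting the pieces above together, here is an added example (not from the AWS documentation): a policy that allows terminating instances, explicitly denies the action when the instance carries environment=production, grants the Describe action in its own unconditioned statement, and denies tag changes on those same production instances so the restriction cannot be bypassed by retagging. The account id 111122223333 is a placeholder, and the small evaluator models only the StringEquals / ec2:ResourceTag condition used here, not the full IAM evaluation logic.

```python
import json

# Constructed policy document; the account id is a placeholder.
INSTANCE_ARN = "arn:aws:ec2:*:111122223333:instance/*"
PROD_COND = {"StringEquals": {"ec2:ResourceTag/environment": "production"}}

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Describe actions have no resource-level permissions: separate, unconditioned.
        {"Sid": "DescribeInstances", "Effect": "Allow",
         "Action": "ec2:DescribeInstances", "Resource": "*"},
        {"Sid": "AllowTerminate", "Effect": "Allow",
         "Action": "ec2:TerminateInstances", "Resource": INSTANCE_ARN},
        # Explicit deny wins over the allow above when the tag matches.
        {"Sid": "DenyTerminateProduction", "Effect": "Deny",
         "Action": "ec2:TerminateInstances", "Resource": INSTANCE_ARN,
         "Condition": PROD_COND},
        # Close the bypass: users must not be able to add, change or remove
        # the tag on production instances (CreateTags overwrites existing values).
        {"Sid": "DenyRetagProduction", "Effect": "Deny",
         "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Resource": INSTANCE_ARN,
         "Condition": PROD_COND},
    ],
}


def policy_json() -> str:
    """Render the policy as the JSON you would attach to a user, group or role."""
    return json.dumps(POLICY, indent=2)


def is_allowed(policy: dict, action: str, tags: dict) -> bool:
    """Toy evaluator for this policy shape: a matching explicit Deny always wins;
    otherwise the action is allowed only if some matching Allow names it.
    Only StringEquals on ec2:ResourceTag/<key> is modelled."""
    allowed = False
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if action not in actions:
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        # ec2:ResourceTag/<key> compares against the tag value on the resource.
        if not all(tags.get(k.split("/", 1)[1]) == v for k, v in cond.items()):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```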