EC2: Start or stop instances based on matching principal and resource tags
This example shows how you might create an identity-based policy that allows a principal to start or stop an Amazon EC2 instance when the
instance's resource tag and the principal's tag have the same value for the tag key
CostCenter
. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the italicized placeholder text
in the example policy with your own information.
Then, follow the directions in create a policy or edit a policy.
Note
As a best practice, attach policies with the aws:PrincipalTag
condition
key to IAM groups, for the case where some users might have the specified tag and some
might not.
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "ec2:startInstances", "ec2:stopInstances" ], "Resource": "*", "Condition": {"StringEquals": {"aws:ResourceTag/CostCenter": "${aws:PrincipalTag/
CostCenter
}"}} } }