EC2: Start or stop instances based on matching principal and resource tags - AWS Identity and Access Management

EC2: Start or stop instances based on matching principal and resource tags

This example shows how you might create an identity-based policy that allows a principal to start or stop an Amazon EC2 instance when the instance's resource tag and the principal's tag have the same value for the tag key CostCenter. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the italicized placeholder text in the example policy with your own information. Then, follow the directions in create a policy or edit a policy.

Note

As a best practice, attach policies with the aws:PrincipalTag condition key to IAM groups, for the case where some users might have the specified tag and some might not.

{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "ec2:startInstances", "ec2:stopInstances" ], "Resource": "*", "Condition": {"StringEquals": {"aws:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"}} } }