How do I create an IAM policy that will control access to groups of 5-10 Amazon EC2 instances using tags?

You can control access to smaller deployments of EC2 instances (5-10 instances at a time) by doing the following:

  1. Add a specific tag to the instances you want to grant the users or groups access to.
  2. Create an IAM policy that grants access to any instances with the specific tag.
  3. Attach the IAM policy to the users or groups you want to access the instances.

Add a tag to your group of EC2 instances

Open the Amazon EC2 console and add tags to the group of EC2 instances that you want the users or groups to be able to access. If you don't have a tag already, create a new tag.

Note: Be sure to read and understand the Tag Restrictions before tagging your resources. EC2 tags are case-sensitive.

Create an IAM policy that grants access to instances with the specific tag

Create an IAM policy that does the following:

  • Allows actions on the instances that carry the tag.
  • Contains a condition that grants access to an EC2 resource only when the value of its ec2:ResourceTag/UserName tag matches the aws:username policy variable (the name of the IAM user making the request).
  • Allows access to the ec2:Describe* actions for all EC2 resources, so users can list instances even if they cannot control them.
  • Explicitly denies access to the ec2:CreateTags and ec2:DeleteTags actions to prevent users from creating or deleting tags.
    Note: Without this deny, a user could take control of any EC2 instance by adding the specific tag to it themselves. An explicit deny always overrides an allow.

For example, the finished policy should look similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/UserName": "${aws:username}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags"
            ],
            "Resource": "*"
        }
    ]
}
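To see how the three statements combine for a given user and instance, here is an added example (not part of this article and not AWS code) that models the policy's evaluation in Python. The evaluator is a simplified stand-in for IAM that handles only the pieces this policy uses (wildcard actions, StringEquals on resource tags, ${aws:username} substitution, explicit deny overriding allow); the instances and user names are constructed sample data.

```python
import fnmatch

# The tag-scoped policy from this article, as a Python structure.
POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/UserName": "${aws:username}"}}},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Resource": "*"},
    ]
}

def _matches_action(pattern, action):
    # IAM action names are matched case-insensitively; '*' is a wildcard.
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _condition_holds(condition, username, instance_tags):
    # Only StringEquals on ec2:ResourceTag/<Key> is modelled. Tag values are
    # compared exactly, so a case mismatch in the tag value fails the condition.
    prefix = "ec2:ResourceTag/"
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith(prefix):
            return False
        expected = expected.replace("${aws:username}", username)
        if instance_tags.get(key[len(prefix):]) != expected:
            return False
    return True

def is_allowed(policy, username, action, instance_tags):
    """Simplified IAM logic: a matching explicit Deny wins; otherwise any
    matching Allow grants access; otherwise access is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches_action(stmt["Action"], action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), username, instance_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def demo():
    # Constructed sample instances: each carries the UserName tag of its owner.
    alice_box = {"Name": "web-1", "UserName": "alice"}
    bob_box = {"Name": "web-2", "UserName": "bob"}
    return {
        "own_stop": is_allowed(POLICY, "alice", "ec2:StopInstances", alice_box),
        "other_stop": is_allowed(POLICY, "alice", "ec2:StopInstances", bob_box),
        "describe_any": is_allowed(POLICY, "alice", "ec2:DescribeInstances", bob_box),
        "retag_own": is_allowed(POLICY, "alice", "ec2:CreateTags", alice_box),
        "case_mismatch": is_allowed(POLICY, "Alice", "ec2:StopInstances", alice_box),
    }
```

Running demo() shows the user can stop only instances tagged with her own name, can describe any instance, is denied CreateTags even on her own instance because the explicit deny wins, and gets nothing if the tag value differs in case from her user name.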

Attach the IAM policy to the users or groups you want to access the instances

Finally, attach the IAM policy you created to the users or groups that should have access to the instances. You can attach the IAM policy using the AWS Management Console, the AWS CLI, or the AWS API.


Published: 2015-10-12

Updated: 2018-07-19