IAM policy for controlling EC2 with specific tags
Let users manage only the EC2 instances they own
Currently, the EC2:DESCRIBE* IAM actions ‘do not support resource-level permissions’, which makes it difficult to have a ‘filter on EC2 instances based on who created them’.
(See: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html)
However, we can prevent users from terminating, stopping or starting EC2 instances which are not tagged to them. (See the IAM policy below.)
Step 1: Use the approach described in this blog post to achieve something similar to what you are looking for (tagging instances at start-up):
(See: https://blogs.aws.amazon.com/net/post/Tx2CCTE5QGSFDUW/Tagging-Amazon-EC2-Instances-at-Launch)
Step 2: Limit who can stop/terminate/start the instance.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StmtAllowDescribeOnEC2",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AllowModifyForEc2OwnerTagOnly",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:ap-southeast-1:1234567890:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/ec2_owner": "${aws:username}"
                }
            }
        }
    ]
}
Here ec2_owner is the name of the tag that has to be mandated when the instance is created, whether via the EC2 management APIs or the CLI.
Or, you can be a bit stricter and write logic inside the EC2 instance which checks ‘Do I have an ec2_owner tag on me? If not, terminate myself.’
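To see what this policy actually decides per user and per instance, here is an added Python example (not part of the answer above and not AWS tooling) that embeds the policy verbatim and evaluates it against a constructed inventory of tagged and untagged instances using a deliberately simplified IAM evaluator. The instance IDs, user names and the `decide`/`audit` helpers are assumptions of this example. It models only what the policy uses (Allow statements, `*` wildcards, `StringEquals` and the `${aws:username}` variable); the real IAM engine has many more rules, so treat it as an illustration of the tag condition, not a replacement for the IAM policy simulator.

```python
import fnmatch
import json

# The policy from the answer above, embedded verbatim so the script runs offline.
POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StmtAllowDescribeOnEC2",
            "Effect": "Allow",
            "Action": ["ec2:Describe*"],
            "Resource": ["*"]
        },
        {
            "Sid": "AllowModifyForEc2OwnerTagOnly",
            "Effect": "Allow",
            "Action": ["ec2:TerminateInstances", "ec2:StopInstances", "ec2:StartInstances"],
            "Resource": "arn:aws:ec2:ap-southeast-1:1234567890:instance/*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/ec2_owner": "${aws:username}"}}
        }
    ]
}
""")

# Constructed sample inventory (assumption of this example): instance id -> tags.
INSTANCES = {
    "i-0aaa11111111111111": {"ec2_owner": "alice"},
    "i-0bbb22222222222222": {"ec2_owner": "bob"},
    "i-0ccc33333333333333": {},  # launched without the mandated ec2_owner tag
}
# Same region/account as the policy's Resource ARN.
INSTANCE_ARN_PREFIX = "arn:aws:ec2:ap-southeast-1:1234567890:instance/"


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match; action names are case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_ok(condition, context):
    """Evaluate the subset of condition operators this policy uses (StringEquals only).
    A condition key missing from the request context makes StringEquals fail,
    which is also how IAM treats a missing tag."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError("operator not modelled: " + operator)
        for key, expected in pairs.items():
            expected = expected.replace("${aws:username}", context["aws:username"])
            if context.get(key) != expected:
                return False
    return True


def is_allowed(policy, action, resource_arn, context):
    """Return True if some Allow statement matches action, resource and condition.
    The policy above has no explicit Deny, so anything unmatched is implicitly denied."""
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Allow":
            return True
    return False


def decide(user, action, instance_id):
    """Build the request context IAM would see for `user` acting on `instance_id`
    and evaluate the policy: the instance's tags become ec2:ResourceTag/* keys."""
    tags = INSTANCES[instance_id]
    context = {"aws:username": user}
    if "ec2_owner" in tags:
        context["ec2:ResourceTag/ec2_owner"] = tags["ec2_owner"]
    return is_allowed(POLICY, action, INSTANCE_ARN_PREFIX + instance_id, context)


def audit(user, action="ec2:StopInstances"):
    """Map every instance to whether `user` may perform `action` on it."""
    return {iid: decide(user, action, iid) for iid in INSTANCES}


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "can stop:", [i for i, ok in audit(user).items() if ok])
    print("alice can describe bob's instance:",
          decide("alice", "ec2:DescribeInstances", "i-0bbb22222222222222"))
    print("alice can retag her own instance:",
          decide("alice", "ec2:CreateTags", "i-0aaa11111111111111"))
```

Note what the audit shows: each user can start, stop or terminate only the instances whose ec2_owner tag equals their IAM user name; the untagged instance cannot be stopped by anyone under this policy (a missing condition key fails StringEquals, which is why the tag has to be mandated at launch); Describe stays open to everyone because it carries no condition; and ec2:CreateTags is not granted at all, so a user holding only this policy cannot change the tag that scopes their own access.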