I am trying to setup an EC2 role to allow an instance to join a domain using the New-SSMAssociation powershell cmdlet. Does anyone know what the minimum permissions required to accomplish this are?
I've read the article here https://aws.amazon.com/premiumsupport/knowledge-center/ec2-systems-manager-dx-domain/ but the AmazonEC2RoleforSSM is being deprecated in favor of the AmazonSSMManagedInstanceCore policy however when using that policy in combination with the AmazonSSMDirectoryServiceAccess policy I get an error:
New-SSMAssociation : User: arn:aws:sts:::assumed-role/MyEC2Role/ is not
authorized to perform: ssm:CreateAssociation on resource:
arn:aws:ec2:us-east-1::instance/
The only way I have been able to get it to work is with ssm:*, however I would prefer not to do that if possible. The combined policy I am using is(without the ssm:*):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstanceStatus"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:CreateAssociation"
],
"Resource": "arn:aws:ssm:<region>:<account-id>:document/JoinDomain"
},
{
"Effect": "Allow",
"Action": [
"ds:CreateComputer",
"ds:DescribeDirectories"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:DescribeAssociation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:DescribeDocument",
"ssm:GetManifest",
"ssm:GetParameters",
"ssm:ListAssociations",
"ssm:ListInstanceAssociations",
"ssm:PutInventory",
"ssm:PutComplianceItems",
"ssm:PutConfigurePackageResult",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
],
"Resource": "*"
}
]
}
The appoach that worked in our environment.
Create a IAM Role that has
"Statement": [
{
"Sid": "SSMDocument",
"Effect": "Allow",
"Action": [
"ssm:CreateAssociation"
],
"Resource": [
"arn:aws:ec2:${AWS_REGION}:${AWS_ACCOUNT}:instance/*",
"arn:aws:ssm:${AWS_REGION}:${AWS_ACCOUNT}:document/${SSM_DOCUMENT_NAME}"
]
}
]
plus the pre-defined policies AmazonSSMDirectoryServiceAccess and AmazonSSMManagedInstanceCore
userdata as follows:
<powershell>
[Environment]::SetEnvironmentVariable("ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE", "true", "Machine")
[Environment]::SetEnvironmentVariable("ECS_ENABLE_CONTAINER_METADATA", "true", "Machine")
Import-Module ECSTools
Initialize-ECSAgent -Cluster '${ECS_CLUSTER_NAME}' -EnableTaskIAMRole
Set-DefaultAWSRegion -Region ${AWS_REGION}
Set-Variable -name instance_id -value (Invoke-Restmethod -uri http://169.254.169.254/latest/meta-data/instance-id)
New-SSMAssociation -Name "${SSM_DOCUMENT_NAME}" -Target #{Key="instanceids";Values=#($instance_id)}
</powershell>
terraform code fragment for SSM Document
data "aws_directory_service_directory" "domain_controller" {
directory_id = var.directory_id
}
data "template_file" "userdata" {
template = file("${path.module}/files/userdata.ps1")
vars = {
SSM_DOCUMENT_NAME = aws_ssm_document.ad_join_domain.name
AWS_REGION = var.region
ECS_CLUSTER_NAME = local.cluster_name
}
}
resource "aws_ssm_document" "ad_join_domain" {
name = "${var.environment}-ad-join-domain"
document_type = "Command"
content = jsonencode(
{
"schemaVersion" = "2.2"
"description" = "join aws directory services domain"
"mainSteps" = [
{
"action" = "aws:domainJoin",
"name" = "domainJoin",
"inputs" = {
"directoryId" : data.aws_directory_service_directory.domain_controller.id,
"directoryName" : data.aws_directory_service_directory.domain_controller.name
"dnsIpAddresses" : sort(data.aws_directory_service_directory.domain_controller.dns_ip_addresses)
}
}
]
}
)
tags = {
environment = var.environment
}
}
Related
I am trying to implement an AWS tagging policy at the AWS Organization level.
This will cover many AWS services but the immediate issue is related to EC2.
This policy results in an error when I try to use the AWS CLI command : ec2 run-instance.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyResourceCreationSCP",
"Effect": "Deny",
"Action": [
"ec2:Create*",
"ec2:Run*",
"elasticfilesystem:Create*",
],
"Resource": [
"*"
],
"Condition": {
"Null": {
"aws:RequestTag/project": "true"
}
}
}
]
}
However this policy succeeds.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyResourceCreationSCP",
"Effect": "Deny",
"Action": [
"ec2:Create*",
"elasticfilesystem:Create*",
],
"Resource": [
"*"
],
"Condition": {
"Null": {
"aws:RequestTag/project": "true"
}
}
},
{
"Sid": "DenyResourceCreationSCPEC2",
"Effect": "Deny",
"Action": [
"ec2:RunInstance"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*"
],
"Condition": {
"Null": {
"aws:RequestTag/project": "true"
}
}
}
]
}
Can someone explain please why the resource condition for "*" full wildcard does not work for ECS2 RunInstance?
Why does the volume,instance,security-group-network-interface resource type need to be explicit?
Thanks
I'm trying to create a job in AWS Glue using the Windows AWS Client and I'm receiving that I'm not authorized to perform: iam:PassRole as you can see:
Console>aws glue create-job --name "aws_glue_test" --role "My_Role" --command "Name=glueetlpythonshell,ScriptLocation=s3://mys3bucket/jobs/aws_glue_test.py,PythonVersion=3"
An error occurred (AccessDeniedException) when calling the CreateJob operation: User: arn:aws:iam::1111:user/My_User is not authorized to perform: iam:PassRole on resource: arn:aws:iam::1111:role/My_Role because no identity-based policy allows the iam:PassRole action
The configuration in AWS is set by using Terraform, something like this:
resource "aws_s3_bucket" "mys3bucket" {
bucket = "mys3bucket"
tags = {
Name = "mys3bucket"
ITOwnerEmail = "my#email.com"
}
}
resource "aws_s3_bucket_acl" "mys3bucket_acl" {
bucket = aws_s3_bucket.mys3bucket.id
acl = "private"
}
#=========IAM user======#
resource "aws_iam_user" "My_User" {
name = "My_User "
path = "/"
}
resource "aws_iam_user_policy" "My_User-p" {
name = "My_User-p"
user = "My_User"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::mys3bucket"
},
{
"Action": "glue:*",
"Effect": "Allow",
"Resource": "*"
},
#-- THIS IS THE SOLUTION -- #
{
"Action":[
"iam:GetRole",
"iam:PassRole"
],
"Effect":"Allow",
"Resource": "*"
}
]
}
EOF
}
#===========S3-Bucket-policy=======#
resource "aws_s3_bucket_policy" "mys3bucket-p" {
bucket = aws_s3_bucket.mys3bucket.id
policy = <<POLICY
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1111:user/My_User"
},
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::mys3bucket/*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1111:user/My_User"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::mys3bucket"
}
]
}
POLICY
}
#===========Glue-policy=======#
resource "aws_iam_role" "My_Role" {
name = "My_Role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": [
"ec2.amazonaws.com",
"glue.amazonaws.com"
]
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
### Attach policy to above Role ###
resource "aws_iam_role_policy_attachment" "My_Role_GlueService_attach" {
role = aws_iam_role.My_Role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"
}
#===========IAM-Pass-Role=======#
resource "aws_iam_policy" "My_IAMPass_policy" {
name = "My_IAMPass_policy"
description = "IAM Pass Role Policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:PassRole"
],
"Resource": "arn:aws:iam::1111:role/My_Role"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "My_IAMPass_attach" {
role = aws_iam_role.My_Role.name
policy_arn = aws_iam_policy.My_IAMPass_policy.arn
}
I tried to attach IAM Pass Role but it still failing and I don't know why.
Any help is welcomed. Thank you in advance
SOLUTION: Added in the Code.
You need to add iam:PassRole action to the policy of the IAM user that is being used to create-job. Something like:
{
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::1111:role/My_Role"
],
"Condition": {
"StringLike": {
"iam:PassedToService": [
"glue.amazonaws.com"
]
}
}
}
I want to add source_account in lambda resource-based policy condition. So I am executing below terraform code.
data "aws_caller_identity" "current" {
# Retrieves information about the AWS account corresponding to the
# access key being used to run Terraform, which we need to populate
# the "source_account" on the permission resource.
}
resource "aws_lambda_permission" "example" {
statement_id = "AllowExecutionFromS3Bucket"
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.example.arn}"
principal = "s3.amazonaws.com"
source_account = "${data.aws_caller_identity.current.account_id}"
source_arn = "${aws_s3_bucket.example.arn}"
}
after applying terraform changes and doing plan I am unable to get (this is desired but not getting for S3)
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "lambda-8433be2d-00f7-48dc-9296-7c432662f91e",
"Effect": "Allow",
"Principal": {
"Service": "logs.us-east-1.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:us-east-1:xxxxxxxxxxxx:function:yyyyyyyyyyyy",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "xxxxxxxxxxxx"
},
"ArnLike": {
"AWS:SourceArn": "arn:aws:logs:us-east-1:xxxxxxxxxxxx:log-group:/aws/lambda/lambda_handler:*"
}
}
}
]
}
I have tried many ways I am not getting any clue.
afer doing terraform plan i am getting below output :
module.environment.aws_lambda_permission.xxxxxxxxxxxx: Creating...
action: "" => "lambda:InvokeFunction"
function_name: "" => "arn:aws:lambda:us-east-1:yyyyyyyyyyyyyy:function:xxxxxxxxxxxx"
principal: "" => "s3.amazonaws.com"
source_arn: "" => "arn:aws:s3:::xxxxxxxxxxxx"
statement_id: "" => "AllowExecutionFromS3Bucket"
I am getting like this :
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "AllowExecutionFromS3Bucket",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:us-east-1:yyyyyyyyyy:function:xxxxxxxxxx",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:s3:::xxxxxxxxxx"
}
}
}
]
}
I am able to add conditions using AWS CLI .
I am not using the root account. Someone please help me.
You just need to add source_account
resource "aws_lambda_permission" "allow_bucket" {
statement_id = "AllowExecutionFromS3Bucket"
action = "lambda:InvokeFunction"
function_name = "arn:aws:lambda:us-east-1:123456789123:function:mylambda"
principal = "s3.amazonaws.com"
source_account = "123456789123"
source_arn = "arn:aws:s3:::my-bucket"
}
will create
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "AllowExecutionFromS3Bucket",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:us-east-1:123456789123:function:mylambda",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "123456789123"
},
"ArnLike": {
"AWS:SourceArn": "arn:aws:s3:::my-bucket"
}
}
}
]
}
I'm trying to create a pipeline to deploy on Beanstalk but I constantly get an error in the deploy section of the pipeline:
Insufficient permissions
The provided role does not have sufficient permissions to access
Elastic Beanstalk: Access Denied
What am I missing?
/************************************************
* Code Build
***********************************************/
resource "aws_codebuild_project" "project-name-codebuild" {
name = "${var.project}-codebuild"
build_timeout = "15"
service_role = "${aws_iam_role.project-name-codebuild-role.arn}"
artifacts {
type = "CODEPIPELINE"
}
environment {
compute_type = "BUILD_GENERAL1_SMALL"
type = "LINUX_CONTAINER"
image = "aws/codebuild/java:openjdk-8"
}
source {
type = "CODEPIPELINE"
}
tags {
Name = "${var.project}"
Environment = "${var.environment}"
}
}
resource "aws_ecr_repository" "project-name-ecr-repository" {
name = "${var.project}-ecr-repository"
}
resource "aws_iam_role" "project-name-codebuild-role" {
name = "${var.project}-codebuild-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "codebuild.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_role_policy" "project-name-codebuild-role-policy" {
role = "${aws_iam_role.project-name-codebuild-role.id}"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
}
]
}
POLICY
}
resource "aws_iam_role_policy_attachment" "project-name-codebuild-role-policy-bucket" {
policy_arn = "${aws_iam_policy.project-name-code-pipeline-bucket-access.arn}"
role = "${aws_iam_role.project-name-codebuild-role.name}"
}
/************************************************
* Code Pipeline
***********************************************/
resource "aws_codepipeline" "project-name-code-pipeline" {
name = "${var.project}-code-pipeline"
role_arn = "${aws_iam_role.project-name-code-pipeline-role.arn}"
artifact_store {
location = "${aws_s3_bucket.project-name-code-pipeline-bucket.bucket}"
type = "S3"
}
stage {
name = "Source"
action {
name = "Source"
category = "Source"
owner = "ThirdParty"
provider = "GitHub"
version = "1"
output_artifacts = [
"source"]
configuration {
Owner = "Owner"
Repo = "project-name"
Branch = "master"
OAuthToken = "${var.github-token}"
}
}
}
stage {
name = "Build-Everything"
action {
name = "Build"
category = "Build"
owner = "AWS"
provider = "CodeBuild"
input_artifacts = [
"source"]
output_artifacts = [
"build"]
version = "1"
configuration {
ProjectName = "${aws_codebuild_project.project-name-codebuild.name}"
}
}
}
stage {
name = "Deploy"
action {
name = "Deploy"
category = "Deploy"
owner = "AWS"
provider = "ElasticBeanstalk"
input_artifacts = [
"build"]
version = "1"
configuration {
ApplicationName = "${aws_elastic_beanstalk_application.project-name.name}"
EnvironmentName = "${aws_elastic_beanstalk_environment.project-name-environment.name}"
}
}
}
}
resource "aws_s3_bucket" "project-name-code-pipeline-bucket" {
bucket = "${var.project}-code-pipeline-bucket"
acl = "private"
}
resource "aws_iam_policy" "project-name-code-pipeline-bucket-access" {
name = "${var.project}-code-pipeline-bucket-access"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect":"Allow",
"Resource": [
"${aws_s3_bucket.project-name-code-pipeline-bucket.arn}",
"${aws_s3_bucket.project-name-code-pipeline-bucket.arn}/*"
],
"Action": [
"s3:CreateBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetLifecycleConfiguration",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectTagging",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionTorrent",
"s3:GetReplicationConfiguration",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListMultipartUploadParts",
"s3:PutObject"
]
}
]
}
POLICY
}
resource "aws_iam_role" "project-name-code-pipeline-role" {
name = "${var.project}-code-pipeline-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "codepipeline.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_role_policy" "project-name-code-pipeline-role-policy" {
name = "${var.project}-code-pipeline-role-policy"
role = "${aws_iam_role.project-name-code-pipeline-role.id}"
policy = <<EOF
{
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketVersioning"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::codepipeline*",
"arn:aws:s3:::elasticbeanstalk*"
],
"Effect": "Allow"
},
{
"Action": [
"codedeploy:CreateDeployment",
"codedeploy:GetApplicationRevision",
"codedeploy:GetDeployment",
"codedeploy:GetDeploymentConfig",
"codedeploy:RegisterApplicationRevision"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:DescribeApplicationVersions",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeEvents",
"elasticbeanstalk:UpdateEnvironment",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeScalingActivities",
"autoscaling:ResumeProcesses",
"autoscaling:SuspendProcesses",
"cloudformation:GetTemplate",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStacks",
"cloudformation:UpdateStack",
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:DescribeAddresses",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeKeyPairs",
"elasticloadbalancing:DescribeLoadBalancers",
"rds:DescribeDBInstances",
"rds:DescribeOrderableDBInstanceOptions",
"sns:ListSubscriptionsByTopic"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"lambda:invokefunction",
"lambda:listfunctions"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket",
"s3:GetBucketPolicy",
"s3:GetObjectAcl",
"s3:PutObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::elasticbeanstalk*",
"Effect": "Allow"
}
],
"Version": "2012-10-17"
}
EOF
}
resource "aws_iam_role_policy_attachment" "project-name-code-pipeline-role-policy-attachment" {
policy_arn = "${aws_iam_policy.project-name-code-pipeline-bucket-access.arn}"
role = "${aws_iam_role.project-name-code-pipeline-role.name}"
}
Came across the same problem,
the issue is that you need to enable s3 access to "arn:aws:s3:::elasticbeanstalk*"
Agree that error message is kind of obscure
I would suggest checking these things to debug:
Did the template create the resources you were expecting?
Does the pipeline role have the right policy attached to it? You can run aws codepipeline get-pipeline to get the pipeline's ARN, and use the IAM console to check that the policy is what you expect.
Are you missing some elastic beanstalk permissions in the policy? I'm not sure you are, but try to change the policy to "elasticbeanstalk:*".
Try to assume the pipeline's role in the console, and try to deploy the elastic beanstalk instance, see if you get any more detailed information from the elastic beanstalk console.
This is the policy I was trying to allow creation of instances only when it has tags costcenter and dept with values 115 and prod .but when I test it the instance getting created even with out these tags
{
"Sid": "AllowTaggedInstances",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1:729964090428:instance/*",
"Condition": {
"StringEquals": {
"aws:RequestTag/costcenter": "115",
"aws:RequestTag/dept": "prod"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"costcenter",
"dept"
]
}
}
},
The policy that you showed, does not have enough permissions to create an instance. This means that you have another policy or role that is overriding this one.
In your policy replace the word "RequestTag" with "ResourceTag".
Note: The best policies using conditions do not use "allow if this" but instead use "deny if NOT this". A deny will override all allows.
Here is a link to help you with ResourceTags:
EC2 Resource Tags
Your policy is not enough permission and policies to restrict.
If you want to allow user to create new instance with tags costcenter:115 and dept:prod, try below policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:GetConsole*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:region::image/*",
"arn:aws:ec2:region:account:subnet/*",
"arn:aws:ec2:region:account:network-interface/*",
"arn:aws:ec2:region:account:security-group/*",
"arn:aws:ec2:region:account:key-pair/*"
]
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:region:account:instance/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/costcenter": "115",
"aws:RequestTag/dept": "prod"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"costcenter",
"dept"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:region:account:*/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "RunInstances"
}
}
}
]
}