We have an AWS user, who should be able to create different resources like SecurityGroups but not modify resources that are not part of its project. For this purpose we allow the creation of resources and let the user CreateTags his resources with a Project tag and a value of <user's team name here>. He should not be able to tag already tagged resources and so not the resources of other teams. (Every single resource is properly tagged here.)
I have created a policy with statement:
If I use the Policy Simulator by AWS, I am allowed to call CreateTags on a resource without a
If I simulate it with setting a Project tag, the action is denied just as expected.
Unfortunately, if I use the same actions from the AWS CLI with this policy, CreateTags is allowed every time, even if the tag is already set and even on foreign instances the user should not be able to modify:
as user with mentioned policy
aws ec2 create-security-group --group-name "test-sg" --description "test" # creation of a new resource
aws ec2 create-tags --resources sg-4a31513c --tags Key=Project,Value=web-performance # this should work, ResourceTag Project is Null
aws ec2 create-tags --resources sg-4a31513c --tags Key=Project,Value=web-performance # should *not* work, ResourceTag Project is already set and not Null
As you can see, it works both times and it works also on foreign Projects where the tag is already set.
I also tried it with
This behaves exactly like the "Null" Condition, even in the Policy Simulator.
Do you have any ideas? Thanks in advance.
Amazon EC2 has partial support for resource-level permissions. At the time of writing, the CreateTags action does not support resource-level permissions. You can see the list of actions that support resource-level permissions here.
You can verify this by changing your policy to specify StopInstances (which supports resource-level permissions) in place of CreateTags. Your IAM user will only be able to stop an EC2 instance if the instance does not have a Project tag. Alternatively, if you change the Null condition to false, then the IAM user will only be able to stop an EC2 instance if the instance does have a Project tag.
So, your policy will presumably be correct at some point in the future, when CreateTags supports resource-level permissions.
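The StopInstances check the answer proposes, written out as an added example policy (this is not the asker's policy, which is not shown on the page, nor anything from AWS documentation): the IAM user may stop an instance only while that instance carries no Project tag, because the Null condition on ec2:ResourceTag/Project evaluates to true exactly when the tag is absent. The policy name and the instance ARN pattern are assumptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StopOnlyUntaggedInstances",
      "Effect": "Allow",
      "Action": "ec2:StopInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "ec2:ResourceTag/Project": "true"
        }
      }
    }
  ]
}
```

Changing "true" to "false" gives the second behaviour the answer describes: stopping is allowed only for instances that already have a Project tag, which is the quickest way to confirm in the CLI that the condition key is actually being evaluated for that action.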