This document discusses limiting Amazon EC2 instance types that a user can start. It provides an example policy that attempts to limit starting an EC2 instance except for t2.* instance types. The policy would be created as a managed policy and attached to an IAM user. Then the expected behavior is demonstrated.
3. Limit Amazon EC2 instance types
Demo
• Goal: Limit a user from starting an instance unless the
instance is t2.*
• L
– Create a managed policy that attempts to limit starting an EC2
instance except for these instance types.
– Attach that policy to an IAM user.
6. What to expect from this session
Learn the policy language to control access to your
AWS resources
Understand the different types of policies, why to use
them, and how they work together
Get to know the tools available to help you with
policies
Become a policy ninja!
11. Principal: Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)
Principal
Action
Resource
Condition
12. Principal: Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
Principal
Action
Resource
Condition
13. Principal: Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}
Principal
Action
Resource
Condition
14. Principal: Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}
<!-- Individual IAM user -->
"Principal":"AWS":"arn:aws:iam::123456789012:user/username"
Principal
Action
Resource
Condition
15. Principal: Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}
<!-- Individual IAM user -->
"Principal":"AWS":"arn:aws:iam::123456789012:user/username"
<!-- Federated user (using web identity federation) -->
"Principal":{"Federated":"accounts.google.com"}
Principal
Action
Resource
Condition
16. Principal: Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}
<!-- Individual IAM user -->
"Principal":"AWS":"arn:aws:iam::123456789012:user/username"
<!-- Federated user (using web identity federation) -->
"Principal":{"Federated":"accounts.google.com"}
<!-- Specific role -->
"Principal":{"AWS":"arn:aws:iam::123456789012:role/rolename"}
Principal
Action
Resource
Condition
17. Principal: Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}
<!-- Individual IAM user -->
"Principal":"AWS":"arn:aws:iam::123456789012:user/username"
<!-- Federated user (using web identity federation) -->
"Principal":{"Federated":"accounts.google.com"}
<!-- Specific role -->
"Principal":{"AWS":"arn:aws:iam::123456789012:role/rolename"}
<!-- Specific service -->
"Principal":{"Service":"ec2.amazonaws.com"}
Principal
Action
Resource
Condition
18. Principal: Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}
<!-- Individual IAM user -->
"Principal":"AWS":"arn:aws:iam::123456789012:user/username"
<!-- Federated user (using web identity federation) -->
"Principal":{"Federated":"accounts.google.com"}
<!-- Specific role -->
"Principal":{"AWS":"arn:aws:iam::123456789012:role/rolename"}
<!-- Specific service -->
"Principal":{"Service":"ec2.amazonaws.com"}
Replace
with your
account
number
Principal
Action
Resource
Condition
19. Action: Examples
• Describes the type of access that should be allowed or denied
• You can find actions in the docs or use the policy editor to get a drop-down list
• Statements must include either an Action or NotAction element
Principal
Action
Resource
Condition
20. Action: Examples
• Describes the type of access that should be allowed or denied
• You can find actions in the docs or use the policy editor to get a drop-down list
• Statements must include either an Action or NotAction element
<!-- EC2 action -->
"Action":"ec2:StartInstances"
Principal
Action
Resource
Condition
21. Action: Examples
• Describes the type of access that should be allowed or denied
• You can find actions in the docs or use the policy editor to get a drop-down list
• Statements must include either an Action or NotAction element
<!-- EC2 action -->
"Action":"ec2:StartInstances"
<!-- IAM action -->
"Action":"iam:ChangePassword"
Principal
Action
Resource
Condition
22. Action: Examples
• Describes the type of access that should be allowed or denied
• You can find actions in the docs or use the policy editor to get a drop-down list
• Statements must include either an Action or NotAction element
<!-- EC2 action -->
"Action":"ec2:StartInstances"
<!-- IAM action -->
"Action":"iam:ChangePassword"
<!– Amazon S3 action -->
"Action":"s3:GetObject"
Principal
Action
Resource
Condition
23. Action: Examples
• Describes the type of access that should be allowed or denied
• You can find actions in the docs or use the policy editor to get a drop-down list
• Statements must include either an Action or NotAction element
<!-- EC2 action -->
"Action":"ec2:StartInstances"
<!-- IAM action -->
"Action":"iam:ChangePassword"
<!– Amazon S3 action -->
"Action":"s3:GetObject"
<!-- Specify multiple values for the Action element-->
"Action":["sqs:SendMessage","sqs:ReceiveMessage"]
Principal
Action
Resource
Condition
24. Action: Examples
• Describes the type of access that should be allowed or denied
• You can find actions in the docs or use the policy editor to get a drop-down list
• Statements must include either an Action or NotAction element
<!-- EC2 action -->
"Action":"ec2:StartInstances"
<!-- IAM action -->
"Action":"iam:ChangePassword"
<!– Amazon S3 action -->
"Action":"s3:GetObject"
<!-- Specify multiple values for the Action element-->
"Action":["sqs:SendMessage","sqs:ReceiveMessage"]
<-- Wildcards (* or ?) in the action name. Below covers create/delete/list/update-->
"Action":"iam:*AccessKey*"
Principal
Action
Resource
Condition
25. Resource: Examples
• The object or objects being requested
• Statements must include either a Resource or a NotResource element
Principal
Action
Resource
Condition
26. Resource: Examples
• The object or objects being requested
• Statements must include either a Resource or a NotResource element
<-- S3 bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket/*"
Principal
Action
Resource
Condition
27. Resource: Examples
• The object or objects being requested
• Statements must include either a Resource or a NotResource element
<-- S3 bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket/*"
<-- All S3 buckets, except this one -->
"NotResource":"arn:aws:s3:::security_logging_bucket/*"
Principal
Action
Resource
Condition
28. Resource: Examples
• The object or objects being requested
• Statements must include either a Resource or a NotResource element
<-- S3 bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket/*"
<-- All S3 buckets, except this one -->
"NotResource":"arn:aws:s3:::security_logging_bucket/*"
<-- Amazon SQS queue-->
"Resource":"arn:aws:sqs:us-west-2:123456789012:queue1"
Principal
Action
Resource
Condition
29. Resource: Examples
• The object or objects being requested
• Statements must include either a Resource or a NotResource element
<-- S3 bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket/*"
<-- All S3 buckets, except this one -->
"NotResource":"arn:aws:s3:::security_logging_bucket/*"
<-- Amazon SQS queue-->
"Resource":"arn:aws:sqs:us-west-2:123456789012:queue1"
<-- Multiple Amazon DynamoDB tables -->
"Resource":["arn:aws:dynamodb:us-west-2:123456789012:table/books_table",
"arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"]
Principal
Action
Resource
Condition
30. Resource: Examples
• The object or objects being requested
• Statements must include either a Resource or a NotResource element
<-- S3 bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket/*"
<-- All S3 buckets, except this one -->
"NotResource":"arn:aws:s3:::security_logging_bucket/*"
<-- Amazon SQS queue-->
"Resource":"arn:aws:sqs:us-west-2:123456789012:queue1"
<-- Multiple Amazon DynamoDB tables -->
"Resource":["arn:aws:dynamodb:us-west-2:123456789012:table/books_table",
"arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"]
<-- All EC2 instances for an account in a region -->
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
Principal
Action
Resource
Condition
31. Resource: Examples
• The object or objects being requested
• Statements must include either a Resource or a NotResource element
<-- S3 bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket/*"
<-- All S3 buckets, except this one -->
"NotResource":"arn:aws:s3:::security_logging_bucket/*"
<-- Amazon SQS queue-->
"Resource":"arn:aws:sqs:us-west-2:123456789012:queue1"
<-- Multiple Amazon DynamoDB tables -->
"Resource":["arn:aws:dynamodb:us-west-2:123456789012:table/books_table",
"arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"]
<-- All EC2 instances for an account in a region -->
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
Principal
Action
Resource
Condition
Replace
with your
account
number
33. Condition example
What if you wanted to restrict access to a time frame and IP address range?
Principal
Action
Resource
Condition
34. Condition example
“Condition” : {
"DateGreaterThan" : {"aws:CurrentTime" : "2017-12-25T08:00:00Z"},
"DateLessThan": {"aws:CurrentTime" : "2017-12-26T08:00:00Z"},
"IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}
What if you wanted to restrict access to a time frame and IP address range?
Principal
Action
Resource
Condition
35. Condition example
“Condition” : {
"DateGreaterThan" : {"aws:CurrentTime" : "2017-12-25T08:00:00Z"},
"DateLessThan": {"aws:CurrentTime" : "2017-12-26T08:00:00Z"},
"IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}
AND
What if you wanted to restrict access to a time frame and IP address range?
Principal
Action
Resource
Condition
36. Condition example
“Condition” : {
"DateGreaterThan" : {"aws:CurrentTime" : "2017-12-25T08:00:00Z"},
"DateLessThan": {"aws:CurrentTime" : "2017-12-26T08:00:00Z"},
"IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}
AND
OR
What if you wanted to restrict access to a time frame and IP address range?
Principal
Action
Resource
Condition
37. Condition example
“Condition” : {
"DateGreaterThan" : {"aws:CurrentTime" : "2017-12-25T08:00:00Z"},
"DateLessThan": {"aws:CurrentTime" : "2017-12-26T08:00:00Z"},
"IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}
Allows a user to access a resource under the following conditions:
• Anytime on Christmas day 2017 GMT from a source IP in the range
• The time is after 8 A.M. GMT on 12/25/2017 AND
• The time is before 8 A.M. GMT on 12/26/2017 AND
• The request comes from an IP address in the 192.0.2.0 /24 OR 203.0.113.0 /24
range
AND
OR
What if you wanted to restrict access to a time frame and IP address range?
Principal
Action
Resource
Condition
38. Condition example
“Condition” : {
"DateGreaterThan" : {"aws:CurrentTime" : "2017-12-25T08:00:00Z"},
"DateLessThan": {"aws:CurrentTime" : "2017-12-26T08:00:00Z"},
"IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}
Allows a user to access a resource under the following conditions:
• Anytime on Christmas day 2017 GMT from a source IP in the range
• The time is after 8 A.M. GMT on 12/25/2017 AND
• The time is before 8 A.M. GMT on 12/26/2017 AND
• The request comes from an IP address in the 192.0.2.0 /24 OR 203.0.113.0 /24
range
• A
AND
OR
What if you wanted to restrict access to a time frame and IP address range?
Principal
Action
Resource
Condition
42. Policy enforcement
Decision
starts at Deny
1
• AWS retrieves all policies
associated with the user and
resource
• Only policies that match the
action and conditions are
evaluated
43. Policy enforcement
Decision
starts at Deny
1
Evaluate all
applicable
policies
2
• AWS retrieves all policies
associated with the user and
resource
• Only policies that match the
action and conditions are
evaluated
44. Policy enforcement
Decision
starts at Deny
1
Evaluate all
applicable
policies
2
Is there an
explicit
Deny?
3
• AWS retrieves all policies
associated with the user and
resource
• Only policies that match the
action and conditions are
evaluated
45. Policy enforcement
Final decision =“Deny”
(explicit Deny)
Yes
Decision
starts at Deny
1
Evaluate all
applicable
policies
2
Is there an
explicit
Deny?
3
• AWS retrieves all policies
associated with the user and
resource
• Only policies that match the
action and conditions are
evaluated
• If a policy statement
has a Deny, it
trumps all other
policy statements
46. Policy enforcement
Final decision =“Deny”
(explicit Deny)
Yes
No Is there an
Allow?
4
Decision
starts at Deny
1
Evaluate all
applicable
policies
2
Is there an
explicit
Deny?
3
• AWS retrieves all policies
associated with the user and
resource
• Only policies that match the
action and conditions are
evaluated
• If a policy statement
has a Deny, it
trumps all other
policy statements
47. Policy enforcement
Final decision =“Deny”
(explicit Deny)
Yes
Final decision =“Allow”
Yes
No Is there an
Allow?
4
Decision
starts at Deny
1
Evaluate all
applicable
policies
2
Is there an
explicit
Deny?
3
• AWS retrieves all policies
associated with the user and
resource
• Only policies that match the
action and conditions are
evaluated
• If a policy statement
has a Deny, it
trumps all other
policy statements
• Access is granted
if there is an
explicit Allow and
no Deny
48. Policy enforcement
Final decision =“Deny”
(explicit Deny)
Yes
Final decision =“Allow”
Yes
No Is there an
Allow?
4
Decision
starts at Deny
1
Evaluate all
applicable
policies
2
Is there an
explicit
Deny?
3
No Final decision =“Deny”
(default Deny)
5
• AWS retrieves all policies
associated with the user and
resource
• Only policies that match the
action and conditions are
evaluated
• If a policy statement
has a Deny, it
trumps all other
policy statements
• Access is granted
if there is an
explicit Allow and
no Deny
• By default, an
implicit (default)
Deny is returned
49. It’s not just IAM policies
A W S O r g a n i z a t i o n s
S e r v i c e c o n t r o l p o l i c i e s ( S C P s )
S p e c i f i c A W S s e r v i c e s
R e s o u r c e - b a s e d p o l i c i e s
E x a m p l e : A m a z o n S 3 b u c k e t p o l i c i e s
A W S I d e n t i t y a n d A c c e s s M a n a g e m e n t
I n l i n e p o l i c i e s
M a n a g e d p o l i c i e s
A W S S e c u r i t y T o k e n S e r v i c e ( S T S )
S c o p e d - d o w n p o l i c i e s
All use the
same policy
language
52. When to use each type of permission policy
A W S O r g a n i z a t i o n s
S e r v i c e c o n t r o l p o l i c i e s ( S C P s )
G u a r d r a i l s o n t h e a c c o u n t
t o d i s a b l e a c c e s s t o s e r v i c e s
53. When to use each type of permission policy
A W S I A M
I n l i n e p o l i c i e s
M a n a g e d p o l i c i e s
A W S O r g a n i z a t i o n s
S e r v i c e c o n t r o l p o l i c i e s ( S C P s )
G u a r d r a i l s o n t h e a c c o u n t
t o d i s a b l e a c c e s s t o s e r v i c e s
S e t g r a n u l a r p e r m i s s i o n s
b a s e d o n f u n c t i o n s t h a t
u s e r s o r a p p l i c a t i o n s n e e d
t o p e r f o r m
54. When to use each type of permission policy
A W S I A M
I n l i n e p o l i c i e s
M a n a g e d p o l i c i e s
A W S S T S
S c o p e d - d o w n p o l i c i e s
A W S O r g a n i z a t i o n s
S e r v i c e c o n t r o l p o l i c i e s ( S C P s )
G u a r d r a i l s o n t h e a c c o u n t
t o d i s a b l e a c c e s s t o s e r v i c e s
S e t g r a n u l a r p e r m i s s i o n s
b a s e d o n f u n c t i o n s t h a t
u s e r s o r a p p l i c a t i o n s n e e d
t o p e r f o r m
R e d u c e g e n e r a l s h a r e d
p e r m i s s i o n s f u r t h e r
55. When to use each type of permission policy
A W S I A M
I n l i n e p o l i c i e s
M a n a g e d p o l i c i e s
A W S S T S
S c o p e d - d o w n p o l i c i e s
A W S O r g a n i z a t i o n s
S e r v i c e c o n t r o l p o l i c i e s ( S C P s )
S p e c i f i c A W S s e r v i c e s
R e s o u r c e - b a s e d p o l i c i e s
E x a m p l e : S 3 b u c k e t p o l i c i e s
G u a r d r a i l s o n t h e a c c o u n t
t o d i s a b l e a c c e s s t o s e r v i c e s
S e t g r a n u l a r p e r m i s s i o n s
b a s e d o n f u n c t i o n s t h a t
u s e r s o r a p p l i c a t i o n s n e e d
t o p e r f o r m
R e d u c e g e n e r a l s h a r e d
p e r m i s s i o n s f u r t h e r
C r o s s - a c c o u n t a c c e s s a n d
t o c o n t r o l a c c e s s f r o m t h e
r e s o u r c e
57. How they work together—for an account
Service
control
policies
Allow
S3:PutObject
58. How they work together—for an account
Service
control
policies
Allow
S3:PutObject
59. How they work together—for an account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Union
Allow
S3:PutObject
60. How they work together—for an account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Scoped-
down
policies
Union
Allow
S3:PutObject
61. How they work together—for an account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Scoped-
down
policies
Union
Allow
S3:PutObject
62. How they work together—for an account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Resource-
based
policiesScoped-
down
policies
Union
Allow
S3:PutObject
63. How they work together—for an account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Resource-
based
policiesScoped-
down
policies
Union
Union
Allow
S3:PutObject
64. How they work together—for an account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Resource-
based
policiesScoped-
down
policies
Union
Union
Allow
S3:PutObject
Allow S3:PutObject
65. How they work together—for an account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Resource-
based
policiesScoped-
down
policies
Union
Union
Does not allow
S3:PutObject
66. How they work together—across account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Resource-
based
policiesScoped-
down
policies
Union
Union
Allow
S3:PutObject
Allow S3:PutObject
67. How they work together—across account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Resource-
based
policiesScoped-
down
policies
Union
Allow
S3:PutObject
Allow S3:PutObject
68. How they work together—across account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Resource-
based
policiesScoped-
down
policies
Union
Allow
S3:PutObject
Allow S3:PutObject
69. How they work together—across account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Resource-
based
policiesScoped-
down
policies
Union
Allow
S3:PutObject
Allow S3:PutObject
Intersection
Allow
S3:PutObject
90. Recap
Review of IAM policy language
Review of how policies work together to control
access
Policy tools – Create, test, and correct policies
Policy Foo – Ninja moves with Amazon EC2
Additional resources
92. Policy tools – Visual policy editor
Point and click your way through granting permissions in AWS
Create and modify IAM policies
Select from a list of AWS services
Select from a list of available actions
Explore services and actions with inline documentation
Understand the resources you can specify for service actions
Select from a list of available conditions for actions you select
Easily include dependent actions required to perform tasks in AWS
Import existing policies and modify
97. Recap
Review of IAM policy language
Review of how policies work together to control
access
Policy tools – Create, test, and correct policies
Policy Foo – Ninja moves with EC2
Additional resources
98. Policy Foo – Access control with tags
Tags and EC2
99. Policy Foo – Access control with tags
Tags and EC2
Control how
users can add
tags
100. Policy Foo – Access control with tags
Tags and EC2
Control which
tags users can
create
Control how
users can add
tags
101. Policy Foo – Access control with tags
Tags and EC2
Control which
tags users can
create
Control which
resources users can
tag
Control how
users can add
tags
102. Policy Foo – Access control with tags
Tags and EC2
Control which
tags users can
create
Control which
resources users can
tag
Control how
users can add
tags
Control access
to resources
based on tags
103. Policy Foo – Access control with tags
Tags and EC2
Control which
tags users can
create
Control which
resources users can
tag
Control how
users can add
tags
Control access
to resources
based on tags
105. Permissions overview
Allow adding tags only during instance launch
Require specific tags with values at instance launch
Bonus: Allow modify and create specific tags and
resources
109. Policy Foo – Challenge
“But how do I let Casey update tags on existing instances without also
allowing crazy tags?”
Goal: Allow Casey to create tags on resources tagged with one of his
projects and a name tag with any value.
Pro tip! Look at the conditions that EC2:CreateTags supports.
110. Policy Foo – Challenge
“But how do I let Casey update tags on existing instances without also
allowing crazy tags?”
Goal: Allow Casey to create tags on resources tagged with one of his
projects and a name tag with any value.
Pro tip! Look at the conditions that EC2:CreateTags supports.
project=poker
name=vegas
111. Policy Foo – Challenge
“But how do I let Casey update tags on existing instances without also
allowing crazy tags?”
Goal: Allow Casey to create tags on resources tagged with one of his
projects and a name tag with any value.
Pro tip! Look at the conditions that EC2:CreateTags supports.
project=poker
name=vegas
112. Policy Foo – Challenge
“But how do I let Casey update tags on existing instances without also
allowing crazy tags?”
Goal: Allow Casey to create tags on resources tagged with one of his
projects and a name tag with any value.
Pro tip! Look at the conditions that EC2:CreateTags supports.
project=poker
name=vegas
project=slots
name=vegas
113. Policy Foo – Challenge
“But how do I let Casey update tags on existing instances without also
allowing crazy tags?”
Goal: Allow Casey to create tags on resources tagged with one of his
projects and a name tag with any value.
Pro tip! Look at the conditions that EC2:CreateTags supports.
project=poker
name=vegas
project=slots
name=vegas