1
votes

I'm attempting to update an IAM policy to restrict it to a single region but I have a syntax error that I can't seem to work out.

Here's the JSON for the policy:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Action":[
            "ec2:*"
         ],
         "Resource":[
            "*"
         ],
         "Effect":"Allow",
         "Condition":{
            "condition":{
               "StringEquals":{
                  "ec2:Region":"us-east-1"
               }
            }
         }
      }
   ]
}

It's the condition that's causing the issue, but I can't quite seem to figure out where I've gone wrong. I've tried using the AWS IAM policy builder to generate it, but it still gives me a syntax error when I try creating it via that, so I'm guessing it's a syntax issue.

All I'm trying to do is restrict the policy to EC2 operations in us-east-1 only.

I'm using this command to upload it:

aws iam put-group-policy  --group-name eastern-contractors --policy-document file://ec2.json --policy-name ec2

And I get the following response:

A client error (MalformedPolicyDocument) occurred when calling the PutGroupPolicy operation: There are invalid conditions in this policy.

I've tried using similar answers on this site, such as AWS IAM Permissions for EC2 – Controlling Access on Specific Instances with particular region, but it doesn't seem to work.


1 Answer

4
votes

Here is the working policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1410456206000",
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:Region": "us-east-1"
        }
      },
      "Resource": [
        "*"
      ]
    }
  ]
}

The nested "condition" was the issue.
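An added example, not from the thread: a small checker that catches this class of mistake before the policy is uploaded, by verifying that every top-level key of a Condition block is a real IAM condition operator (StringEquals, IpAddress, ArnLike, ...) rather than an arbitrary nesting level such as "condition". The operator list and the two embedded policies (copies of the broken and fixed documents above) are the example's own.

```python
# IAM condition operators accepted at the top level of a "Condition" block.
# Set-operator prefixes (ForAnyValue:/ForAllValues:) and the IfExists suffix
# are stripped before the lookup. The list is this example's own, not from the thread.
OPERATORS = {
    "StringEquals", "StringNotEquals", "StringEqualsIgnoreCase", "StringNotEqualsIgnoreCase",
    "StringLike", "StringNotLike", "NumericEquals", "NumericNotEquals", "NumericLessThan",
    "NumericLessThanEquals", "NumericGreaterThan", "NumericGreaterThanEquals", "DateEquals",
    "DateNotEquals", "DateLessThan", "DateLessThanEquals", "DateGreaterThan",
    "DateGreaterThanEquals", "Bool", "BinaryEquals", "IpAddress", "NotIpAddress",
    "ArnEquals", "ArnLike", "ArnNotEquals", "ArnNotLike", "Null",
}

def is_operator(name):
    """True if `name` is a condition operator, allowing set prefixes and IfExists."""
    for prefix in ("ForAnyValue:", "ForAllValues:"):
        if name.startswith(prefix):
            name = name[len(prefix):]
    if name.endswith("IfExists"):
        name = name[:-len("IfExists")]
    return name in OPERATORS

def condition_errors(policy):
    """Return human-readable problems found in the Condition blocks of a policy dict."""
    errors = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be given as an object
        statements = [statements]
    for i, stmt in enumerate(statements):
        cond = stmt.get("Condition")
        if cond is None:
            continue
        if not isinstance(cond, dict):
            errors.append(f"Statement {i}: Condition must be an object")
            continue
        for op, keys in cond.items():
            if not is_operator(op):
                errors.append(f"Statement {i}: '{op}' is not a condition operator")
            elif not isinstance(keys, dict):
                errors.append(f"Statement {i}: {op} must map condition keys to values")
    return errors

# Constructed copies of the two policies in this thread: the broken one with the
# extra "condition" nesting, and the working one from the answer.
BROKEN = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["ec2:*"],
    "Resource": ["*"], "Condition": {"condition": {"StringEquals": {"ec2:Region": "us-east-1"}}}}]}
FIXED = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["ec2:*"],
    "Resource": ["*"], "Condition": {"StringEquals": {"ec2:Region": "us-east-1"}}}]}

if __name__ == "__main__":
    print(condition_errors(BROKEN))   # flags the nested "condition" key
    print(condition_errors(FIXED))    # []
```

Run it on a policy file with `json.load` before calling `aws iam put-group-policy`; the broken document is reported as `Statement 0: 'condition' is not a condition operator`.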