We have an AWS user who should be able to create different resources like `Instances`, `Volumes` and `SecurityGroups`, but not modify resources that are not part of its project. For this purpose we allow the creation of resources and let the user `CreateTags` his resources with a `Project` tag and a value of `<user's team name here>`. He should not be able to tag already tagged resources and so not the resources of other teams. (Every single resource is properly tagged here.)
I have created a policy with statement:

```json
[...]
{
  "Effect": "Allow",
  "Action": "ec2:CreateTags",
  "Resource": "*",
  "Condition": {
    "Null": {
      "ec2:ResourceTag/Project": "true"
    }
  }
}
[...]
```
If I use the Policy Simulator by AWS, I am allowed to call `CreateTags` on a resource without a `Project` tag. If I simulate it with a `Project` tag set, the action is denied just as expected.

Unfortunately, if I use the same actions from the AWS CLI with this policy, `CreateTags` is allowed every time, even if the tag is already set and even on foreign instances the user should not be able to modify:
As user with the mentioned policy:

```
aws ec2 create-security-group --group-name "test-sg" --description "test" # creation of a new resource
(AWS answer)
{
    "GroupId": "sg-4a3151aa"
}

aws ec2 create-tags --resources sg-4a31513c --tags Key=Project,Value=web-performance # this should work, ResourceTag Project is Null
(success)

aws ec2 create-tags --resources sg-4a31513c --tags Key=Project,Value=web-performance # should *not* work, ResourceTag Project is already set and not Null
(success)
```
As you can see, it works both times, and it also works on foreign projects where the tag is already set.

I also tried it with

```json
"Condition": {
  "StringNotLike": {
    "ec2:ResourceTag/Project": "*"
  }
}
```

This behaves exactly like the `Null` condition, even in the Policy Simulator.
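To make the expected outcome of both condition blocks above (the `Null` statement and the `StringNotLike` variant) concrete, here is a small local evaluator. It is an added illustration, not the poster's code and not the AWS policy engine: it only models the documented semantics of the `Null` and `StringNotLike` operators against a constructed inventory of three security groups (one untagged, one tagged with the user's own team, one tagged with another team), so the allow/deny result each policy *should* produce per resource can be checked offline. The rule that an absent key makes `StringNotLike` evaluate to true is a modelling assumption, chosen because it matches what the poster observed in the Policy Simulator.

```python
"""Offline model of the two IAM condition blocks from the question.

Added example, not the poster's code and not AWS's evaluator. Resource ids
and tags below are constructed sample data.
"""
import re
from typing import Dict, Optional, Union

# Constructed inventory: resource id -> tags. A missing "Project" key models an
# untagged resource, which is what "Null": "true" is meant to match.
SAMPLE_RESOURCES: Dict[str, Dict[str, str]] = {
    "sg-untagged": {"Name": "test-sg"},
    "sg-own-team": {"Project": "web-performance"},
    "sg-other-team": {"Project": "billing"},
}

# The two statements exactly as written in the question.
POLICY_NULL = {
    "Effect": "Allow",
    "Action": "ec2:CreateTags",
    "Resource": "*",
    "Condition": {"Null": {"ec2:ResourceTag/Project": "true"}},
}
POLICY_STRING_NOT_LIKE = {
    "Effect": "Allow",
    "Action": "ec2:CreateTags",
    "Resource": "*",
    "Condition": {"StringNotLike": {"ec2:ResourceTag/Project": "*"}},
}


def _context_value(tags: Dict[str, str], key: str) -> Optional[str]:
    """Resolve a condition key against the request context.

    Only ec2:ResourceTag/<TagName> keys are modelled; None means "key absent".
    """
    prefix = "ec2:ResourceTag/"
    if not key.startswith(prefix):
        raise ValueError(f"unsupported condition key: {key}")
    return tags.get(key[len(prefix):])


def _iam_glob_match(value: str, pattern: str) -> bool:
    """IAM string matching: '*' is any run of characters, '?' any single one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.S) is not None


def _evaluate_operator(op: str, actual: Optional[str], expected: Union[str, list]) -> bool:
    """Evaluate one condition operator for one key."""
    values = expected if isinstance(expected, list) else [expected]
    if op == "Null":
        # "true" matches when the key is absent, "false" when it is present.
        return (actual is None) == (values[0].lower() == "true")
    if op == "StringNotLike":
        if actual is None:
            # Modelling assumption: a negated operator with an absent key is true,
            # consistent with the poster's Policy Simulator observation.
            return True
        return not any(_iam_glob_match(actual, pat) for pat in values)
    raise ValueError(f"operator not modelled: {op}")


def statement_matches(statement: dict, action: str, tags: Dict[str, str]) -> bool:
    """True when the statement's Action and every Condition clause match."""
    actions = statement["Action"] if isinstance(statement["Action"], list) else [statement["Action"]]
    if action not in actions and "*" not in actions:
        return False
    for op, clauses in statement.get("Condition", {}).items():
        for key, expected in clauses.items():
            if not _evaluate_operator(op, _context_value(tags, key), expected):
                return False
    return True


def create_tags_allowed(resource_id: str, statement: dict,
                        inventory: Dict[str, Dict[str, str]] = SAMPLE_RESOURCES) -> bool:
    """Allow only if an Allow statement matches; otherwise implicit deny."""
    tags = inventory[resource_id]
    return statement["Effect"] == "Allow" and statement_matches(statement, "ec2:CreateTags", tags)


def expected_outcomes(statement: dict,
                      inventory: Dict[str, Dict[str, str]] = SAMPLE_RESOURCES) -> Dict[str, bool]:
    """Per-resource allow/deny map for the given statement."""
    return {rid: create_tags_allowed(rid, statement, inventory) for rid in inventory}


if __name__ == "__main__":
    for name, policy in (("Null", POLICY_NULL), ("StringNotLike", POLICY_STRING_NOT_LIKE)):
        print(name, expected_outcomes(policy))
```

Under this model both statements allow `CreateTags` only on the untagged group and deny it on the two already tagged ones, which is the behaviour described as expected above; the CLI result in the question diverges from this model for the second and third calls.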
Do you have any ideas? Thanks in advance.