I need to share an education grant with a bunch of students. I've read up on IAM, but I can't figure out how to configure the group so that students can launch and control instances/security groups without allowing them to mess up my personal work.
I've got this configuration, which I read as "allow anything if the instance is not tagged False for Student".
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1385328762000",
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:ResourceTag/Student": "False"
                }
            }
        }
    ]
}
This seems to do nothing based on the tag 'Student'. I've also tried two policies, one being an allow-all on EC2 and the other a deny-all if the tag Student is False, as shown below. This makes me the one who needs to remember to tag my stuff, and students can do whatever. Again, it does not seem to matter; the student accounts I test with can see anything they want, and the allow-all policy supersedes the deny-if-tagged policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1385328762000",
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt138235328000",
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Student": "False"
                }
            }
        }
    ]
}
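To see why the deny-if-tagged policy can fail to bite, it helps to model the two IAM rules that decide the outcome: an explicit Deny always overrides an Allow, and a condition key that is absent from the request context makes StringEquals evaluate to false while the negated StringNotEquals evaluates to true. EC2 only puts ec2:ResourceTag/* into the request context for actions that support resource-level permissions, so a Describe* call never carries the Student tag. The following toy evaluator is an added example, not AWS code or the asker's; the request contexts are constructed.

```python
"""Toy model of IAM evaluation for the policies in the question (added example,
not AWS's implementation). Request contexts below are constructed by hand."""

ALLOW_ALL = {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}
DENY_IF_NOT_STUDENT = {
    "Effect": "Deny", "Action": "ec2:*", "Resource": "*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/Student": "False"}},
}
ALLOW_UNLESS_NOT_STUDENT = {
    "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
    "Condition": {"StringNotEquals": {"ec2:ResourceTag/Student": "False"}},
}

def action_matches(pattern, action):
    """Supports 'svc:*' and exact 'svc:Name' patterns, enough for 'ec2:*'."""
    svc, name = pattern.split(":", 1)
    a_svc, a_name = action.split(":", 1)
    return svc == a_svc and name in ("*", a_name)

def condition_matches(condition, context):
    """IAM semantics for a missing key: StringEquals -> false,
    StringNotEquals -> true (negated operators pass when the key is absent)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)  # None when EC2 supplies no such key
            if operator == "StringEquals":
                if actual is None or actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError("operator not modelled: " + operator)
    return True

def evaluate(statements, action, context):
    """Explicit Deny wins; otherwise any matching Allow wins; else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if not action_matches(stmt["Action"], action):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

if __name__ == "__main__":
    two = [ALLOW_ALL, DENY_IF_NOT_STUDENT]
    # Describe* carries no resource tag, so the Deny condition never matches.
    print(evaluate(two, "ec2:DescribeInstances", {}))
    # An action with resource-level support on a Student=False instance.
    print(evaluate(two, "ec2:StopInstances", {"ec2:ResourceTag/Student": "False"}))
```

The model shows that the instructor's instances stay visible because listing calls never see the tag, not because the Allow outranks the Deny; where the tag is present in the request context, the explicit Deny wins as expected.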