
I am trying to limit SSH access to EC2 instances by using a resource tag condition in my Instance Connect policy. So basically I have something like this:

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "ec2-instance-connect:SendSSHPublicKey",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {
            "StringEquals": {"ec2:ResourceTag/Squad": "blah"}
        }
      },
      {
        "Effect": "Allow",
        "Action": "ec2:DescribeInstances",
        "Resource": "*"
      }
    ]
}

However, that doesn't seem to work. Isn't Instance Connect able to use the ec2:ResourceTag condition? I have seen it working with a condition like ec2:osuser, so I am wondering if there is a limitation or I'm doing something wrong.

Cobra Kai Dojo
  • did you solve this? – Leo Gallucci Feb 12 '21 at 21:42
  • @LeoGallucci unfortunately no. It seems that it's not supported. – Cobra Kai Dojo Feb 15 '21 at 17:31
  • Weird, but there is a sample that suggests it does, although it doesn't: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-set-up.html. Reference for services which support tags: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html – Sumit Murari Jul 05 '22 at 09:51
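The behaviour the asker describes is what a missing condition key produces under IAM's evaluation rules: `StringEquals` on a key that the service did not put into the request context evaluates to false, so the statement silently stops matching and the request falls through to the implicit deny. The following is an added illustration, not code from the question or from AWS: a small offline evaluator for the asker's policy (with the stray double comma removed) that models action and resource wildcard matching plus `StringEquals`. It deliberately does not know which context keys a given service action supplies; the instance ARN and the request contexts are constructed sample values. Run it to see that the only case that allows `SendSSHPublicKey` is the one where the tag key is present and matches, which is why a service that does not populate `ec2:ResourceTag` looks exactly like a tag mismatch.

```python
import fnmatch

# Constructed copy of the policy from the question (double comma fixed).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2-instance-connect:SendSSHPublicKey",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Squad": "blah"}},
        },
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
}

# Constructed sample instance ARN; account id and instance id are placeholders.
INSTANCE = "arn:aws:ec2:eu-west-1:123456789012:instance/i-0123456789abcdef0"
ACTION = "ec2-instance-connect:SendSSHPublicKey"


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate a Condition block. Only StringEquals is modelled here.
    A key absent from the request context makes StringEquals false, which
    is what happens when the calling service does not populate that key."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, wanted in pairs.items():
            if key not in context:
                return False
            if context[key] not in _as_list(wanted):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow' if any statement allows the request, otherwise 'Deny'
    (implicit deny). An explicit Deny statement always wins over Allow."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        # IAM's '*' matches any characters, including '/' and ':'; fnmatch agrees.
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def scenarios():
    """Constructed request contexts: the tag as the policy expects, a different
    tag value, and the case where the service supplied no tag key at all."""
    return {
        "tag matches": evaluate(POLICY, ACTION, INSTANCE, {"ec2:ResourceTag/Squad": "blah"}),
        "tag differs": evaluate(POLICY, ACTION, INSTANCE, {"ec2:ResourceTag/Squad": "other"}),
        "key not supplied by service": evaluate(POLICY, ACTION, INSTANCE, {}),
        "describe needs no tag": evaluate(POLICY, "ec2:DescribeInstances", "*", {}),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Because "tag differs" and "key not supplied by service" are indistinguishable from the caller's side, the useful check when a tag condition appears not to work is whether the service action actually supplies that condition key, which is what the service authorization reference linked in the comments documents per action.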

1 Answer


I think an IAM policy is not able to limit SSH access. I'm not sure, but I haven't heard of anyone using an IAM policy to limit SSH. I think it must be set up on your EC2 instance.