I'm trying to write a IAM policy to ensure that a resource (a security group in the example) can't be created unless it is tagged with a specific tag with a specific value.
Here is my policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:GetConsole*",
"ec2:CreateTags"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:CreateSecurityGroup",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/CreatedBy": "a_value"
}
}
}
]
}
Here is the relevant part in the web console:
When i click on "create security group" I get this error:
Here the decoded error:
{
"allowed": false,
"explicitDeny": false,
"matchedStatements": {
"items": []
},
"failures": {
"items": []
},
"context": {
"principal": {
"id": "<redacted>",
"name": "<redacted>",
"arn": "<redacted>"
},
"action": "ec2:CreateSecurityGroup",
"resource": "<redacted>",
"conditions": {
"items": [
{
"key": "aws:Region",
"values": {
"items": [
{
"value": "eu-west-1"
}
]
}
},
{
"key": "aws:Service",
"values": {
"items": [
{
"value": "ec2"
}
]
}
},
{
"key": "aws:Resource",
"values": {
"items": [
{
"value": "<redacted>"
}
]
}
},
{
"key": "aws:Type",
"values": {
"items": [
{
"value": "vpc"
}
]
}
},
{
"key": "aws:Account",
"values": {
"items": [
{
"value": "<redacted>"
}
]
}
},
{
"key": "ec2:Tenancy",
"values": {
"items": [
{
"value": "default"
}
]
}
},
{
"key": "ec2:VpcID",
"values": {
"items": [
{
"value": "<redacted>"
}
]
}
},
{
"key": "ec2:Region",
"values": {
"items": [
{
"value": "eu-west-1"
}
]
}
},
{
"key": "aws:ARN",
"values": {
"items": [
{
"value": "<redacted>"
}
]
}
}
]
}
}
}
If I remove the Condition block, it works. Any Idea?
EDIT Here what I have on cloudtrail:
{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "<redacted>",
"arn": "<redacted>",
"accountId": "<redacted>",
"accessKeyId": "<redacted>",
"userName": "<redacted>",
"sessionContext": {
"sessionIssuer": {},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-03-29T08:48:59Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-03-29T15:49:45Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "CreateSecurityGroup",
"awsRegion": "eu-west-1",
"sourceIPAddress": "<redacted>",
"userAgent": "AWS Internal",
"errorCode": "Client.UnauthorizedOperation",
"errorMessage": "You are not authorized to perform this operation. Encoded authorization failure message: br3mkxwSe4g18HaPPrDGj_GbkhVzwkrOCNyUN8lcZ9psjAPxwYke-uBJD5HFjFZ4nZ0Yv84SFHezTDAiKQe3NnuGODXIvxilxmzSMDKFgsKM4VymOTu-2MobyTpUekHZhR0UK2uOw_GmW5ihIjUH3Nm_kVPVZ-n5_16KkZk2xeJwAZ_Ra5bhnBbCJm2Xaa_mrqZP5cL_il2PsSNvMep_fFyJeD7MjpzA9T3bpVmOdjoHR9bjMvOJHB2IpgeXnFiJlgTvHwQYYoJtsl-wcFKI8Ra9yz5kgpzXIlvWbmxyZPLj0L8r0cd4qyrBesKd6IdFABJR01FEdp0WOF0Er-UdCYwDabKTH-VrbBnQOcehMOQNTNYsv-rVHBOfjkd5U_ccgCBKj5NkT3Sc0uDYYw9yBLoaVOS830LSvVMEVFIzQ_3eunVU44ktsYnveP5PLgiIYZ_skQHx5Y9kAtkAo-dnCsumXW1P32XqDc9gaETxHNG13MOGo5Hu8F0mYeJH_tY0MYq5iW54pDCfW0CywZvfVRgfbIK9tURhz6JkJBA2p7rR0jU",
"requestParameters": {
"groupName": "whatever_name",
"groupDescription": "whatever_description",
"vpcId": "<redacted>",
"tagSpecificationSet": {
"items": [
{
"resourceType": "security-group",
"tags": [
{
"key": "CreatedBy",
"value": "a_value"
}
]
}
]
}
},
"responseElements": null,
"requestID": "<redacted>",
"eventID": "<redacted>",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "<redacted>",
"eventCategory": "Management",
"sessionCredentialFromConsole": "true"
}
