Error in IAM custom policy to restrict a user on the basis of tag

Question

I have created a custom IAM policy to restrict a user access on the basis of tags like if the Resource tag Name has any value Test then the user can start stop reboot the instance.

Here is my policy :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TheseActionsDontSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": ["ec2:Describe*"],
            "Resource": "*"
        },
        {
            "Sid": "TheseActionsSupportResourceLevelPermissionsWithTags",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:acct_no:instance/*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "ec2:ResourceTag/Name": "Test"
                }
            }
        }
    ]
}

But when I apply the policy the user can't perform the specified actions.

Kindly help.

Thanks

Answer 1

ForAnyValue is an inappropriate condition for your Amazon IAM use case, insofar it is only applicable for sets (see Creating a Condition That Tests Multiple Key Values (Set Operations) for details) - simply dropping the ForAnyValue: prefix should yield a working policy, see e.g. the examples in Resource-level Permissions for EC2 – Controlling Management Access on Specific Instances:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",      
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/critical":"true"
        }
      },
      "Resource": [
        "arn:aws:ec2:your_region:your_account_ID:instance/*"
      ],
      "Effect": "Allow"
    }
  ]
}