Sure. Here's a simple example, where I've given the user access to all ec2 actions except for those I've explicitly denied if a ResourceTag with the key "MyTag" and value "MyTagValue" exist.
Denied actions:
Example:
{
"Statement": [
{
"Action": [
"ec2:PurchaseReservedInstancesOffering",
"ec2:RequestSpotInstances",
"ec2:RunInstances"
],
"Effect": "Deny",
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/MyTag": "MyTagValue"
}
}
},
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
}
]
}
Here's proof of the results from the IAM Policy Simulator:
Those actions are allowed when that tag doesn't exist, is some other value, etc.
Also, the ec2 allow action "Action": "ec2:*"
was for sake of example... you can remove that whole block or use it as a template to begin allowing only a specific set of EC2 actions to your users.