    TAG YOU’RE IT

    Overview
    You’re the IAM Administrator and your job is to separate the actions that two Project Teams, Green and Red, can take on EC2 Instances in an AWS Account. To successfully complete this challenge, you will need to craft an IAM Policy Document that separates the permissions of the two Roles: ProjectGreenRole and ProjectRedRole so that the ProjectGreenRole can Run, Stop and Start EC2 Instances tagged with Project = Green and ProjectRedRole can do the same with EC2 Instances tagged with Project = Red. You must also ensure that these Roles can’t change tags on EC2 instances after launch.

    Possible Points: 200 Clue Penalty: 0 Points Earned: 200
    Background
    You are the IAM Administrator for your AWS Accounts. You have two Projects: Red and Green that are launching and managing EC2 Instances in the same AWS Account.

    Your AWS Account has the following resources:

    Two IAM Roles:
    ProjectRedRole tagged with Project = Red
    ProjectGreenRole tagged with Project = Green
    Two EC2 Instances:
    Red instance tagged with Project = Red
    Green instance tagged with Project = Green
    A Managed Policy: ‘ManageEC2InstancesWithProjectTag’ that is attached to the ProjectRedRole and ProjectGreenRole. This is overly permissive to start with and does not have any IAM Conditions for the Actions.
    Requirements
    Your job is to edit this policy document to meet the following three requirements:

    Restrict EC2 StartInstances & StopInstances actions to EC2 Instances with Project tag values corresponding to the Roles ProjectGreenRole and ProjectRedRole.
    Allow EC2 RunInstances only if the EC2 Instances and Volumes are tagged on creation with Project tag values corresponding to the Roles ProjectGreenRole and ProjectRedRole. Ensure that the only tag key allowed on creation is ‘Project’ with an exact case match.
    Ensure that tags cannot be changed on EC2 Instances and Volumes after creation.
    Hint: it may help to save a copy of the original policy document before you make changes so you can always go back and start over.

    Getting Test Results
    After saving changes to the Managed Policy wait 20 seconds and browse to or refresh the VerifierUri from the Output Properties. This page displays results of test cases for the above requirements (green means the test passed, red means the test failed). When all tests pass you’ll get the Challenge Answer at the bottom of the same page.

    Helpful Links
    Here are a few links to help you with the challenge:

    Actions, Resources and Condition Keys for Amazon EC2
    AWS Global Condition Context Keys
    Example IAM Policies for EC2 RunInstances with Tags

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "01AllowStopStartWithProjectTag",
          "Effect": "Allow",
          "Action": [
            "ec2:StopInstances",
            "ec2:StartInstances"
          ],
          "Resource": [
            "arn:aws:ec2:*:*:instance/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"
            }
          }
        },
        {
          "Sid": "AllowRunInstancesResourcesNoTags",
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:*::image/*",
            "arn:aws:ec2:*:*:subnet/*",
            "arn:aws:ec2:*:*:network-interface/*",
            "arn:aws:ec2:*:*:security-group/*",
            "arn:aws:ec2:*:*:key-pair/*"
          ]
        },
        {
          "Sid": "02AllowRunInstancesWithProjectTag",
          "Effect": "Allow",
          "Action": [
            "ec2:RunInstances"
          ],
          "Resource": [
            "arn:aws:ec2:*:*:instance/*",
            "arn:aws:ec2:*:*:volume/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:RequestTag/Project": "${aws:PrincipalTag/Project}"
            },
            "ForAllValues:StringEquals": {
              "aws:TagKeys": [
                "Project"
              ]
            }
          }
        },
        {
          "Sid": "03AllowCreateTagsOnRunInstances",
          "Effect": "Allow",
          "Action": [
            "ec2:CreateTags"
          ],
          "Resource": [
            "arn:aws:ec2:*:*:instance/*",
            "arn:aws:ec2:*:*:volume/*"
          ],
          "Condition": {
            "StringEquals": {
              "ec2:CreateAction": [
                "RunInstances"
              ]
            }
          }
        }
      ]
    }
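    To check that the policy above actually enforces the three requirements before relying on the VerifierUri, it helps to exercise its conditions against sample request contexts. The following toy evaluator is an added example, not part of the original page or of AWS tooling: it models only the two operators the policy uses (StringEquals with ${aws:PrincipalTag/...} substitution and ForAllValues:StringEquals), only Allow statements, and simple "*" ARN wildcards; the instance, volume and image ARNs in the usage are constructed.

```python
# Toy evaluator for the condition patterns used in the challenge policy (added example,
# not part of the original page). It models only Allow statements and the two operators
# the policy uses; it is not a substitute for the IAM policy simulator.
import re

# Abbreviated copy of the page's policy (same actions, resources and conditions).
POLICY = [
    {"Action": ["ec2:StopInstances", "ec2:StartInstances"],
     "Resource": ["arn:aws:ec2:*:*:instance/*"],
     "Condition": {"StringEquals": {"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"}}},
    {"Action": ["ec2:RunInstances"],  # untagged resources that RunInstances also touches
     "Resource": ["arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:key-pair/*",
                  "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:security-group/*"]},
    {"Action": ["ec2:RunInstances"],
     "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
     "Condition": {"StringEquals": {"aws:RequestTag/Project": "${aws:PrincipalTag/Project}"},
                   "ForAllValues:StringEquals": {"aws:TagKeys": ["Project"]}}},
    {"Action": ["ec2:CreateTags"],
     "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
     "Condition": {"StringEquals": {"ec2:CreateAction": ["RunInstances"]}}},
]

def _substitute(value, ctx):
    # Resolve policy variables such as ${aws:PrincipalTag/Project} from the request context.
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)

def _arn_match(pattern, arn):
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), arn) is not None

def _condition_ok(cond, ctx):
    for operator, tests in cond.items():
        for key, expected in tests.items():
            allowed = [_substitute(v, ctx) for v in (expected if isinstance(expected, list) else [expected])]
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual not in allowed:  # a missing single-valued key fails the test
                    return False
            elif operator == "ForAllValues:StringEquals":
                # every request value must be allowed; an absent key is an empty set and passes
                if any(v not in allowed for v in (actual or [])):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True

def is_allowed(action, resource, ctx):
    """True when at least one Allow statement matches the action, resource and conditions."""
    return any(action in s["Action"] and any(_arn_match(r, resource) for r in s["Resource"])
               and _condition_ok(s.get("Condition", {}), ctx) for s in POLICY)
```

The context dict plays the role of the request context keys IAM populates (principal tag, resource tag, request tags, tag keys, ec2:CreateAction); a standalone CreateTags call has no ec2:CreateAction key and is therefore denied, which is what keeps tags immutable after launch.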

    Answer: AttributeBasedAccessControl

  • Original article: https://blog.csdn.net/Tzwf01/article/details/126373160