Attribute Based Access Control

AWS has provided the ability to implement fine-grained access control using attributes (such as ResourceTags) for serveral years now. Recently I had the need to provide access to certain EC2 instances and was really hoping that I didn’t have to list all EC2 instances for attribute access to work. Unfortunately after a lot of trial and error I couldn’t make it work, and ended up with the following policy, deployed via Control Tower/SSO using a permission set against the specific account where the EC2 instances are running. Read more