February 7, 2021
Attribute Based Access Control
AWS has supported fine-grained access control using attributes (such as resource tags) for several years now.
Recently I needed to provide access to certain EC2 instances, and I was really hoping I would not have to list every EC2 instance for attribute-based access to work.
Unfortunately, after a lot of trial and error I couldn't make it work, and I ended up with the following policy, deployed via Control Tower/SSO as a permission set against the specific account where the EC2 instances run.
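For reference, this is the general shape of a tag-based (ABAC) EC2 policy; it is an added illustration, not the policy the author deployed. It assumes an instance tag and a principal/session tag both named `Team`, and that the `Team` attribute is mapped to session tags for the SSO permission set (for AWS SSO that means enabling attributes for access control; without it `aws:PrincipalTag/Team` is empty and the condition never matches). The `Describe*` statement keeps `Resource: "*"` because EC2 `Describe` actions do not support resource-level permissions or tag conditions, so only the mutating actions are actually scoped by tag.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeNeedsWildcardResource",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TagScopedInstanceActions",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Team": "${aws:PrincipalTag/Team}"
        }
      }
    }
  ]
}
```

When testing a policy like this, check two things before assuming ABAC is broken: that the session tag really arrives (the `PrincipalTag` key is visible in CloudTrail `userIdentity.sessionContext`), and that every action in the tag-scoped statement actually supports the `aws:ResourceTag` condition key in the EC2 actions table. An action that does not support it silently fails the condition and produces an AccessDenied that looks like a tag mismatch.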