AWS EC2 - Limit an Instance's Access to its Own Tags
Here's a way, using a policy variable rather than a hard-coded instance ID, to let an EC2 instance create tags on itself but on no other instance. It works because ec2:SourceInstanceARN is present in the request context only when the call is made with credentials from the instance's own instance profile. The variable ${ec2:SourceInstanceARN} therefore expands to the calling instance's ARN, and the condition matches only when that is also the ARN of the resource being tagged. Any other caller, such as an operator using their own credentials, has no ec2:SourceInstanceARN in the context, the condition never matches, and the statement grants nothing. Enjoy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TagOnlyMyself",
      "Effect": "Allow",
      "Action": ["ec2:CreateTags"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ARN": "${ec2:SourceInstanceARN}"
        }
      }
    },
    {
      "Sid": "ReadTags",
      "Effect": "Allow",
      "Action": ["ec2:DescribeTags"],
      "Resource": "*"
    }
  ]
}

Two things differ from the single-statement version of this policy that gets passed around. CreateTags is limited to instance ARNs instead of "*", because instances are the only resource type the condition is meant to protect. DescribeTags gets its own statement: it does not support resource-level permissions, so its request carries no instance ARN for the condition to compare against, and putting it under the ARN condition would leave the instance unable to read tags at all. The cost is that DescribeTags on "*" lets the instance read the tags of every EC2 resource in the account; if that is too much, drop the second statement and have the instance read its own tags from instance metadata (tags in metadata must be enabled on the instance). Before relying on any of this, verify it from the instance: CreateTags against its own ID should succeed and CreateTags against any other instance should fail with UnauthorizedOperation. Keep in mind that the instance-profile credentials are available to anything on the box that can reach the metadata service, including an SSRF in the application, so the rest of the role deserves the same tight scoping.
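To see which requests the policy allows and which it quietly denies, here is a toy evaluator. It is an added example written for this page, not AWS code and not the real IAM engine: it models only the handful of rules the policy depends on (policy-variable substitution, StringEquals, resource glob matching, and the rule that a condition whose key is missing from the request context is false), it assumes that aws:ARN means the ARN of the resource being tagged, which is what the policy itself assumes, and the instance and account IDs are made up. It evaluates both the one-statement form of the policy and a variant with DescribeTags in its own statement.

```python
"""Toy model of IAM evaluation for the tag-yourself policy.

Added example; not the real IAM evaluator. "aws:ARN" is assumed to be
the ARN of the resource being tagged. Explicit Deny is not modeled.
All ARNs below are constructed sample values.
"""
from fnmatch import fnmatchcase
import re

SELF = "arn:aws:ec2:us-east-1:123456789012:instance/i-0a1b2c3d4e5f67890"
OTHER = "arn:aws:ec2:us-east-1:123456789012:instance/i-0ffffffffffffffff"

SELF_TAG_STATEMENT = {
    "Effect": "Allow",
    "Action": ["ec2:CreateTags"],
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringEquals": {"aws:ARN": "${ec2:SourceInstanceARN}"}},
}

# One-statement form: DescribeTags shares the ARN condition.
ONE_STATEMENT = {"Statement": [
    dict(SELF_TAG_STATEMENT,
         Action=["ec2:CreateTags", "ec2:DescribeTags"], Resource="*"),
]}

# Split form: DescribeTags in its own unconditional statement.
SPLIT = {"Statement": [
    SELF_TAG_STATEMENT,
    {"Effect": "Allow", "Action": ["ec2:DescribeTags"], "Resource": "*"},
]}

VAR = re.compile(r"^\$\{([^}]+)\}$")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def condition_matches(condition, ctx):
    """StringEquals only. A condition key, or a policy variable it is
    compared to, that is absent from the request context makes the
    condition false (this is what makes the policy fail closed)."""
    for op, pairs in condition.items():
        if op != "StringEquals":
            raise NotImplementedError(op)
        for key, expected in pairs.items():
            m = VAR.match(expected)
            if m:
                if m.group(1) not in ctx:
                    return False
                expected = ctx[m.group(1)]
            if ctx.get(key) != expected:
                return False
    return True


def resource_matches(patterns, ctx):
    """'*' matches any request, including list calls with no resource ARN;
    anything else is a glob over the tagged resource's ARN."""
    arn = ctx.get("aws:ARN")
    return any(p == "*" or (arn is not None and fnmatchcase(arn, p))
               for p in _as_list(patterns))


def is_allowed(policy, action, ctx):
    """True when some Allow statement matches action, resource and
    condition; otherwise the implicit deny applies."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        if not resource_matches(stmt["Resource"], ctx):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        return True
    return False


# Constructed request contexts. Calls made with instance-profile
# credentials carry ec2:SourceInstanceARN; an operator's own do not.
FROM_SELF_ON_SELF = {"aws:ARN": SELF, "ec2:SourceInstanceARN": SELF}
FROM_SELF_ON_OTHER = {"aws:ARN": OTHER, "ec2:SourceInstanceARN": SELF}
FROM_OPERATOR = {"aws:ARN": SELF}
FROM_SELF_DESCRIBE = {"ec2:SourceInstanceARN": SELF}  # no resource ARN

if __name__ == "__main__":
    for name, pol in (("one-statement", ONE_STATEMENT), ("split", SPLIT)):
        print(name,
              "tag self:", is_allowed(pol, "ec2:CreateTags", FROM_SELF_ON_SELF),
              "tag other:", is_allowed(pol, "ec2:CreateTags", FROM_SELF_ON_OTHER),
              "operator:", is_allowed(pol, "ec2:CreateTags", FROM_OPERATOR),
              "describe:", is_allowed(pol, "ec2:DescribeTags", FROM_SELF_DESCRIBE))
```

Running it shows the same outcome for CreateTags under both forms (self allowed, another instance denied, a caller without instance-profile credentials denied), and shows why DescribeTags needs its own statement: with no resource ARN in its request context the ARN condition can never be true.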