IAM Policy - Allow an EC2 Instance To Only Modify its Own Tags

Posted on Wed 26 February 2020 in articles

This policy allows an EC2 instance to modify only its own tags. This is accomplished via the use of the profile variable ec2:SourceInstanceARN.

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Action": ["ec2:CreateTags", "ec2:DescribeTags"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ARN": "${ec2:SourceInstanceARN}"

Should an EC2 instance modify its own tags? Probably not a good practice most of the time. But when you need it, you really need it, and this gives you some safety around it, especially for when you have outside services using instances’ tags.