Level 300: IAM Tag Based Access Control for EC2


This hands-on lab will guide you through the steps to configure example AWS Identity and Access Management (IAM) policies and an AWS IAM role with associated permissions that use EC2 resource tags for access control. Tags are powerful because they help you scale your permission management. However, you need to be careful about how the tags themselves are managed, which you will learn in this lab. You will create a series of policies attached to a role that can be assumed by an individual such as an EC2 administrator. These policies allow the EC2 administrator to create tags when creating resources only if the tags match the requirements, and they control which existing resources and values the administrator can tag.
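The two tagging controls described above, sketched as an IAM policy document. This is an added example, not the lab's own policy; the tag keys `Team` and `Name` and the values `Alpha` and `Beta` are constructed for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TagOnCreateOnlyWithApprovedValues",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances",
          "aws:RequestTag/Team": ["Alpha", "Beta"]
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["Team", "Name"]
        }
      }
    },
    {
      "Sid": "RetagExistingTeamResourcesNameOnly",
      "Effect": "Allow",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Team": "Alpha"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": "Name"
        }
      }
    }
  ]
}
```

The second statement limits `aws:TagKeys` to `Name`, so the role cannot rewrite or delete the `Team` tag that the access decision depends on. The policy covers tagging only; permission to call `ec2:RunInstances` itself must be granted by a separate statement.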

The skills you learn will help you secure your workloads in alignment with the AWS Well-Architected Framework.


  • IAM least privilege
  • IAM policy conditions


  • An AWS account that you are able to use for testing, that is not used for production or other purposes.
  • An IAM user with MFA enabled that can assume roles in your AWS account.

NOTE: You will be billed for any applicable AWS resources used if you complete this lab that are not covered in the AWS Free Tier.


References & useful resources

  • AWS Identity and Access Management User Guide
  • IAM Best Practices and Use Cases
  • Become an IAM Policy Master in 60 Minutes or Less
  • Actions, Resources, and Condition Keys for Identity And Access Management