ec2:securitygroup Requesttag condition


So I wanted to create a security group, but only if it has a certain tag. I'm just getting unauthorized errors. It works if you remove the condition and just allow all resources and actions, but that's to be expected. Here is what I have noticed with regard to ec2:CreateSecurityGroup.

The security group action has two resources associated with it.

  • security-group/*
  • vpc/*

Now, looking at the documentation, AWS only allows the RequestTag condition with the security-group resource, not with the vpc resource. With that in mind, I went about it the same way I went about other actions within EC2, where I would allow the action with the resource and then add a NotResource statement right below it to allow all the other resources within the action to run. This has worked on all other EC2 actions except the security group one. When I looked at my decoded message, I saw the tag was not in the message. If I run it without the condition, it works and I do see the tag there.

Policy example (I removed everything but the security group statements):

{
  "Sid": "SG",
  "Effect": "Allow",
  "Action": "ec2:CreateSecurityGroup",
  "Resource": "arn:aws:ec2:*:*:security-group/*",
  "Condition": {
      "StringEquals": {
          "aws:RequestTag/Project": "test"
      }
  }
},
{
  "Sid": "NontaggingallowSG",
  "Action": "ec2:CreateSecurityGroup",
  "Effect": "Allow",
  "NotResource": "arn:aws:ec2:*:*:security-group/*"
}

Decoded message:

{
    "DecodedMessage": "{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"<id>:AWSCloudFormation\",
    \"arn\":\"arn:aws:sts::<aws-id>:assumed-role/<Role>/AWSCloudFormation\"},\"action\":\"CreateSecurityGroup\",
    \"resource\":\"arn:aws:ec2:<aws-region>:<aws-id>:security-group/*\",\"conditions\":{\"items\":[
    {\"key\":\"aws:Region\",\"values\":{\"items\":[{\"value\":\"<aws-region>\"}]}},
    {\"key\":\"aws:Service\",\"values\":{\"items\":[{\"value\":\"ec2\"}]}},
    {\"key\":\"aws:Resource\",\"values\":{\"items\":[{\"value\":\"security-group/*\"}]}},
    {\"key\":\"aws:Type\",\"values\":{\"items\":[{\"value\":\"security-group\"}]}},
    {\"key\":\"aws:Account\",\"values\":{\"items\":[{\"value\":\"<aws-id>\"}]}},
    {\"key\":\"aws:ARN\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:<aws-region>:<aws-id>:security-group/*\"}]}},
    {\"key\":\"ec2:SecurityGroupID\",\"values\":{\"items\":[{\"value\":\"*\"}]}}]}}}"
}

AWS documentation: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-actions-as-permissions

Similar question asked here: ec2:securitygroup tagging

AWS Response:

During investigation I reached out to CloudFormation team for clarification on how CloudFormation handles the creation of Security Groups with tags, and was informed that in your case the Security Group is created first, and then Tags are applied. Because tags are not applied at the time of creation, the resource fails when checking IAM policies that require specific tags. This is an issue with CloudFormation service, on how it behaves.

And hence you are correct to assume that CloudFormation tries to create the security group before creating the tag or checking for a tag.

Additionally, it was confirmed to me by the AWS CloudFormation team that this is a known issue, and they provided an existing internal feature request to change the behavior of CloudFormation so that it tags Security Groups at the time of resource creation. Kindly note that AWS takes customers' feedback very seriously, as this allows AWS to better prioritize new features/improvements down the road.

Please be assured that I will perform my due diligence in ensuring that your case is used as supporting evidence to invent this feature in the hopes of better prioritizing. Unfortunately, I won’t be able to provide you with an ETA on when this feature might be released as I have no visibility over that process and this will be completely handled by our CloudFormation service team. However, all of our new announcements and Feature Enhancements can be found in our What’s New page - https://aws.amazon.com/new and hence I would request you to please keep an eye on this page.
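To make the decoded message concrete, here is a small added evaluator (example code, not AWS's engine or the poster's own) that runs the two statements from the question against a constructed request context shaped like the decoded message, where CloudFormation supplies no aws:RequestTag key, and against a context that carries the tag. It models only Allow effects, Resource/NotResource matching and StringEquals, which is enough to reproduce the empty matchedStatements seen above; the ARNs and account id are placeholders.

```python
"""Minimal IAM-style evaluator for the two statements in the question.
Added example, not AWS code: it models only Allow, Resource/NotResource
globbing, StringEquals on aws:RequestTag, and implicit deny when nothing
matches. Real IAM evaluation has far more rules than this."""
import fnmatch

# The two statements from the question, with the JSON syntax errors fixed.
POLICY = [
    {"Sid": "SG", "Effect": "Allow", "Action": "ec2:CreateSecurityGroup",
     "Resource": "arn:aws:ec2:*:*:security-group/*",
     "Condition": {"StringEquals": {"aws:RequestTag/Project": "test"}}},
    {"Sid": "NontaggingallowSG", "Effect": "Allow",
     "Action": "ec2:CreateSecurityGroup",
     "NotResource": "arn:aws:ec2:*:*:security-group/*"},
]

def _resource_matches(stmt, resource):
    # Resource must glob-match; NotResource must NOT glob-match.
    if "Resource" in stmt:
        return fnmatch.fnmatchcase(resource, stmt["Resource"])
    return not fnmatch.fnmatchcase(resource, stmt["NotResource"])

def _condition_holds(stmt, context):
    # Only StringEquals is modelled. A key absent from the request context
    # (no aws:RequestTag/Project sent with the call) makes the test fail.
    for key, wanted in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != wanted:
            return False
    return True

def evaluate(policy, action, resource, context):
    """Return (allowed, matched_sids), mirroring the decoded message fields."""
    matched = [s["Sid"] for s in policy
               if s["Effect"] == "Allow" and s["Action"] == action
               and _resource_matches(s, resource) and _condition_holds(s, context)]
    return bool(matched), matched

# Constructed inputs (placeholder region/account). CFN_CONTEXT mirrors the
# decoded message: CloudFormation sends no aws:RequestTag keys because it
# creates the group first and tags it afterwards.
ACTION = "ec2:CreateSecurityGroup"
SG_ARN = "arn:aws:ec2:us-east-1:111122223333:security-group/*"
VPC_ARN = "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0123"
CFN_CONTEXT = {"aws:Service": "ec2", "aws:Type": "security-group"}
TAGGED_CONTEXT = {"aws:Service": "ec2", "aws:RequestTag/Project": "test"}

if __name__ == "__main__":
    for ctx in (CFN_CONTEXT, TAGGED_CONTEXT):
        print(evaluate(POLICY, ACTION, SG_ARN, ctx),
              evaluate(POLICY, ACTION, VPC_ARN, ctx))
```

The security-group resource with the CloudFormation context matches neither statement (the condition fails and NotResource excludes it), which is the implicit deny in the decoded message; the same call with the tag present in the request matches "SG".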
