
Enhance IAM Policy for Least Privilege by Restricting Tag Operations (Security-Focused Enhancement) #630

@nirajguru

Description

The current CloudFormation stack for Instance Scheduler on AWS grants the following permissions to the cross-account IAM role:

{
  "Action": [
    "ec2:StartInstances",
    "ec2:StopInstances",
    "ec2:CreateTags",
    "ec2:DeleteTags",
    "ec2:ModifyInstanceAttribute"
  ],
  "Effect": "Allow",
  "Resource": {
    "Fn::Sub": "arn:${AWS::Partition}:ec2:*:${AWS::AccountId}:instance/*"
  }
}

This policy allows unrestricted tag creation and deletion on EC2 instances, which raises security concerns because it enables modification of any tag key/value.


Proposed Change

Split the permissions into two statements:

1. Instance Control Permissions

{
  "Action": [
    "ec2:StartInstances",
    "ec2:StopInstances",
    "ec2:ModifyInstanceAttribute"
  ],
  "Effect": "Allow",
  "Resource": {
    "Fn::Sub": "arn:${AWS::Partition}:ec2:*:${AWS::AccountId}:instance/*"
  }
}

2. Restricted Tagging Permissions

{
  "Action": [
    "ec2:CreateTags",
    "ec2:DeleteTags"
  ],
  "Effect": "Allow",
  "Resource": {
    "Fn::Sub": "arn:${AWS::Partition}:ec2:*:${AWS::AccountId}:instance/*"
  },
  "Condition": {
    "ForAllValues:StringEquals": {
      "aws:TagKeys": [
        "InstanceScheduler-LastAction"
      ]
    },
    "Null": {
      "aws:TagKeys": "false"
    }
  }
}

The same IAM policy changes should be applied to Amazon RDS and Auto Scaling Groups (ASG) resources.

Rationale

  • Implements least privilege by restricting tag operations to the key InstanceScheduler-LastAction.
  • Prevents accidental or malicious modification of unrelated tags.
  • Aligns with AWS security best practices.

Impact

  • No functional impact on the scheduler logic since it only uses the InstanceScheduler-LastAction tag.
  • Improves security posture by reducing unnecessary permissions.

Security Note

This is a security-focused enhancement. While not an active exploit, unrestricted tag permissions can lead to privilege escalation or resource mismanagement if abused. Limiting tag operations to a specific key mitigates this risk.
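The condition block in the proposed tagging statement can be checked locally before it goes into the template. The following is an added example, not code from the Instance Scheduler project or from the issue author: a small evaluator for the IAM condition operators the proposal relies on (ForAllValues:StringEquals, ForAnyValue:StringEquals and Null), run against the proposed statement and a few constructed request contexts. The account ID, instance ARN and request contexts are assumed values. The last case is the one the Null operator exists for: ForAllValues is vacuously true for a request that carries no tag keys, and an ec2:DeleteTags call that omits its Tags parameter deletes all user-defined tags on the instance, so without the Null check that call would be allowed.

```python
"""Local check of the tag-key condition from the proposed IAM statement.

Added example, not Instance Scheduler code. Models only the operators used
by the proposal (plus ForAnyValue for contrast); no Deny, no policy merging.
"""
import json
from fnmatch import fnmatchcase

# Proposed statement with Fn::Sub resolved to literals (assumed account id).
POLICY_STATEMENT = {
    "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
    "Effect": "Allow",
    "Resource": "arn:aws:ec2:*:123456789012:instance/*",
    "Condition": {
        "ForAllValues:StringEquals": {"aws:TagKeys": ["InstanceScheduler-LastAction"]},
        "Null": {"aws:TagKeys": "false"},
    },
}

# Assumed target instance in the same account.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"


def _values(context, key):
    """Request-context values for a key as a list (aws:TagKeys is multivalued)."""
    v = context.get(key)
    if v is None:
        return []
    return list(v) if isinstance(v, (list, tuple, set)) else [v]


def evaluate_condition(condition, context):
    """Evaluate an IAM Condition block; every operator block must match (AND)."""
    for operator, block in condition.items():
        for key, allowed in block.items():
            allowed = allowed if isinstance(allowed, list) else [allowed]
            present = _values(context, key)
            if operator == "Null":
                # Null "true" matches when the key is absent, "false" when present.
                want_absent = str(allowed[0]).lower() == "true"
                if (len(present) == 0) != want_absent:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Every request value must be in the allowed set; an empty
                # request set matches vacuously (this is what Null guards).
                if not all(v in allowed for v in present):
                    return False
            elif operator == "ForAnyValue:StringEquals":
                if not any(v in allowed for v in present):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def is_allowed(statement, action, resource, context):
    """True if this single Allow statement permits action on resource."""
    if action not in statement["Action"]:
        return False
    patterns = statement["Resource"]
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if not any(fnmatchcase(resource, p) for p in patterns):
        return False
    return evaluate_condition(statement.get("Condition", {}), context)


# Constructed request contexts. For CreateTags/DeleteTags the EC2 service
# populates aws:TagKeys with the tag keys named in the call.
REQUESTS = {
    "scheduler_writes_own_tag": {"aws:TagKeys": ["InstanceScheduler-LastAction"]},
    "scheduler_also_touches_schedule": {
        "aws:TagKeys": ["InstanceScheduler-LastAction", "Schedule"]
    },
    "delete_unrelated_tag": {"aws:TagKeys": ["Owner"]},
    # DeleteTags with the Tags parameter omitted removes all user-defined
    # tags; the request then carries no aws:TagKeys at all.
    "delete_tags_with_no_keys": {},
}


def decisions(statement=POLICY_STATEMENT, action="ec2:DeleteTags"):
    """Map each constructed request to the allow/deny decision."""
    return {
        name: is_allowed(statement, action, INSTANCE_ARN, ctx)
        for name, ctx in REQUESTS.items()
    }


def without_null_condition():
    """Same statement minus the Null operator, to show why it is needed."""
    weakened = json.loads(json.dumps(POLICY_STATEMENT))
    del weakened["Condition"]["Null"]
    return decisions(weakened)


if __name__ == "__main__":
    print("proposed statement:", decisions())
    print("without Null:      ", without_null_condition())
```

The same request contexts can be replayed against the real engine with the IAM policy simulator (`simulate_custom_policy`, passing `aws:TagKeys` as a `stringList` context entry) once the statement is in the template; the local evaluator is only there to make the empty-set behaviour of ForAllValues visible.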
