IAM policy to restrict EC2 access based on tag

Apr 30 2022 5:54 AM

I tried to restrict access to EC2 instances with the following IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Purpose": "devops-training"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeImages",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:CreateSecurityGroup",
        "ec2:DescribeSecurityGroups",
        "ec2:CreateTags",
        "ec2:DescribeTags"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ap-southeast-2"
        }
      }
    }
  ]
}

But I cannot stop or start instances. I cannot find the mistake in the above policy. I can launch a new instance. I added a tag Purpose with value "devops-training". But still I cannot stop/start instances.
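As an added example (not from the original post), the Python below is a simplified model of how IAM resolves the aws:RequestTag and aws:ResourceTag condition keys; the request contexts are constructed for illustration and the code does not reproduce the real IAM engine. It shows why a StopInstances call, which carries no tags in the request, fails the posted aws:RequestTag condition but passes a condition on the tag already attached to the instance.

```python
# Added example (not from the original post): a simplified model of how IAM resolves
# aws:RequestTag vs aws:ResourceTag, showing why StopInstances is implicitly denied.
# Real IAM evaluation has many more rules; only StringEquals on the two tag keys is modelled.

# Condition from the question's first statement (as posted).
ORIGINAL_CONDITION = {"StringEquals": {"aws:RequestTag/Purpose": "devops-training"}}
# Corrected condition: match the tag already on the instance, not a tag in the request.
CORRECTED_CONDITION = {"StringEquals": {"aws:ResourceTag/Purpose": "devops-training"}}

# Constructed request contexts (not real AWS data).
# StopInstances carries no tags in the request, so aws:RequestTag/* is never present.
STOP_INSTANCE_CTX = {
    "action": "ec2:StopInstances",
    "request_tags": {},
    "resource_tags": {"Purpose": "devops-training"},
}
# RunInstances with a tag specification does populate aws:RequestTag/*,
# but the instance does not exist yet, so aws:ResourceTag/* is empty.
RUN_INSTANCE_CTX = {
    "action": "ec2:RunInstances",
    "request_tags": {"Purpose": "devops-training"},
    "resource_tags": {},
}


def resolve_key(key: str, ctx: dict):
    """Return the value of a condition key for this request, or None if absent."""
    if key.startswith("aws:RequestTag/"):
        return ctx["request_tags"].get(key.split("/", 1)[1])
    if key.startswith("aws:ResourceTag/"):
        return ctx["resource_tags"].get(key.split("/", 1)[1])
    return ctx.get(key)


def condition_matches(condition: dict, ctx: dict) -> bool:
    """StringEquals only; a key missing from the context makes the condition false."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if resolve_key(key, ctx) != expected:
                return False
    return True


def decision(condition: dict, ctx: dict) -> str:
    """Allow if the statement's condition holds, otherwise IAM's implicit deny."""
    return "Allow" if condition_matches(condition, ctx) else "ImplicitDeny"


if __name__ == "__main__":
    for name, cond in (("RequestTag (as posted)", ORIGINAL_CONDITION),
                       ("ResourceTag (corrected)", CORRECTED_CONDITION)):
        print(f"{name}: Stop={decision(cond, STOP_INSTANCE_CTX)} "
              f"Run={decision(cond, RUN_INSTANCE_CTX)}")
```

The same split applies to the posted policy's second statement: RunInstances and CreateTags are the calls where aws:RequestTag is meaningful, while Start, Stop, Reboot and Terminate need aws:ResourceTag.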