
Give an instance only access to tag itself?

Looking at this post, this guy used a policy (applied to a role) to let an instance tag itself.

I want EXACTLY the same thing. I could use this policy, but it would be nice if the instance could only tag itself and not other instances.

I can't use ${ec2:SourceInstanceARN} as the resource, so I'm trying to use a condition that matches the ARN that policy variable evaluates to.

This policy won't validate (Syntax errors in policy):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DescribeTags",
                "ec2:DescribeInstances"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ],
            "Condition": {
                "ArnEquals": {
                    "ec2:SourceInstanceARN": "${ec2:SourceInstanceARN}"
                }
            }
        }
    ]
}
red888 asked Nov 09 '16 17:11


2 Answers

For an EC2 self-action-only policy, you can go off of this. We utilize it for hosts to only be able to self-terminate, self-tag, etc.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SelfTaggingOnly",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DescribeTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ARN": "${ec2:SourceInstanceARN}"
                }
            }
        }
    ]
}

I wrote a small PowerShell test validation to confirm. It attempts to self-tag, remove the tag, then attempts to tag a host that exists strictly for validating the attempts of EC2 actions outside the realm of "self". In the output of my validation below, the first run utilizes the policy above; for the second run I removed the condition.

With the above policy in place:

Create Tags for self: PASS!
Remove Tags from self: PASS!
Unable to modify another instance's tags: PASS!
You are not authorized to perform this operation. Encoded authorization failure message: b9KG8BIyxQs~truncated_encoded_output~

Removed the condition:

Create Tags for self: PASS!
Remove Tags from self: PASS!
Validation falure! I am able to modify other instance's tags!
BMac answered Nov 14 '22 08:11
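The three-step validation the answer describes, re-created here as an added example with the AWS Tools for PowerShell (this is not the answerer's own script). It assumes the AWS.Tools.EC2 module is installed, that it runs on an instance whose role carries the policy above, and that $OtherInstanceId names a separate canary instance used only to confirm that tagging anything other than self is denied.

```powershell
# Added example: validate that an instance role can tag only the instance itself.
# Assumes AWS.Tools.EC2 is installed and the script runs on the instance under test.
param(
    [Parameter(Mandatory)][string]$OtherInstanceId,   # placeholder, e.g. i-0123456789abcdef0
    [string]$Region = 'us-east-1'
)

Import-Module AWS.Tools.EC2
Set-DefaultAWSRegion -Region $Region

# Read "self" from the instance metadata service instead of hard-coding an ID.
$selfId = Get-EC2InstanceMetadata -Category InstanceId
$tag    = @{ Key = 'SelfTagValidation'; Value = (Get-Date -Format 'o') }

function Test-Step([string]$Name, [scriptblock]$Action, [bool]$ExpectDenied) {
    # A step passes when the API outcome (allowed or denied) matches what the policy should produce.
    try {
        & $Action
        $denied = $false
    } catch {
        # An IAM deny surfaces as UnauthorizedOperation; any other error is a real failure.
        $denied = $_.Exception.Message -match 'UnauthorizedOperation|not authorized'
        if (-not $denied) { throw }
    }
    $ok = ($denied -eq $ExpectDenied)
    Write-Host ('{0}: {1}' -f $Name, $(if ($ok) { 'PASS!' } else { 'Validation failure!' }))
    return $ok
}

$results = @(
    (Test-Step 'Create Tags for self'  { New-EC2Tag    -Resource $selfId -Tag $tag }        $false),
    (Test-Step 'Remove Tags from self' { Remove-EC2Tag -Resource $selfId -Tag $tag -Force } $false),
    (Test-Step "Unable to modify another instance's tags" { New-EC2Tag -Resource $OtherInstanceId -Tag $tag } $true)
)

# Non-zero exit lets this run as a post-deploy check for the policy.
if ($results -contains $false) { exit 1 }
```

Run it twice, once with the Condition block in place and once without, to reproduce the two outputs shown in the answer.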


You cannot limit the DescribeTags call to the instance itself using "ec2:SourceInstanceARN":

(Image: AWS IAM policy visual editor showing that this condition key cannot be applied)

On https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html#amazonec2-policy-keys, DescribeTags does not show any Resource to limit, so I'll bet that you cannot restrict that API call to any resource.

tinproject answered Nov 14 '22 07:11