Two problems with doing this: 1. If you provide an EC2 Role which allows setting...

jen20 · on May 22, 2021

It’s worse than that with respect to (1): any process on _any_ instance which has tag setting permissions can set the tag for _any other_ instance, since conditions don’t support scoping to instance ID.

Re (2) technically you cannot have any roles attached directly, but instead attach an instance profile (the distinction is clearer via the API than the console). The shape of the API for an instance profile clearly was designed to support multiple roles, but in practice is limited to one. It’s typical to create a role with many policies attached for each functional type of instance, so in practice it does’t matter too much.

klohto · on May 22, 2021

1) CreateTags does support scoping using StringEquals with ec2:SourceInstanceARN and comparing that with the aws:arn

  "aws:ARN": "${ec2:SourceInstanceARN}"

It will give you a warning when creating through web console, but the condition works.

jen20 · on May 22, 2021

TIL - thanks for the heads up. Is this a documented substitution?

klohto · on May 22, 2021

I don't think so... I have been trying to find it for a few years now, but it just won't turn up anywhere.

FYI, I personally use resource tags as well on top this, just to limit the scope (in case it magically disappears one day).

paulddraper · on May 23, 2021

> any process on the instance which can access the Instance Metadata Store can record a different SSH fingerprint.

A security issue really only if the process is able to pair it with a MITM attack.

> You can only have EC2 Role attached at once.

Yes, so attach this policy to that IAM role.

klohto · on May 22, 2021

1. You can limit access to IMS to certain processes inside linux 2. Just combine the policies

If you’re worried about malicious processes on the EC2 altering the fingerprint, you got bigger issues. You can also sign the fingerprint with gpg.