
AWS CDK Policy condition for tagged resources

I'm currently creating an AWS stack with CDK. I defined a policy for the user that deploys the stack to have the correct permissions. In CDK I tag my resources with:

// CDK v1 style imports (the stack file path is assumed; adjust to your project)
import * as cdk from '@aws-cdk/core';
import { MyTemplateStack } from './my-template-stack';

const app = new cdk.App();
const scheme = new MyTemplateStack(app, 'MyTemplateStack');

// Apply the Team tag to the stack and every taggable resource inside it
cdk.Tag.add(scheme, 'Team', 'myTeamName');

app.synth();

I want to use the conditional policy to allow my user to have the permissions to only modify or delete the resources that are tagged with the correct team.

So here is an example of policy that I need to deploy my stack with the condition:

        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "VisualEditor0",
                    "Effect": "Allow",
                    "Action": "ec2:RevokeSecurityGroupIngress",
                    "Resource": "*",
                    "Condition": {
                        "StringEquals": {
                            "ec2:ResourceTag/Team": "myTeamName"
                        }
                    }
                }
            ]
        }

But when I try to deploy my stack again, I get the following error saying that I'm not authorized:

API: ec2:RevokeSecurityGroupEgress You are not authorized to perform this operation

I've been through the documentation but I don't understand why that doesn't work.

Thanks for helping!

It looks to me that you are allowing ec2:RevokeSecurityGroupIngress, however trying to invoke the ec2:RevokeSecurityGroupEgress operation. Could you verify and confirm?
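As an added example (not part of the original question or answer, and not AWS's own policy engine), the following Python script models the question's statement with a simplified IAM evaluator: it shows that ec2:RevokeSecurityGroupEgress is not granted, that the tag condition rejects a resource tagged with another team, and that listing both Revoke actions under the same condition closes the gap. The list of actions the deploy makes and the corrected Sid are assumptions.

```python
import fnmatch

# Constructed sample policies. The first wraps the statement from the
# question in a full policy document; the second also lists the Egress
# call that the failed deploy actually invoked.
TEAM_CONDITION = {"StringEquals": {"ec2:ResourceTag/Team": "myTeamName"}}

POLICY_FROM_QUESTION = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": "ec2:RevokeSecurityGroupIngress", "Resource": "*",
    "Condition": TEAM_CONDITION}]}

CORRECTED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "RevokeRulesOnTeamSecurityGroups", "Effect": "Allow",  # Sid assumed
    "Action": ["ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress"],
    "Resource": "*", "Condition": TEAM_CONDITION}]}

# Constructed list of calls a deploy of this stack is assumed to make.
DEPLOY_ACTIONS = ["ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(action, pattern):
    # IAM matches action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action, resource_tags):
    """Simplified evaluator: Allow statements only, StringEquals on
    ec2:ResourceTag/<key>. Not full IAM semantics (no Deny, no NotAction,
    no other operators), but enough to show why an action that is not
    named in any statement yields a 'not authorized' error."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_matches(action, p) for p in _as_list(stmt["Action"])):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if all(k.startswith("ec2:ResourceTag/")
               and resource_tags.get(k[len("ec2:ResourceTag/"):]) in _as_list(v)
               for k, v in equals.items()):
            return True
    return False


def uncovered_actions(policy, actions, resource_tags):
    """Actions no Allow statement grants on a resource carrying resource_tags;
    run this against the stack's call list before deploying."""
    return [a for a in actions if not is_allowed(policy, a, resource_tags)]
```

Running `uncovered_actions(POLICY_FROM_QUESTION, DEPLOY_ACTIONS, {"Team": "myTeamName"})` returns the single missing action from the error message, while the corrected policy returns an empty list.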
