To control user access to EC2 instances via AWS Systems Manager Session Manager based on tags, a two-step IAM configuration is required. First, an IAM policy must be created that explicitly grants the ssm:StartSession permission. This policy must include a Condition element that restricts the permission to only those EC2 instances matching a specific tag key and value. Second, this newly created IAM policy must be attached to the IAM users or groups that require this specific level of access. This combination ensures that only authorized users can initiate sessions and only on the intended, tagged instances.

B. An IAM role is attached to an EC2 instance to grant the instance permissions to other AWS services, not to control user access to the instance.

C. Placement groups are used to influence the physical placement of EC2 instances for performance or fault tolerance, not for managing access control.

D. "Service account" is not the standard AWS term for this context; the equivalent is an IAM role, which, as explained for option B, is incorrect for this use case.

1. AWS Systems Manager User Guide: Under "Limiting access to sessions using IAM policies

" the documentation states

"You can provide users with access to start sessions on managed nodes and limit that access based on tags that have been applied to the nodes... After you create an IAM policy... you can attach the policy to an IAM user

group

or role." This supports both creating a conditional policy (E) and attaching it to a principal (A).

Source: AWS Systems Manager User Guide

Section: "Limiting access to sessions using IAM policies".

2. AWS Identity and Access Management User Guide: This guide details how to use Condition elements in IAM policies to control access based on tags. It provides the syntax and logic for using condition keys like aws:ResourceTag to match tags on a resource. The example policy for Session Manager uses a condition key ssm:resourceTag/tag-key to achieve this.

Source: AWS Identity and Access Management User Guide

Section: "Controlling access to AWS resources using tags".

3. AWS Systems Manager User Guide: The documentation provides a specific example of an IAM policy that grants permission to start a session on any instance tagged with Finance for the Department key. This policy must then be attached to an IAM principal (user or group).

Source: AWS Systems Manager User Guide

Section: "Example 3: Limiting access to managed nodes based on tags".