How to restrict AWS SSM access by EC2 tag

https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html#awssystemsmanager-policy-keys

I cant find an answer that clears this up for me

Im looking at this example: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-examples.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringLike": {
                    "ssm:resourceTag/Finance": [
                        "WebServers"
                    ]
                }
            }
        }
    ]
}

what is the difference between aws:TagKeys, ssm:resourceTag/tag-key, aws:ResourceTag/${TagKey}

what is ssm:resourceTag? is it different than aws:ResourceTag/${TagKey}? Is it a special tag applied by systems manager? i dont use systems manager to apply tags to ec2 instances, I just tag them manually. How do I restrict session manager access to my ec2 instances via tags I have manually applied to them?

Solution 1:

As the document says its EC2 instance tag, and I have tried this, it works, btw maybe you should enable the SSM agent to dig instance information into SSM, where you should able to see instance info such as instance tag within AWS Systems Manager -> Fleet Manager -> Instance ID: XXX.

As I was working to filter use access by instance tags, after enable inventory in SSM then it works.