AWS IAM Policy to Enforce Tagging
Is there a way to enforce tagging while creating EC2 instances? I.e. a user cannot launch an instance without certain tags. And can I use those tags to give control over a particular instance depending on the tag?

Foehn answered 24/1, 2018 at 16:4 Comment(1)
You can do this. Refer to this document: aws.amazon.com/premiumsupport/knowledge-center/…. Basically, use the Condition parameter. (Ind)

I had a similar use case while I was working for a customer. The answer is yes, you can!

You can force users to apply specific tags with IAM policies.

For example, you can attach a policy to a user/role (preferably a role) that denies the ec2:RunInstances action with a condition that checks whether a tag key and value are not what you are expecting. It can be a bit confusing, as this policy uses a double negation (Deny and StringNotLike), but I believe it's easier to enforce tagging that way, as you can add this policy to a role that has the Administrator policy and it still works.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ConditionalEC2creationName",
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringNotLike": {
                        "aws:RequestTag/Name": "*"
                    }
                }
            },
            {
                "Sid": "ConditionalEC2creationEnv",
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringNotLike": {
                        "aws:RequestTag/Env": "*"
                    }
                }
            }
        ]
    }

Unfortunately I couldn't make it work in a single block because I didn't have time to optimise it. I think it has to do with ForAllValues / ForAnyValue.

ForAllValues – The condition returns true if there's a match between every one of the specified key values in the request and at least one value in the policy. It also returns true if there is no matching key in the request, or if the key values resolve to an empty data set, such as an empty string.

ForAnyValue – The condition returns true if any one of the key values in the request matches any one of the condition values in the policy. For no matching key or an empty data set, the condition returns false.

Exodontist answered 28/9, 2018 at 21:46 Comment(2)
Thank you, this is exactly what I was looking for. However, I have 2 questions: why can't I just include all the tags in one StringNotLike statement? When I tested the policy, I found that I can have tag "Env" or "env" and it will still go through; how can I make the capitalization compulsory? (Gracious)
You can create a tagging policy from the Organizations menu in the AWS console. There you can set the format of your required tags. After that, if you create an instance with a tag key "env" where the tagging policy states that the tag is "Env", then it will fail with an appropriate message. docs.aws.amazon.com/organizations/latest/userguide/… (Exodontist)

You can achieve this using Amazon Config.

Select Rules -> Add Rule -> required tag

You won't prevent someone from creating an instance without a tag, but you will be able to see it flagged in the Config dashboard, or you can trigger an SNS action to notify you via email.

Mccollum answered 24/1, 2018 at 16:13 Comment(1)
You can do it through IAM. (Ind)

Yes, you have to use the "ec2:CreateAction" condition to limit tag creation to the time the resource (instance/volume) is created, and the "aws:RequestTag" condition to control which tag key-value is required to create the resource.

There are example policies here, and for more information, please refer to the blog.

Tanager answered 24/1, 2018 at 21:45 Comment(0)
Yes, it is very much possible for EC2 creation with an option to choose from the tag values. Give it a try:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringNotLike": {
                        "aws:RequestTag/Env": [
                            "Dev",
                            "Prod"
                        ]
                    }
                }
            }
        ]
    }
Ultramicroscopic answered 22/7, 2020 at 7:13 Comment(0)
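To see why the accepted answer needs one Deny statement per required tag, and why a lower-case "env" key slips through while a lower-case "prod" value does not, here is a small offline evaluator (added example, not code from any answer above). It models the documented IAM rules the answers rely on: a negated operator such as StringNotLike evaluates to true when the condition key is absent from the request, all keys under one operator block must be true (AND), condition key names are case-insensitive, and StringNotLike values are case-sensitive with `*`/`?` wildcards. The policies inside are constructed from the two-statement answer and the Dev/Prod answer.

```python
import fnmatch
from typing import Dict, List


def _deny(sid: str, condition: Dict) -> Dict:
    """Build one Deny statement for ec2:RunInstances (helper for the constructed samples)."""
    return {"Sid": sid, "Effect": "Deny", "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": condition}


# Constructed sample policies. TWO_STATEMENTS mirrors the separate Deny blocks
# from the accepted answer (Env values taken from the Dev/Prod answer);
# ONE_STATEMENT is the merged form that the answer could not get to work.
TWO_STATEMENTS = {"Version": "2012-10-17", "Statement": [
    _deny("ConditionalEC2creationName", {"StringNotLike": {"aws:RequestTag/Name": "*"}}),
    _deny("ConditionalEC2creationEnv", {"StringNotLike": {"aws:RequestTag/Env": ["Dev", "Prod"]}}),
]}
ONE_STATEMENT = {"Version": "2012-10-17", "Statement": [
    _deny("Merged", {"StringNotLike": {"aws:RequestTag/Name": "*",
                                       "aws:RequestTag/Env": ["Dev", "Prod"]}}),
]}


def _string_not_like(ctx: Dict[str, str], key: str, patterns) -> bool:
    """IAM StringNotLike: true when the key is absent from the request (negated
    operator) or when the request value matches none of the patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    value = ctx.get(key.lower())  # condition key names are case-insensitive
    if value is None:
        return True
    return not any(fnmatch.fnmatchcase(value, p) for p in patterns)  # values are case-sensitive


def _condition_true(condition: Dict, ctx: Dict[str, str]) -> bool:
    # Every key under an operator block must be true (AND); only StringNotLike is modelled.
    for operator, keys in condition.items():
        if operator != "StringNotLike":
            raise NotImplementedError(f"operator {operator} not modelled")
        if not all(_string_not_like(ctx, k, v) for k, v in keys.items()):
            return False
    return True


def denying_sids(policy: Dict, tags: Dict[str, str]) -> List[str]:
    """Sids of the Deny statements that fire for ec2:RunInstances with these request tags."""
    ctx = {f"aws:requesttag/{k.lower()}": v for k, v in tags.items()}
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny" and s["Action"] == "ec2:RunInstances"
            and _condition_true(s["Condition"], ctx)]


if __name__ == "__main__":
    for tags in ({"Name": "web-1", "Env": "Prod"}, {"Env": "Prod"}, {"Name": "web-1", "env": "prod"}):
        print(tags, "two:", denying_sids(TWO_STATEMENTS, tags), "one:", denying_sids(ONE_STATEMENT, tags))
```

Run with a request that carries only Env and the merged statement fires nothing, because its Name and Env keys are AND-ed, while the two-statement policy denies on the missing Name; to make the key's capitalization compulsory you need something outside IAM conditions, such as the Organizations tag policy mentioned in the comments.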