问题
Is there a way to enforce tagging while creating EC2-Instances? I,e user cannot launch an instance without certain tags. And can I use that tags to give control to particular instance depending on the tag?
回答1:
Yes, you have to use the "ec2:CreateAction" condition to limit the tag creating while creating the resource (instance/volume) and "aws:RequestTag" condition to control which tag key-value is required to create the resource.
There are example policies here and for more information, please refer the blog.
回答2:
You can achieve this using Amazon Config.
Select Rules -> Add Rule -> required tag
You won't prevent someone from creating an instance without a tag, but you will be able to see it flagged in the Config dashboard, or you can trigger a SNS action to notify you via email.
回答3:
I had a similar use case while I was working for a customer. The answer is yes you can !
You can enforce users to apply specific tags with IAM Policies.
For example you can attach a policy to a user/role (preferably role) that denies the ec2:RunInstances action with a condition that checks if a tag Key and Value are not what you are expecting. It can be a bit confusing as this policy uses double negation, Deny and StringNotLike but I believe its easier to enforce tagging that way as you can add this policy to a role that has the Administrator policy and still work.
{
"Sid": "ConditionalEC2creationName",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringNotLike": {
"aws:RequestTag/Name": "*"
}
}
},
{
"Sid": "ConditionalEC2creationEnv",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringNotLike": {
"aws:RequestTag/Env": "*"
}
}
}
Unfortunately i couldn't make it work in a single block because I didn't have time to optimise it. I think it has to do with ForAllValues, ForAnyValue.
ForAllValues – The condition returns true if there's a match between every one of the specified key values in the request and at least one value in the policy. It also returns true if there is no matching key in the request, or if the key values resolve to an empty data set, such as an empty string.
ForAnyValue – The condition returns true if any one of the key values in the request matches any one of the condition values in the policy. For no matching key or an empty data set, the condition returns false.
来源:https://stackoverflow.com/questions/48426761/aws-iam-policy-to-enforce-tagging