问题
Can we enforce tagging in AWS while creating a resource so that the resource will not be created unless a tag is given manually to the resource while creating?
回答1:
Short Answer: Cannot enforce through policies for All resources.
There are many resources which support tagging in AWS.
But only if you use CLI/API tags are widely supported during creation time. eg: RDS creation from API/CLI you can specify tags during creation. But from console, you can only add tags to instance after it is created from Console.
But for EC2 and EBS you can control through policies as specified here
{
"Sid": "AllowLaunchOnlyWithRequiredTags1",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
"Condition": {
"Null": {"aws:RequestTag/dept": "true"}
} }, {
"Sid": "AllowLaunchOnlyWithRequiredTags2",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
"Condition": {
"Null": {"aws:RequestTag/projectCode": "true"}
} }
The above Condition is not supported by all resources, though they support tags. So, It seems like an inconsistency for now.
来源:https://stackoverflow.com/questions/51637920/enforcing-tagging-for-resources-in-aws