Reputation: 1456
I have an IAM policy that denies EC2 RunInstances if it doesn't also include 4 required tags.
Our model is user > group > STS Assume Roles. All EC2 provisioning is done by a number of roles.
Do I have to manually attach this policy to each role, or does AWS support a global policy feature? What's the easiest way to deploy this IAM policy to be global across all our accounts?
Upvotes: 2
Views: 895
Reputation: 9353
Use AWS Organizations.
'My Organization' is an option on the account drop-down within the console. From there it is straightforward to add a global policy. Add your JSON template to deny access to the ec2:RunInstances permission with conditions on the ec2:ResourceTag.
The Deny policy will take precedence over any allow policies you specify in the account roles.
Upvotes: 4
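As an added example (not code from the question or the answer above), the following Python builds the kind of Organizations service control policy the answer describes and evaluates its condition logic locally, so you can see which requests it would deny before attaching it. It assumes four placeholder tag keys (constructed; the question does not name its tags) and uses `aws:RequestTag/<key>` condition keys, which are what apply to tags supplied in the RunInstances call itself (`ec2:ResourceTag` matches tags already on an existing resource). One Deny statement per tag is generated because keys inside a single `Null` block are ANDed.

```python
"""Build an AWS Organizations SCP that denies ec2:RunInstances unless every
required tag is present in the request, and evaluate the Null condition locally.

Added example; the four tag keys below are constructed placeholders, not values
from the original question.
"""
import json

# Constructed placeholder tag keys; replace with the organisation's own required tags.
REQUIRED_TAGS = ["CostCenter", "Owner", "Environment", "Application"]

# Resources that RunInstances creates and that can be tagged in the same call.
# Both are listed so a request that tags only the instance (not its volumes)
# is still denied; callers must pass TagSpecifications for both resource types.
RUN_INSTANCES_RESOURCES = [
    "arn:aws:ec2:*:*:instance/*",
    "arn:aws:ec2:*:*:volume/*",
]


def build_scp(required_tags):
    """Return the SCP document as a dict.

    One Deny statement per tag: the Null operator with value "true" matches when
    the condition key is absent from the request. Keys inside one Null block are
    ANDed, so a single statement listing all four keys would only deny when
    *every* tag is missing; a statement per key denies when *any* is missing.
    """
    statements = []
    for tag in required_tags:
        statements.append({
            "Sid": f"DenyRunInstancesWithout{tag}Tag",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": RUN_INSTANCES_RESOURCES,
            "Condition": {"Null": {f"aws:RequestTag/{tag}": "true"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def missing_required_tags(request_tags, required_tags=REQUIRED_TAGS):
    """Return the required tag keys absent from the tags supplied with the request."""
    return [tag for tag in required_tags if tag not in request_tags]


def would_be_denied(request_tags, required_tags=REQUIRED_TAGS):
    """Mirror the SCP's evaluation: the request is denied if any Deny statement's
    Null condition matches, i.e. if any required tag key is absent. An explicit
    Deny in an SCP wins over every Allow attached to the account's roles."""
    return bool(missing_required_tags(request_tags, required_tags))


if __name__ == "__main__":
    print(json.dumps(build_scp(REQUIRED_TAGS), indent=2))
    # Constructed sample requests (tag key -> value as sent in TagSpecifications)
    compliant = {"CostCenter": "1234", "Owner": "platform",
                 "Environment": "prod", "Application": "web"}
    partial = {"CostCenter": "1234", "Owner": "platform"}
    for name, tags in [("compliant", compliant), ("partial", partial), ("untagged", {})]:
        verdict = "denied" if would_be_denied(tags) else "allowed"
        print(f"{name}: {verdict}, missing={missing_required_tags(tags)}")
```

Save the printed JSON and attach it once at the organization root (or to an OU) rather than to each role; it then constrains every role in every member account beneath that point. Two caveats worth checking before rollout: SCPs never restrict the organization's management account, and an SCP only ever removes permissions, so each role still needs its own Allow for `ec2:RunInstances` and `ec2:CreateTags` for a compliant launch to succeed.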