Reputation: 77
I'm trying to find a way to add default tags when someone on the account tries to create an EC2 instance. Right now I have set up rules which only monitor whether the tags have been created.
I need something so that when an instance is created they must fill in the tag and then can go on to launch the instance. Is this possible? If so, how?
I have searched online and there hasn't been anything which does exactly what I want.
I had a look at: https://aws.amazon.com/blogs/aws/new-tag-ec2-instances-ebs-volumes-on-creation/
I then made a policy (below) but it still didn't work.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateTaggedVolumes",
            "Effect": "Allow",
            "Action": "ec2:CreateVolume",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Name": "",
                    "aws:RequestTag/Owner": "",
                    "aws:RequestTag/Project": "",
                    "aws:RequestTag/Schedule": ""
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "Name",
                        "Owner",
                        "Project",
                        "Schedule"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "CreateVolume"
                }
            }
        }
    ]
}
Upvotes: 3
Views: 1753
Reputation: 600
I have simulated the same scenario using the policy code below. The following example policy allows a user to launch an EC2 instance and create an EBS volume only if the user applies all the tags that are defined in the policy using the qualifier ForAllValues (Key1 & Key2). If the user applies any tag that is not included in the policy, the action is denied.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowToDescribeAll",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowRunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*"
            ]
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/key1": "value1",
                    "aws:RequestTag/key2": "value2"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "key1",
                        "key2"
                    ]
                }
            }
        },
        {
            "Sid": "AllowCreateTagsOnlyLaunching",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}
[Image: No Tags Added]
[Image: Required Tags Added]
Upvotes: 2
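As an added illustration (not part of the question or this answer, and not AWS code), the Python below models the two condition operators that both policies on this page rely on: StringEquals on aws:RequestTag/<key> and ForAllValues:StringEquals on aws:TagKeys. It reproduces only the documented semantics of those two operators (a missing request tag makes StringEquals false; ForAllValues passes vacuously when the request has no tags) and ignores resource matching, so it is a way to reason about the Condition blocks offline rather than a substitute for the IAM policy simulator. The policy fragments inside it are constructed, reduced copies of the asker's statement and of the key1/key2 statement above.

```python
"""Offline model of two IAM condition operators used in the policies on this
page.  Added example, not AWS code: it implements only StringEquals on
aws:RequestTag/<key> and ForAllValues:StringEquals on aws:TagKeys, and skips
Resource matching entirely."""
from typing import Dict, List

REQUEST_TAG_PREFIX = "aws:RequestTag/"

# Constructed, reduced copies of the two policies above (two tag keys each).
ASKER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCreateTaggedVolumes",
        "Effect": "Allow",
        "Action": "ec2:CreateVolume",
        "Resource": "*",
        "Condition": {
            "StringEquals": {"aws:RequestTag/Name": "", "aws:RequestTag/Owner": ""},
            "ForAllValues:StringEquals": {"aws:TagKeys": ["Name", "Owner"]},
        },
    }],
}
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowRunInstancesWithRestrictions",
        "Effect": "Allow",
        "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
        "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
        "Condition": {
            "StringEquals": {"aws:RequestTag/key1": "value1", "aws:RequestTag/key2": "value2"},
            "ForAllValues:StringEquals": {"aws:TagKeys": ["key1", "key2"]},
        },
    }],
}


def string_equals(block: Dict[str, str], request_tags: Dict[str, str]) -> bool:
    """Every aws:RequestTag/<key> in the block must be present on the request
    with exactly the listed value.  A tag absent from the request makes the
    condition false, and an empty policy value only matches an empty tag value."""
    for context_key, expected in block.items():
        if not context_key.startswith(REQUEST_TAG_PREFIX):
            raise ValueError(f"model only handles {REQUEST_TAG_PREFIX}*: {context_key}")
        tag_key = context_key[len(REQUEST_TAG_PREFIX):]
        if tag_key not in request_tags or request_tags[tag_key] != expected:
            return False
    return True


def for_all_values_string_equals(block: Dict[str, List[str]],
                                 request_tags: Dict[str, str]) -> bool:
    """Every tag key on the request must appear in aws:TagKeys.  A request with
    no tags passes vacuously, so this operator alone cannot *require* tags."""
    allowed = set(block.get("aws:TagKeys", []))
    return all(key in allowed for key in request_tags)


OPERATORS = {
    "StringEquals": string_equals,
    "ForAllValues:StringEquals": for_all_values_string_equals,
}


def condition_matches(condition: Dict, request_tags: Dict[str, str]) -> bool:
    """All operator blocks inside one Condition element are ANDed together."""
    for operator, block in condition.items():
        if operator not in OPERATORS:
            raise ValueError(f"unsupported operator in this model: {operator}")
        if not OPERATORS[operator](block, request_tags):
            return False
    return True


def allowing_statements(policy: Dict, action: str, request_tags: Dict[str, str]) -> List[str]:
    """Sids of Allow statements whose Action covers `action` and whose Condition
    matches the request's tags (Resource matching is out of scope here)."""
    sids = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt.get("Effect") != "Allow" or action not in actions:
            continue
        if condition_matches(stmt.get("Condition", {}), request_tags):
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


if __name__ == "__main__":
    # Constructed requests: what a console or CLI launch would carry as tags.
    cases = [
        (ANSWER_POLICY, "ec2:RunInstances", {"key1": "value1", "key2": "value2"}),
        (ANSWER_POLICY, "ec2:RunInstances", {}),
        (ANSWER_POLICY, "ec2:RunInstances", {"key1": "value1", "key2": "value2", "Name": "web"}),
        (ASKER_POLICY, "ec2:CreateVolume", {"Name": "web", "Owner": "alice"}),
        (ASKER_POLICY, "ec2:CreateVolume", {"Name": "", "Owner": ""}),
    ]
    for policy, action, tags in cases:
        print(action, tags, "->", allowing_statements(policy, action, tags) or "no match")
```

Running it shows that the key1/key2 statement only matches when exactly those two tags are present with the stated values (an extra tag such as Name fails the ForAllValues check, and no tags at all fails StringEquals), while a statement written with empty-string values matches only a request whose tag values are themselves empty.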
Reputation:
You could look at setting up AWS Config to do this for you; here is the link to the Config page which highlights a rule that might actually work for you:
https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html
This page shows you the resources that are supported, and this rule is an AWS managed one, which means it should work with a simple config and the click of a button.
Upvotes: 0