Rick Venuto

Reputation: 39

Enforce tag creation for EC2

I have been trying to create a policy that will not allow an EC2 instance to be created unless it has a Project tag. Here is what I have now, and all I get is "ec2:RunInstances You are not authorized to perform this operation", even when I have the Project tag.

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "RunCloudFormation",
          "Effect": "Allow",
          "Action": [
              "cloudformation:*"
          ],
          "Resource": [
              "*"
          ]
      },
      {
          "Sid": "CreateEC2Instances",
          "Effect": "Allow",
          "Action": [
              "ec2:Describe*",
              "ec2:CreateSecurityGroup",
              "ec2:AuthorizeSecurityGroupIngress",
              "ec2:CreateTags",
              "ec2:RunInstances"
          ],
          "Resource": "*"
      },
      {
          "Sid": "LaunchingEC2withAMIsAndTags",
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:*:*:instance/*",
          "Condition": {
              "StringLike": {
                  "aws:RequestTag/Project": "?*"
              }
          }
      }
  ]
}

Here is a snippet of my CloudFormation template:

  "KeyName": {
          "Ref": "KeyName"
        },
        "Tags": [
          {
            "Key": "Project",
            "Value": "test"
          },
          {
            "Key": "OwnerAdmin",
            "Value": "myname"
          },
          {
            "Key": "Name",
            "Value": "TESTTags"
          }
        ],

Upvotes: 1

Views: 379

Answers (1)

Castrohenge

Reputation: 8993

I managed to get the policy simulator to allow the RunInstances action by changing

"Resource": "arn:aws:ec2:*:*:instance/*"

to

"Resource": "*",

You only need to use the resource level permissions if you want to constrain resources used by the instance, such as AMI, subnet, security group, etc.

Upvotes: 1
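Widening the resource to "*" makes the simulator pass, but it also means the policy no longer enforces the tag: the question's own CreateEC2Instances statement already allows ec2:RunInstances on "*" with no condition, and since IAM unions all Allow statements, the conditional LaunchingEC2withAMIsAndTags statement never restricts anything. The policy below is an added example (not the original poster's policy or the answerer's) showing the structure that does enforce the tag: ec2:RunInstances is split into two statements because one launch is authorized against several resource ARNs (instance, volume, image, subnet, security group, network interface, key pair), and aws:RequestTag is only evaluated on the instance and volume resources, so the tag condition must be attached to those ARNs alone while the supporting resources get an unconditional allow. ec2:CreateTags is limited to tagging during the launch itself via the ec2:CreateAction condition key. The resource list and the "?*" wildcard (any non-empty value) are assumptions for illustration; adjust them to the accounts and regions in scope.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RunInstancesOnlyWithProjectTag",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringLike": {
          "aws:RequestTag/Project": "?*"
        }
      }
    },
    {
      "Sid": "RunInstancesSupportingResources",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:key-pair/*"
      ]
    },
    {
      "Sid": "TagOnlyDuringLaunch",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances"
        }
      }
    }
  ]
}
```

Two things to check when testing this in the policy simulator: supply the aws:RequestTag/Project context key (a launch without it should be denied on the instance resource), and make sure no other attached statement grants ec2:RunInstances on "*" unconditionally, since that would reopen the gap. The condition only sees tags sent in the RunInstances request itself; tags applied afterwards by a separate CreateTags call are a different request and are governed by the last statement, which denies them outside of a launch.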
