sbx_hadoop

Reputation: 91

Do not allow users to create any EC2 instances if missing a tag value

Is there a way I can enforce tags on my EC2 instances? Below is what I am looking for:

  1. Deny users if they are missing required tags for EC2 instances
  2. Send email to admin if someone tried to create instances without the required tags.

Thanks in advance!

Upvotes: 2

Views: 2146

Answers (2)

jogold

Reputation: 7407

1. Deny Users if they are missing required tags for EC2 instances

You should look at the proposed solution given in How can I use IAM policy tags to restrict how an EC2 instance or EBS volume can be created?. It shows how to use a policy to require certain tags:

  "Condition": {
    "ForAllValues:StringEquals": {
      "aws:TagKeys": [
        "key1",
        "key2"
      ]
    }
  }

2. Send email to admin if someone tried to create instances without the required tags.

If you apply 1. then this normally won't happen. Still, you might want to look at the required-tags rule from AWS Config. You can then set up a CloudWatch rule to monitor your Config rule for compliance changes with an SNS topic as a target (you can subscribe an email address to your SNS topic). More info in Monitoring AWS Config with Amazon CloudWatch Events.

Upvotes: 3

user11389395

Reputation: 335

jogold mentioned good answers. In addition, another way is to create a Lambda function that checks for all EC2 instances that lack the tags that you require, then emails you via SNS the EC2 instance that got built.

This does not actually answer the question, but it is a good way to check your resources without tags.

Upvotes: 0
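
The periodic check described in the answer above, as an added example (not code from either answerer): it flags instances whose required tags are absent or have an empty value and publishes the list to SNS. The tag keys key1 and key2 come from the policy snippet on this page; the ALERT_TOPIC_ARN environment variable and the sample instance IDs are assumptions.

```python
import os

REQUIRED_TAGS = ("key1", "key2")  # keys from the policy snippet on this page


def missing_tags(instance, required=REQUIRED_TAGS):
    """Return required keys that are absent or have an empty value."""
    # describe_instances omits "Tags" entirely for an untagged instance.
    present = {t["Key"]: t.get("Value", "") for t in instance.get("Tags", [])}
    return [k for k in required if not present.get(k, "").strip()]


def find_noncompliant(reservations, required=REQUIRED_TAGS):
    """Map instance id -> missing keys; terminated instances are skipped."""
    report = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") in ("shutting-down", "terminated"):
                continue
            missing = missing_tags(inst, required)
            if missing:
                report[inst["InstanceId"]] = missing
    return report


def lambda_handler(event, context):
    import boto3  # imported here so the helpers above run without AWS access
    report = {}
    pages = boto3.client("ec2").get_paginator("describe_instances").paginate()
    for page in pages:
        report.update(find_noncompliant(page["Reservations"]))
    if report:
        body = "\n".join(f"{i}: missing {', '.join(k)}" for i, k in sorted(report.items()))
        boto3.client("sns").publish(
            TopicArn=os.environ["ALERT_TOPIC_ARN"],  # assumed environment variable
            Subject="EC2 instances missing required tags",
            Message=body,
        )
    return report

# Constructed sample shaped like one describe_instances page (IDs are made up).
SAMPLE = [{"Instances": [
    {"InstanceId": "i-0example0000001", "State": {"Name": "running"},
     "Tags": [{"Key": "key1", "Value": "a"}, {"Key": "key2", "Value": "b"}]},
    {"InstanceId": "i-0example0000002", "State": {"Name": "running"}},
    {"InstanceId": "i-0example0000003", "State": {"Name": "stopped"},
     "Tags": [{"Key": "key1", "Value": ""}, {"Key": "key2", "Value": "b"}]},
    {"InstanceId": "i-0example0000004", "State": {"Name": "terminated"}},
]}]
```

Run on a schedule, the handler needs ec2:DescribeInstances and sns:Publish on the topic, and an email address subscribed to that topic receives the report.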
