Reputation: 91
Enforce tagging in ec2
Created an IAM policy that should restrict user to now to allow ec2 instance creation when tags value not met
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowToDescribeAll", "Effect": "Allow", "Action": [ "ec2:Describe*" ], "Resource": "" }, { "Sid": "AllowRunInstances", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:::image/", "arn:aws:ec2:::snapshot/", "arn:aws:ec2:::subnet/", "arn:aws:ec2:::network-interface/", "arn:aws:ec2:::security-group/", "arn:aws:ec2:::key-pair/" ] }, { "Sid": "AllowRunInstancesWithRestrictions", "Effect": "Allow", "Action": [ "ec2:CreateVolume", "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:::volume/", "arn:aws:ec2:::instance/" ], "Condition": { "StringEquals": { "aws:RequestTag/shutdown": "true", "aws:RequestTag/terminate": "true" }, "ForAllValues:StringEquals": { "aws:TagKeys": [ "shutdown", "terminate" ] } } }, { "Sid": "AllowCreateTagsOnlyLaunching", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": [ "arn:aws:ec2:::volume/", "arn:aws:ec2:::instance/*" ], "Condition": { "StringEquals": { "ec2:CreateAction": "RunInstances" } } } ] }
Upvotes: 1
Views: 730
Answers (2)
Reputation: 569
You may use something like this
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"Application",
"Environment"
]
},
"StringEqualsIfExists": {
"aws:RequestTag/Application": [
"app-01",
"app-02"
],
"aws:RequestTag/Environment": [
"development",
"production"
]
}
}
}
]
}
Upvotes: 0
Reputation: 7407
Please check with the policy simulator at https://policysim.aws.amazon.com/home/index.jsp?#
With the following policy, I'm able to confirm that it works:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowToDescribeAll",
"Effect": "Allow",
"Action": [
"ec2:Describe*"
],
"Resource": "*"
},
{
"Sid": "AllowRunInstances",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:key-pair/*"
]
},
{
"Sid": "AllowRunInstancesWithRestrictions",
"Effect": "Allow",
"Action": [
"ec2:CreateVolume",
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/terminate": "true",
"aws:RequestTag/shutdown": "true"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"terminate",
"shutdown"
]
}
}
},
{
"Sid": "AllowCreateTagsOnlyLaunching",
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction": "RunInstances"
}
}
}
]
}
Upvotes: 1
Related Questions
- Set a tag to EC2 instance using JAVA
- Mandatory tagging when launching EC2 instance
- How to make EC2 "inherit" tags from AMI
- I am unable to enforce tagging for ec2 instances. what am I missing
- How do I make it a requirement for instances to have specific tags?
- Enforce tag creation for EC2
- How do you set default tags when creating an EC2 instance?
- How to concisely write a policy to control access to Amazon EC2 resources based on tags
- Allow user to manage EC2 by its tags
- EC2 IAM policy to require tags