jjones150

Reputation: 302

I am unable to enforce tagging for EC2 instances. What am I missing?

I am attempting to force users to tag ec2 instances upon creation. I have set up a test account and have attached a policy that should require them to tag an ec2 instance when they create one. When I log into the test account using a cognito window and attempt to create an ec2 instance, I am NOT required to tag the instance.

I have diligently searched through the Stack Overflow forums and online in general. The answers I have come across all make sense but simply do not work.

The below IAM policy is what I have been working with. I have been modifying and experimenting to no avail.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*:123456789:subnet/*",
                "arn:aws:ec2:*:123456789:network-interface/*",
                "arn:aws:ec2:*:123456789:security-group/*",
                "arn:aws:ec2:*:123456789:key-pair/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:123456789:volume/*",
                "arn:aws:ec2:*:123456789:instance/*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:TagKeys": [
                        "environment",
                        "webserver"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "arn:aws:ec2:*:123456789:*/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}

I don't get any error messages. When creating the ec2 instance with the test user account, I am simply allowed to proceed.

Any thoughts would be greatly appreciated.

Upvotes: 0

Views: 704

Answers (1)

Sébastien Stormacq

Reputation: 14915

[UPDATED]

I confirm your policy is not working. (all commands were run on eu-west-1)

$ aws ec2 run-instances --image-id ami-0bbc25e23a7640b9b --instance-type t3.micro

{
    "Groups": [],
    "Instances": [
        {
            "AmiLaunchIndex": 0,
            "ImageId": "ami-0bbc25e23a7640b9b",
            "InstanceId": "i-0f695dcb8044ef708",
...

I switched to this policy, copy-pasted from our blog (the only difference I can see is that there is no account ID explicitly mentioned):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowToDescribeAll",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowRunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*"
            ]
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:TagKeys": [
                        "key1"
                    ]
                }
            }
        },
        {
            "Sid": "AllowCreateTagsOnlyLaunching",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}

Then I tried to start an instance without tags

$ aws --profile test ec2 run-instances --image-id ami-0bbc25e23a7640b9b --instance-type t3.micro 

or just tagging the instance, not the volume

$ aws --profile test ec2 run-instances --image-id ami-0bbc25e23a7640b9b --instance-type t3.micro --tag-specifications 'ResourceType=instance,Tags=[{Key=key1,Value=production}]'

and both calls failed.

An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation. 

Then I tried with both tags (any value)

$ aws --profile test ec2 run-instances --image-id ami-0bbc25e23a7640b9b --instance-type t3.micro --tag-specifications 'ResourceType=instance,Tags=[{Key=key1,Value=value1}]' 'ResourceType=volume,Tags=[{Key=key1,Value=value1}]'

and it worked!

{
    "Groups": [],
    "Instances": [
        {
            "AmiLaunchIndex": 0,
            "ImageId": "ami-0bbc25e23a7640b9b",
            "InstanceId": "i-04aa7bd64b5f2ed22",
...

Upvotes: 1
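The three experiments in the answer above can be reproduced offline with a small model of how IAM authorizes a RunInstances call: the call touches several resources (image, subnet, network interface, security group, and the not-yet-existing instance and volume), each resource must be allowed by some statement, and `ForAnyValue:StringEquals` on `aws:TagKeys` is evaluated against the tag keys supplied for that particular resource. This is an added example, not code from the post or from AWS; it implements only the subset of IAM evaluation needed here (Allow statements, `*` wildcards, the `aws:TagKeys` condition) and treats every other condition as a non-match. The region, account ID and the subnet/security-group IDs are constructed placeholders; the policy JSON is the one from the answer.

```python
"""Offline model of IAM authorization for EC2 RunInstances with tag enforcement.
Added example (not from the original post or AWS). Models only Allow statements,
'*' wildcards in actions/ARNs, and ForAnyValue:StringEquals on aws:TagKeys;
any other condition operator or key fails closed."""
import fnmatch
import json

# Policy from the answer: tag key 'key1' is required on the instance and the volume.
TAG_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowToDescribeAll", "Effect": "Allow",
     "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Sid": "AllowRunInstances", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:*::image/*", "arn:aws:ec2:*::snapshot/*",
                  "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:network-interface/*",
                  "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:key-pair/*"]},
    {"Sid": "AllowRunInstancesWithRestrictions", "Effect": "Allow",
     "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
     "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
     "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["key1"]}}},
    {"Sid": "AllowCreateTagsOnlyLaunching", "Effect": "Allow", "Action": ["ec2:CreateTags"],
     "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
     "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}}}
  ]
}
""")

# Resources a default RunInstances call is authorized against. Region, account and
# the subnet / security-group IDs are constructed placeholders. The instance and
# volume ARNs end in '*' because those resources do not exist yet at authorization time.
REGION, ACCOUNT = "eu-west-1", "123456789012"
LAUNCH_RESOURCES = {
    "image": f"arn:aws:ec2:{REGION}::image/ami-0bbc25e23a7640b9b",
    "subnet": f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/subnet-0000example",
    "network-interface": f"arn:aws:ec2:{REGION}:{ACCOUNT}:network-interface/*",
    "security-group": f"arn:aws:ec2:{REGION}:{ACCOUNT}:security-group/sg-0000example",
    "instance": f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
    "volume": f"arn:aws:ec2:{REGION}:{ACCOUNT}:volume/*",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, tag_keys):
    """Evaluate a Condition block for one resource.

    Only ForAnyValue:StringEquals on aws:TagKeys is modelled: at least one tag key
    sent for this resource must be in the allowed set, so an empty tag set can never
    satisfy it. Any other operator or key makes the statement not match.
    """
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            if operator == "ForAnyValue:StringEquals" and key == "aws:TagKeys":
                if not set(tag_keys) & set(_as_list(allowed)):
                    return False
            else:
                return False
    return True


def statement_allows(stmt, action, resource_arn, tag_keys):
    """True if this Allow statement matches the action, the resource ARN and the context."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), tag_keys)


def authorize_run_instances(policy, tag_specs):
    """tag_specs maps a resource type ('instance', 'volume') to the tag keys sent for it,
    mirroring --tag-specifications. The call succeeds only if every resource it touches
    is allowed; returns (allowed, list of resource types that had no matching statement)."""
    denied = []
    for rtype, arn in LAUNCH_RESOURCES.items():
        keys = tag_specs.get(rtype, [])
        if not any(statement_allows(s, "ec2:RunInstances", arn, keys) for s in policy["Statement"]):
            denied.append(rtype)
    return (not denied, denied)


if __name__ == "__main__":
    cases = [("no tags", {}),
             ("instance only", {"instance": ["key1"]}),
             ("instance and volume", {"instance": ["key1"], "volume": ["key1"]})]
    for label, specs in cases:
        print(f"{label:22} -> {authorize_run_instances(TAG_POLICY, specs)}")
```

Running it reproduces the answer's results: with no tags both the instance and the volume resources are denied, tagging only the instance still leaves the volume denied (which is why the second CLI call in the answer failed with UnauthorizedOperation), and tagging both with `key1` is allowed. The same function can be pointed at a different `tag_specs` dictionary to check a policy before attaching it, though for a real policy the authoritative check is `aws iam simulate-principal-policy`, since this model deliberately ignores Deny statements, other condition keys and any other policies attached to the principal.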
