Enforce tag policy for all services in aws

I need an AWS IAM policy to enforce tagging for all the services (not one by one). Is that possible?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreateSecretWithNoProjectTag",
      "Effect": "Deny",
      "Action": "secretsmanager:CreateSecret",
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Project": "true"
        }
      }
    },
    {
      "Sid": "DenyRunInstanceWithNoProjectTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Project": "true"
        }
      }
    },
    {
      "Sid": "DenyCreateSecretWithNoCostCenterTag",
      "Effect": "Deny",
      "Action": "secretsmanager:CreateSecret",
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter": "true"
        }
      }
    },
    {
      "Sid": "DenyRunInstanceWithNoCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter": "true"
        }
      }
    }
  ]
}

This is from the AWS documentation. I need all AWS services together.

Upvotes: 1

Views: 1765

Answers (3)

vedat

Reputation: 1309

It is not possible.

First, you cannot use "*" for resources. E.g. EC2 creates EBS volumes, ENIs ... and some cannot be tagged, so you won't be able to spin up an instance.

Second, not all AWS services create the tags during resource creation. E.g. S3 won't send the tags for the createBucket request.

Third, some AWS services use requestTag, some use awsTags during resource creation.

So, you need to go service by service and test those services one by one :( and then you will hit the SCP size limit (5120 bytes)....

Upvotes: 0
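As an added example (not part of vedat's answer, the question, or any AWS code), the evaluator below replays the question's Deny statements against sample requests: it shows what the "Null" condition on aws:RequestTag actually tests, and that an action the policy never lists, such as s3:CreateBucket, is simply not denied, which is why the policy has to be extended service by service. It assumes a request is described by its action, resource ARN and request tags, models only the aws:RequestTag condition key, and the ARNs and tag values used are constructed.

```python
import fnmatch
import json

# The question's policy, embedded verbatim but trimmed to its two distinct shapes.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyCreateSecretWithNoProjectTag", "Effect": "Deny",
     "Action": "secretsmanager:CreateSecret", "Resource": "*",
     "Condition": {"Null": {"aws:RequestTag/Project": "true"}}},
    {"Sid": "DenyRunInstanceWithNoProjectTag", "Effect": "Deny",
     "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
     "Condition": {"Null": {"aws:RequestTag/Project": "true"}}}
  ]
}
""")


def null_condition_matches(null_block, request_tags):
    # "Null": {"aws:RequestTag/Project": "true"} is satisfied when the request
    # carries no tag named Project; "false" would be satisfied when it does.
    for key, expect_null in null_block.items():
        if not key.startswith("aws:RequestTag/"):
            raise NotImplementedError(key)  # only the condition key the page uses
        tag_absent = key.split("/", 1)[1] not in request_tags
        if tag_absent != (expect_null == "true"):
            return False
    return True  # an empty block (statement without Condition) always applies


def _as_list(value):
    return value if isinstance(value, list) else [value]


def denied_by(policy, action, resource_arn, request_tags):
    """Return the Sids of Deny statements that apply to this request.

    An explicit Deny wins in IAM, so a non-empty list means the call is blocked.
    Action and Resource use IAM wildcards (* and ?), which fnmatch reproduces."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if null_condition_matches(stmt.get("Condition", {}).get("Null", {}), request_tags):
            hits.append(stmt["Sid"])
    return hits
```

Running denied_by with an untagged s3:CreateBucket request returns an empty list: nothing in this policy reaches S3, so a bucket created without a Project tag is not stopped.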

Marcin

Reputation: 238051

There is no way to enforce tagging for all possible resources up front. I recommend reading the AWS white paper:

Even with AWS Organizations and Tag Policies you can't fully enforce tags since:

Enforcement has no effect on resources that are created without tags.

Also, with AWS Organizations' Tag Policies only some resources are supported, not all resources available in AWS.

The white paper recommends using CloudFormation and Service Catalog to proactively tag resources.

Upvotes: 1

Chris Williams

Reputation: 35146

If the account is part of an Organisation, it can be enforced through tag policies: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html.

If not, you can use the AWS Config rule required-tags: https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html

Upvotes: 0
