Reputation: 516
Can we enforce certain tags to be used while deploying a CloudFormation stack, such that if someone doesn't provide those tags, they won't be able to deploy the stack in an AWS account?
What I am trying to do is to enforce certain tag patterns. For example, if anyone wants to deploy their stack they have to provide certain tags like
And further, is there any way we can enforce this tagging (on CloudFormation tags) at an org level via a tag policy, so nobody can deploy those stacks if they don't have those tags at the stack level?
What this would do is enforce tagging at the stack level rather than the resource level. Since stacks can have multiple resources inside, and you don't want to use the same tag under each resource, we could require certain tags at the stack deployment level.
I do know that we can create a service control policy (SCP) for the AWS organization, but can we use a tag policy for this use case? And is that the right solution to implement this, or is there a better way we can do this?
Upvotes: 3
Views: 979
Reputation: 4077
Yes, you can apply an SCP to enforce the inclusion of tags on creation of CloudFormation stacks. It is the right approach if you want to restrict it at the account level. If you want to apply it specifically to a user or group, then an SCP is not suitable. Test with the following SCP. You can add as many conditions as you want:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudformationForceTagProject",
            "Effect": "Deny",
            "Action": "cloudformation:CreateStack",
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/Project_Name": "true"
                }
            }
        },
        {
            "Sid": "CloudformationForceTagOwner",
            "Effect": "Deny",
            "Action": "cloudformation:CreateStack",
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/Owner": "true"
                }
            }
        },
        {
            "Sid": "CloudformationForceTagStage",
            "Effect": "Deny",
            "Action": "cloudformation:CreateStack",
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/Stage": "true"
                }
            }
        }
    ]
}
Upvotes: 0
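As an added example (not part of the answer above), the following Python builds the same SCP from a list of required tag keys and simulates how IAM evaluates the Null condition on a CreateStack request. It also shows why the answer uses one Deny statement per tag: keys inside a single condition block are ANDed, so collapsing them into one block would deny only when every tag is missing. The tag keys Project_Name, Owner and Stage are taken from the answer; the evaluator is a simplified model of IAM, not the AWS implementation.

```python
"""Build and simulate the tag-enforcing SCP from the answer (added example)."""
import json

REQUIRED_TAG_KEYS = ["Project_Name", "Owner", "Stage"]  # keys from the answer


def build_scp(tag_keys):
    """One Deny statement per key: a Null condition is true when the key is absent."""
    statements = []
    for key in tag_keys:
        statements.append({
            "Sid": f"CloudformationForceTag{key.replace('_', '')}",
            "Effect": "Deny",
            "Action": "cloudformation:CreateStack",
            "Resource": "*",
            "Condition": {"Null": {f"aws:RequestTag/{key}": "true"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def statement_matches(statement, request_tags):
    """Model of the IAM Null operator: every key in one block must match (AND)."""
    null_block = statement["Condition"]["Null"]
    for cond_key, expected in null_block.items():
        tag_key = cond_key.split("/", 1)[1]          # "aws:RequestTag/Owner" -> "Owner"
        is_absent = tag_key not in request_tags
        if is_absent != (expected == "true"):
            return False
    return True


def create_stack_denied(scp, request_tags):
    """An explicit Deny wins as soon as any Deny statement's condition matches."""
    return any(statement_matches(s, request_tags)
               for s in scp["Statement"] if s["Effect"] == "Deny")


def build_single_statement_scp(tag_keys):
    """Pitfall: all keys in ONE Null block are ANDed, so this denies only when
    every required tag is missing, which is not what the policy intends."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllTagsInOneBlock", "Effect": "Deny",
        "Action": "cloudformation:CreateStack", "Resource": "*",
        "Condition": {"Null": {f"aws:RequestTag/{k}": "true" for k in tag_keys}},
    }]}


if __name__ == "__main__":
    print(json.dumps(build_scp(REQUIRED_TAG_KEYS), indent=2))
```

Note that this SCP only conditions cloudformation:CreateStack; a tag policy in AWS Organizations governs tag key casing and values rather than blocking the API call, so it is a complement to, not a replacement for, the SCP.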