AWS IAM Policy to Enforce Tagging


Question

Is there a way to enforce tagging while creating EC2 instances? I.e., a user cannot launch an instance without certain tags. And can I use those tags to give control over a particular instance depending on the tag?

Answer

I had a similar use case while I was working for a customer. The answer is yes, you can!

You can force users to apply specific tags with IAM policies.

For example, you can attach a policy to a user/role (preferably a role) that denies the ec2:RunInstances action with a condition that checks whether a tag key and value are not what you are expecting. It can be a bit confusing, as this policy uses a double negation, Deny and StringNotLike, but I believe it is easier to enforce tagging that way because you can add this policy to a role that has the Administrator policy and it still works.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ConditionalEC2creationName",
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringNotLike": {
                        "aws:RequestTag/Name": "*"
                    }
                }
            },
            {
                "Sid": "ConditionalEC2creationEnv",
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringNotLike": {
                        "aws:RequestTag/Env": "*"
                    }
                }
            }
        ]
    }

Unfortunately, I couldn't make it work in a single block because I didn't have time to optimise it. I think it has to do with ForAllValues and ForAnyValue.

ForAllValues – The condition returns true if there's a match between every one of the specified key values in the request and at least one value in the policy. It also returns true if there is no matching key in the request, or if the key values resolve to an empty data set, such as an empty string.

ForAnyValue – The condition returns true if any one of the key values in the request matches any one of the condition values in the policy. For no matching key or an empty data set, the condition returns false.
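Added example (not part of the original answer): the per-tag Deny pattern above, generalised to any set of required tag keys and checked locally before you attach it. The required keys, the allowed `Env` values and the sample requests are constructed for illustration. One Deny statement per key is the right shape because every key inside a single Condition block is ANDed, so a single block would only fire when all the tags were missing at once; and a negated string operator such as StringNotLike evaluates to true when the key is absent from the request, which is what makes an untagged launch hit the Deny. The evaluator models only the StringNotLike operator that this policy uses, not the full IAM evaluation logic.

```python
"""Generate tag-enforcing Deny statements and sanity-check them against
sample ec2:RunInstances requests. Added example, not from the original answer."""
import fnmatch
import json

# Hypothetical requirements: Name may be any value (but must be present),
# Env must be one of three values. Each key gets its own Deny statement.
REQUIRED_TAGS = {
    "Name": ["*"],
    "Env": ["dev", "test", "prod"],
}


def build_policy(required_tags=REQUIRED_TAGS):
    """One Deny statement per required tag key, each with a StringNotLike
    condition on aws:RequestTag/<key>. Values for one key are ORed, so the
    statement fires only when the tag value matches none of the patterns
    (or the tag is missing from the request)."""
    statements = []
    for key, patterns in required_tags.items():
        statements.append({
            "Sid": f"RequireTag{key}",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringNotLike": {f"aws:RequestTag/{key}": patterns}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _string_not_like(request_value, patterns):
    """Model of IAM StringNotLike: case-sensitive, '*' and '?' wildcards.
    A missing key makes the negated operator true. fnmatchcase also honours
    [..] classes, which IAM does not, so keep patterns to '*' and '?'."""
    if request_value is None:
        return True
    return not any(fnmatch.fnmatchcase(request_value, p) for p in patterns)


def denying_statements(policy, request_tags):
    """Return the Sids of Deny statements whose conditions are all met by a
    RunInstances request carrying `request_tags` (tag key -> value)."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        applies = True
        for operator, block in stmt.get("Condition", {}).items():
            if operator != "StringNotLike":
                raise NotImplementedError(f"operator {operator} not modelled")
            # All keys inside one operator block must be true (AND).
            for ctx_key, patterns in block.items():
                tag_key = ctx_key.split("/", 1)[1]  # strip "aws:RequestTag/"
                if not _string_not_like(request_tags.get(tag_key), patterns):
                    applies = False
        if applies:
            hits.append(stmt["Sid"])
    return hits


def is_denied(policy, request_tags):
    """True if at least one Deny statement applies to the request."""
    return bool(denying_statements(policy, request_tags))


if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))
    # Constructed sample requests: the instance TagSpecifications of a launch.
    for tags in ({"Name": "web-1", "Env": "prod"},
                 {"Env": "prod"},
                 {"Name": "web-1", "Env": "staging"},
                 {}):
        print(tags, "->", denying_statements(policy, tags) or "not denied by this policy")
```

Because this is a Deny-only policy, a request that no statement matches is merely "not denied by this policy"; the principal still needs an Allow for ec2:RunInstances from elsewhere (for instance the Administrator policy the answer mentions). Before relying on the generated document, confirm it against the IAM policy simulator or a test account, since this local model covers only the operator the policy uses.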
