EC2 IAM策略要求标签 [英] EC2 IAM policy to require tags
问题描述
AWS刚刚发布了对EC2 / EBS的必需标签支持:
新建–标记EC2实例& EBS Volumes on Creation 。
AWS just released required tag support for EC2/EBS: New – Tag EC2 Instances & EBS Volumes on Creation.
但是,给出的示例仅检查标签是否具有固定值,这对我们没有用,因为我们的用户可以免费输入所需标签的表单值。
However, the example given only checks if tags have a fixed value which isn't useful to us because our users can enter free form values for required tags. How can a policy be written to check tags are present?
例如,我们需要这样的东西:
For example, we need something like this:
"Statement": [
{
"Sid": "DenyMissingTags",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
"Condition": {
"StringExists": [
"aws:RequestTag/costcenter",
"aws:RequestTag/stack",
]
}
}
]
很明显,我组成了 StringExists
推荐答案
AWS支持提供了我确认可以使用的解决方案。需要两个单独的条件块来确保只有1个标记存在时才拒绝操作:
AWS support provided a solution I confirmed to work. Two separate condition blocks are needed to ensure the action is denied when only 1 tag is present:
{
"Sid": "AllowLaunchOnlyWithRequiredTags1",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
"Condition": {
"Null": {"aws:RequestTag/costcenter": "true"}
}
},
{
"Sid": "AllowLaunchOnlyWithRequiredTags2",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
"Condition": {
"Null": {"aws:RequestTag/stack": "true"}
}
}
这篇关于EC2 IAM策略要求标签的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!