EC2 IAM policy to require tags


Question


AWS just released required tag support for EC2/EBS: New – Tag EC2 Instances & EBS Volumes on Creation.


However, the example given only checks if tags have a fixed value which isn't useful to us because our users can enter free form values for required tags. How can a policy be written to check tags are present?


For example, we need something like this:

"Statement": [
    {
        "Sid": "DenyMissingTags",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
        "Condition": {
            "StringExists": [
                "aws:RequestTag/costcenter",
                "aws:RequestTag/stack"
            ]
        }
    }
]

Obviously, I made up StringExists.

Answer


AWS support provided a solution I confirmed to work. Two separate condition blocks are needed to ensure the action is denied when only 1 tag is present:

{
    "Sid": "AllowLaunchOnlyWithRequiredTags1",
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
    "Condition": {
        "Null": {"aws:RequestTag/costcenter": "true"}
    }
},
{
    "Sid": "AllowLaunchOnlyWithRequiredTags2",
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
    "Condition": {
        "Null": {"aws:RequestTag/stack": "true"}
    }
}
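
The reason the answer needs two statements rather than one Null block listing both keys is how IAM combines condition keys: every key inside one condition block must match (AND), so a single block with both tags set to "true" only fires when both tags are missing, and a request carrying just one of them slips through. The following Python evaluator is an added example, not code from the original post or from AWS: it models only the slice of IAM policy evaluation needed here (string Action match, glob Resource match, the Null operator, and explicit-deny-wins) and runs both policy shapes against the same requests. The account id 123456789012, the surrounding Allow statement, the Version field and the Sid names are assumptions made for the example.

```python
import fnmatch
import json

# Constructed policy: the two Deny statements from the answer, wrapped in a
# complete document. Account id, Version and the Allow statement are assumed.
TWO_STATEMENT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowRunInstances", "Effect": "Allow",
     "Action": "ec2:RunInstances", "Resource": "*"},
    {"Sid": "DenyMissingCostcenter", "Effect": "Deny",
     "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
     "Condition": {"Null": {"aws:RequestTag/costcenter": "true"}}},
    {"Sid": "DenyMissingStack", "Effect": "Deny",
     "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
     "Condition": {"Null": {"aws:RequestTag/stack": "true"}}}
  ]
}
""")

# Constructed policy: the tempting shortcut with both keys in ONE Null block.
ONE_STATEMENT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowRunInstances", "Effect": "Allow",
     "Action": "ec2:RunInstances", "Resource": "*"},
    {"Sid": "DenyMissingTags", "Effect": "Deny",
     "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
     "Condition": {"Null": {"aws:RequestTag/costcenter": "true",
                            "aws:RequestTag/stack": "true"}}}
  ]
}
""")

# Constructed instance ARN used as the request resource (hypothetical id).
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
ACTION = "ec2:RunInstances"


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def null_block_matches(block, request_tags):
    """Evaluate one Null condition block.

    IAM semantics: every key in a block must match (logical AND).
    Null with value "true" matches when the request does NOT carry the tag;
    "false" matches when it does.
    """
    for key, expected in block.items():
        tag_name = key[len("aws:RequestTag/"):]
        key_absent = tag_name not in request_tags
        want_absent = str(expected).lower() == "true"
        if key_absent != want_absent:
            return False
    return True


def evaluate(policy, action, resource, request_tags):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    Only the subset of IAM needed for this page is modelled: exact Action
    match, glob Resource match and the Null operator. An explicit Deny
    always wins over any Allow, as in real IAM evaluation.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, pattern)
                   for pattern in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {})
        if not all(op == "Null" and null_block_matches(block, request_tags)
                   for op, block in conditions.items()):
            continue  # condition not satisfied: statement does not apply
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    requests = [{}, {"costcenter": "1234"}, {"costcenter": "1234", "stack": "web"}]
    for tags in requests:
        print(sorted(tags),
              "two statements:", evaluate(TWO_STATEMENT_POLICY, ACTION, INSTANCE_ARN, tags),
              "one block:", evaluate(ONE_STATEMENT_POLICY, ACTION, INSTANCE_ARN, tags))
```

Running it shows the difference the answer relies on: with only costcenter supplied, the two-statement policy returns ExplicitDeny while the single-block variant returns Allow, because its Null block is only true when both keys are absent. Two caveats when adopting the answer's policy as-is: the Resource covers only instance ARNs, so the EBS volumes that RunInstances creates would need a matching volume/* statement to be held to the same requirement, and aws:RequestTag is only evaluated at creation, so nothing here stops a principal with ec2:DeleteTags from stripping the tags afterwards.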

