对 AWS 资源实施标记 [英] Enforce tagging for AWS resources
问题描述
我了解我们可以通过引入 IAM 策略(例如针对 EC2)对 AWS 上的资源实施标记,
I understand that we can enforce tagging on resources on AWS by introducing IAM policies, for example for EC2,
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyCreateInstanceWithoutApplicationIDtag",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringNotLike": {
"aws:RequestTag/ApplicationID": "*"
}
}
}
]
}
我正在尝试对其他资源(例如路由表、VPC 附件等)实施相同的策略.
I am trying to enforce the same policies to other resources such as route table, VPC attachment and so on.
我发现下面的方法不起作用:
I found out that below does not work:
{
"Sid": "DenyCreateRouteTableWithoutApplicationIDtag",
"Effect": "Deny",
"Action": "ec2:CreateRouteTable",
"Resource": [
"arn:aws:ec2:*:*:routetable/*"
],
"Condition": {
"StringNotLike": {
"aws:RequestTag/ApplicationID": "*"
}
}
}
有人知道为什么会这样吗?有没有更好的方法来对所有可标记资源实施标记,而不是为每种资源类型编写 IAM 政策?
Will anyone know why this is the case? Is there a better way to enforce tagging on all taggable resources, instead of writing IAM policy per resource type?
推荐答案
看起来 ec2:CreateRoutetable
操作针对的是 VPC 资源,而不是路由表资源(这是您当前在 ec2:CreateRoutetable
代码>资源代码>条目).
It looks like the ec2:CreateRoutetable
action targets VPC resources, not Route Table resources (which is what you currently have in your Resource
entry).
尝试更改您的 Resource
块以包含 arn:aws:ec2:*:*:vpc/*
(即所有区域的所有 VPC).
Try changing your Resource
block to include arn:aws:ec2:*:*:vpc/*
(i.e. all VPCs in all regions).
您可以在 文档.
这篇关于对 AWS 资源实施标记的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!