对 AWS 资源实施标记 [英] Enforce tagging for AWS resources

问题描述

我了解我们可以通过引入 IAM 策略(例如针对 EC2)对 AWS 上的资源实施标记，

I understand that we can enforce tagging on resources on AWS by introducing IAM policies, for example for EC2,

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "DenyCreateInstanceWithoutApplicationIDtag",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": [
            "arn:aws:ec2:*:*:instance/*"
        ],
        "Condition": {
            "StringNotLike": {
                "aws:RequestTag/ApplicationID": "*"
            }
        }
    }
  ]
}

我正在尝试对其他资源(例如路由表、VPC 附件等)实施相同的策略.

I am trying to enforce the same policies to other resources such as route table, VPC attachment and so on.

我发现下面的方法不起作用:

I found out that below does not work:

 {
        "Sid": "DenyCreateRouteTableWithoutApplicationIDtag",
        "Effect": "Deny",
        "Action": "ec2:CreateRouteTable",
        "Resource": [
            "arn:aws:ec2:*:*:routetable/*"
        ],
        "Condition": {
            "StringNotLike": {
                "aws:RequestTag/ApplicationID": "*"
            }
        }
    }

有人知道为什么会这样吗?有没有更好的方法来对所有可标记资源实施标记，而不是为每种资源类型编写 IAM 政策?

Will anyone know why this is the case? Is there a better way to enforce tagging on all taggable resources, instead of writing IAM policy per resource type?

推荐答案

看起来 ec2:CreateRoutetable 操作针对的是 VPC 资源，而不是路由表资源(这是您当前在 ec2:CreateRoutetable代码>资源条目).

It looks like the ec2:CreateRoutetable action targets VPC resources, not Route Table resources (which is what you currently have in your Resource entry).

尝试更改您的 Resource 块以包含 arn:aws:ec2:*:*:vpc/*(即所有区域的所有 VPC).

Try changing your Resource block to include arn:aws:ec2:*:*:vpc/* (i.e. all VPCs in all regions).

您可以在 文档.

这篇关于对 AWS 资源实施标记的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！