AWS IAM Policy to Enforce Tagging


Question

Is there a way to enforce tagging while creating EC2 instances? I.e. a user cannot launch an instance without certain tags. And can I use those tags to give control over a particular instance depending on the tag?

Answer

I had a similar use case while I was working for a customer. The answer is yes, you can!

You can require users to apply specific tags with IAM Policies.

For example, you can attach a policy to a user/role (preferably a role) that denies the ec2:RunInstances action with a condition that checks whether a tag Key and Value are not what you are expecting. It can be a bit confusing, as this policy uses double negation, Deny and StringNotLike, but I believe it's easier to enforce tagging that way, as you can add this policy to a role that has the Administrator policy and it still works.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ConditionalEC2creationName",
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringNotLike": {
                        "aws:RequestTag/Name": "*"
                    }
                }
            },
            {
                "Sid": "ConditionalEC2creationEnv",
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringNotLike": {
                        "aws:RequestTag/Env": "*"
                    }
                }
            }
        ]
    }

Unfortunately I couldn't make it work in a single block because I didn't have time to optimise it. I think it has to do with ForAllValues / ForAnyValue.

ForAllValues – The condition returns true if there's a match between every one of the specified key values in the request and at least one value in the policy. It also returns true if there is no matching key in the request, or if the key values resolve to an empty data set, such as an empty string.

ForAnyValue – The condition returns true if any one of the key values in the request matches any one of the condition values in the policy. For no matching key or an empty data set, the condition returns false.
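The double negation in the answer is easier to see when the evaluation is written out. The following Python is an added illustration, not the answerer's code and not AWS's real evaluation engine: it models only Effect/Action/Resource matching, the StringLike/StringNotLike operators, and the usual "explicit Deny wins, then any Allow, otherwise implicit deny" ordering. It carries the answer's two Deny statements as given, alongside a constructed Administrator-style Allow (the role the answer says the Deny can sit beside) and a constructed Allow using the `ec2:ResourceTag/<key>` condition key for the question's second part, controlling existing instances by their tags. The account id, instance id, `ADMIN_POLICY` and `DEV_ONLY_POLICY` are placeholders made up for the example.

```python
"""Toy IAM evaluator for the tag-enforcement pattern (added illustration)."""
import fnmatch

# The two Deny statements from the answer, wrapped in a complete policy document.
ENFORCE_TAGS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ConditionalEC2creationName",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringNotLike": {"aws:RequestTag/Name": "*"}},
        },
        {
            "Sid": "ConditionalEC2creationEnv",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringNotLike": {"aws:RequestTag/Env": "*"}},
        },
    ],
}

# Constructed: a broad Allow like the Administrator policy the answer mentions.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: the question's second ask, scoping actions on existing instances
# by their tags. ec2:ResourceTag/<key> is the condition key for an instance's tags.
DEV_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StopStartOnlyDevInstances",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringLike": {"ec2:ResourceTag/Env": "dev*"}},
        }
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob_any(patterns, value):
    # IAM String* matching: '*' and '?' wildcards, case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def condition_matches(condition, context):
    """Every operator/key pair must hold. A key missing from the request context
    fails StringLike but satisfies StringNotLike; that is why the answer's Deny
    fires when the tag was never sent."""
    for operator, keys in condition.items():
        if operator not in ("StringLike", "StringNotLike"):
            raise NotImplementedError(operator)
        for key, patterns in keys.items():
            value = context.get(key)
            matched = value is not None and _glob_any(patterns, value)
            if matched != (operator == "StringLike"):
                return False
    return True


def _statement_applies(st, action, resource, context):
    return (
        _glob_any(st["Action"], action)
        and _glob_any(st["Resource"], resource)
        and condition_matches(st.get("Condition", {}), context)
    )


def evaluate(policies, action, resource, context):
    """('DENY', sid) for an explicit deny, ('ALLOW', sid) when an Allow matches,
    ('DENY', None) for the implicit default deny."""
    matching = [st for p in policies for st in p["Statement"]
                if _statement_applies(st, action, resource, context)]
    for st in matching:
        if st["Effect"] == "Deny":
            return "DENY", st.get("Sid")
    for st in matching:
        if st["Effect"] == "Allow":
            return "ALLOW", st.get("Sid")
    return "DENY", None


def run_instances_context(tags):
    """aws:RequestTag/* keys carried by a RunInstances call. Only tags supplied in
    the request itself count; tagging after launch never reaches this check."""
    return {f"aws:RequestTag/{k}": v for k, v in tags.items()}


def instance_context(tags):
    """ec2:ResourceTag/* keys describing an existing instance's tags."""
    return {f"ec2:ResourceTag/{k}": v for k, v in tags.items()}


# Constructed sample ARN; the policies above match any instance ARN.
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
ROLE_POLICIES = [ADMIN_POLICY, ENFORCE_TAGS_POLICY, DEV_ONLY_POLICY]

if __name__ == "__main__":
    for tags in ({}, {"Name": "web-1"}, {"Name": "web-1", "Env": "prod"}):
        print(tags, evaluate(ROLE_POLICIES, "ec2:RunInstances", INSTANCE,
                             run_instances_context(tags)))
    print(evaluate([DEV_ONLY_POLICY], "ec2:StopInstances", INSTANCE,
                   instance_context({"Env": "prod"})))
```

Running it shows the launch without tags denied by the Name statement, the launch with only Name denied by the Env statement, and the fully tagged launch allowed by the broad Allow even though the Deny statements are attached to the same role. Note that `aws:RequestTag` only sees tags passed in the RunInstances call itself, so the check cannot be satisfied by tagging the instance afterwards.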

