需要标签的 EC2 IAM 策略 [英] EC2 IAM policy to require tags

问题描述

AWS 刚刚发布了 EC2/EBS 所需的标签支持:新 – 标记 EC2 实例 &创建时的 EBS 卷.

AWS just released required tag support for EC2/EBS: New – Tag EC2 Instances & EBS Volumes on Creation.

然而，给出的示例仅检查标签是否具有固定值，这对我们没有用，因为我们的用户可以为所需标签输入自由形式的值.如何编写策略来检查标签是否存在?

However, the example given only checks if tags have a fixed value which isn't useful to us because our users can enter free form values for required tags. How can a policy be written to check tags are present?

例如，我们需要这样的东西:

For example, we need something like this:

"Statement": [
    {
      "Sid": "DenyMissingTags",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
      "Condition": {
        "StringExists": [
          "aws:RequestTag/costcenter",
          "aws:RequestTag/stack",
         ]
       }
     }
]

显然，我编造了StringExists

推荐答案

AWS 支持提供了一个我确认有效的解决方案.需要两个单独的条件块来确保仅存在 1 个标签时拒绝操作:

AWS support provided a solution I confirmed to work. Two separate condition blocks are needed to ensure the action is denied when only 1 tag is present:

{
    "Sid": "AllowLaunchOnlyWithRequiredTags1",
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
    "Condition": {
        "Null": {"aws:RequestTag/costcenter": "true"}
    }
},
{
    "Sid": "AllowLaunchOnlyWithRequiredTags2",
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
    "Condition": {
        "Null": {"aws:RequestTag/stack": "true"}
    }
}

这篇关于需要标签的 EC2 IAM 策略的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！