需要标签的 EC2 IAM 策略 [英] EC2 IAM policy to require tags
问题描述
AWS 刚刚发布了 EC2/EBS 所需的标签支持:新 – 标记 EC2 实例 &创建时的 EBS 卷.
AWS just released required tag support for EC2/EBS: New – Tag EC2 Instances & EBS Volumes on Creation.
然而,给出的示例仅检查标签是否具有固定值,这对我们没有用,因为我们的用户可以为所需标签输入自由形式的值.如何编写策略来检查标签是否存在?
However, the example given only checks if tags have a fixed value which isn't useful to us because our users can enter free form values for required tags. How can a policy be written to check tags are present?
例如,我们需要这样的东西:
For example, we need something like this:
"Statement": [
{
"Sid": "DenyMissingTags",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
"Condition": {
"StringExists": [
"aws:RequestTag/costcenter",
"aws:RequestTag/stack",
]
}
}
]
显然,我编造了StringExists
推荐答案
AWS 支持提供了一个我确认有效的解决方案.需要两个单独的条件块来确保仅存在 1 个标签时拒绝操作:
AWS support provided a solution I confirmed to work. Two separate condition blocks are needed to ensure the action is denied when only 1 tag is present:
{
"Sid": "AllowLaunchOnlyWithRequiredTags1",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
"Condition": {
"Null": {"aws:RequestTag/costcenter": "true"}
}
},
{
"Sid": "AllowLaunchOnlyWithRequiredTags2",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
"Condition": {
"Null": {"aws:RequestTag/stack": "true"}
}
}
这篇关于需要标签的 EC2 IAM 策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!