堆栈内存溢出
  简体   繁体   English

SCP创建一个没有标签或有特定标签的安全组

[英]SCP to create a security group with no tag or with specific tag

 原文  2022-02-06 21:32:35       amazon-web-services/ amazon-iam

问题描述

I want to create an SCP (service control policy) that should allow creating a security group if no tags are present.我想创建一个 SCP(服务控制策略),如果没有标签,它应该允许创建一个安全组。 If a tag is created, it should have a specific value.如果创建了一个标签,它应该有一个特定的值。 For example, if 'bu' is a tag, the value should always be 'finance' only.例如,如果“bu”是一个标签,则值应始终仅为“finance”。 How this can be done.如何做到这一点。 I have done this bit:我做了这一点:

{
  "Sid": "SGBu",
  "Effect": "Deny",
  "Action": [
    "ec2:CreateSecurityGroup"
  ],
  "Resource": [
    "arn:aws:ec2:*:*:security-group/*"
  ],
  "Condition": {
    "ForAnyValue:Null": {
      "aws:RequestTag/bu": "false"
    }
  }
}

How can I add an OR condition along with this so that the value has to be 'finance' if 'bu' tag is added?如何添加一个 OR 条件,以便在添加“bu”标签时该值必须为“finance”?

Thank you谢谢

2 个解决方案

解决方案1
 0 已采纳  2022-02-07 07:34:09

You can have multiple Conditions in a SCP but these Conditions will only work as AND.您可以在一个 SCP 中有多个条件,但这些条件仅适用于 AND。 But Each Condition it self can have more than one key/value pair and the relationship between these key/value pairs is OR.但是每个 Condition 本身可以有多个键/值对,这些键/值对之间的关系是或。

Here is an example: (See the last Condition IpAdressess)下面是一个示例:(请参阅最后一个条件 IpAdressess)

"Condition" :  {
      "DateGreaterThan" : {
         "aws:CurrentTime" : "2019-07-16T12:00:00Z"
       },
      "DateLessThan": {
         "aws:CurrentTime" : "2019-07-16T15:00:00Z"
       },
       "IpAddress" : {
          "aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]
      }
}

Here is AWS docs on it: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html这是关于它的 AWS 文档: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html

解决方案2
 0  2022-02-07 21:03:06

The best approach is to combine SCP with Tag Policies .最好的方法是将SCP 与 Tag Policies结合起来。

In this way, SCP are used to enforce tagging at resource creation and Tag Policy is used to standarize values of determined tags.这样,SCP 用于在资源创建时强制标记,Tag Policy 用于标准化确定的标记的值。

With Tag Policies you can define a list of values allowed for certain tags, enforce it for the services you select and also is case-sensitive (SCP is not case-sensitive on condition keys).使用标签策略,您可以定义特定标签允许的值列表,为您的服务强制执行它 select 并且还区分大小写(SCP 在条件键上不区分大小写)。

For your scenario the Tag policy could be:对于您的场景,标签策略可以是:

  • Tag key: bu标签键:bu
  • Values: finance价值观:财务
  • Resource types to enforce: ec2:securitygroup要实施的资源类型:ec2:securitygroup

示例标签策略

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 AWS SCP 执行标签策略失败 - AWS SCP to enforce Tag Policy fails CloudFormation - 根据 vpc 标签值将安全组动态分配给 vpc - CloudFormation - Assign a security group to a vpc dynamically based on a vpc tag value 如何使用特定标签版本更新 ecs 服务? - How to update an ecs service with specific tag version? 在 AWS 安全组中创建多个规则 - Create multiple rules in AWS security Group AWS CLI - 创建脚本以将我的 IP 添加到安全组 - AWS CLI - Create script to add my IP to security group 如何在 AWS cli 中获取所有实例和特定标签的列表 - How to get a list of all instances and a specific tag in AWS cli Google Container Registry:防止一组用户推送保留标签名称 - Google Container Registry : Prevent a group of users to push reserved tag names AWS:SCP 允许特定 OU 的特定服务 - AWS : SCP allow specific service for a specific OU 如何使用 boto3 标记现有的 AWS 自动缩放组 - how to tag an existing AWS autoscaling group with boto3 安全组 aws 特定 ip http/https 阻止一切 - security group aws specific ip http/https blocks everything
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM