AWS IAM Policy to Enforce Tagging

Question

Is there a way to enforce tagging while creating EC2-Instances? I,e user cannot launch an instance without certain tags. And can I use that tags to give control to particular instance depending on the tag?

Answer 1

I had a similar use case while I was working for a customer. The answer is yes you can !

You can enforce users to apply specific tags with IAM Policies.

For example you can attach a policy to a user/role (preferably role) that denies the ec2:RunInstances action with a condition that checks if a tag Key and Value are not what you are expecting. It can be a bit confusing as this policy uses double negation, Deny and StringNotLike but I believe its easier to enforce tagging that way as you can add this policy to a role that has the Administrator policy and still work.

    {
        "Sid": "ConditionalEC2creationName",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {
            "StringNotLike": {
                "aws:RequestTag/Name": "*"
            }
        }
    },
    {
        "Sid": "ConditionalEC2creationEnv",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {
            "StringNotLike": {
                "aws:RequestTag/Env": "*"
            }
        }
    }

Unfortunately i couldn't make it work in a single block because I didn't have time to optimise it. I think it has to do with ForAllValues , ForAnyValue .

ForAllValues – The condition returns true if there's a match between every one of the specified key values in the request and at least one value in the policy. It also returns true if there is no matching key in the request, or if the key values resolve to an empty data set, such as an empty string.

ForAnyValue – The condition returns true if any one of the key values in the request matches any one of the condition values in the policy. For no matching key or an empty data set, the condition returns false.

Answer 2

You can achieve this using Amazon Config.

Select Rules -> Add Rule -> required tag

You won't prevent someone from creating an instance without a tag, but you will be able to see it flagged in the Config dashboard, or you can trigger a SNS action to notify you via email.

Answer 3

Yes, you have to use the "ec2:CreateAction" condition to limit the tag creating while creating the resource (instance/volume) and "aws:RequestTag" condition to control which tag key-value is required to create the resource.

There are example policies here and for more information, please refer the blog .

Answer 4

Yes, it is very much possible for EC2 Creation with an option to choose from the tag values, Give it a try

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/Env": [
                        "Dev",
                        "Prod"
                    ]
                }
            }
        }
    ]
}