EC2 IAM policy to require tags

0 votes

AWS just released required tag support for EC2/EBS: New – Tag EC2 Instances & EBS Volumes on Creation.

However, the example given only checks if tags have a fixed value, which isn't useful to us because our users can enter free-form values for required tags. How can a policy be written to check that tags are present?

For example, we need something like this:

"Statement": [
    {
      "Sid": "DenyMissingTags",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
      "Condition": {
        "StringExists": [
          "aws:RequestTag/costcenter",
          "aws:RequestTag/stack"
        ]
      }
    }
]

Obviously, I made up StringExists.

May 15, 2019 in AWS by ArchanaNagur
• 2,360 points
1,588 views

1 answer to this question.

0 votes
Use StringLike or StringNotLike to do your work
  "Condition": {
    "StringEquals": {
      "aws:RequestTag/costcenter": "115",
      "aws:RequestTag/stack": "prod"
    },
    "ForAllValues:StringEquals": {
      "aws:TagKeys": ["costcenter", "stack"]
    }
  }
answered May 15, 2019 by sunshine
• 1,300 points
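
An added example, not part of either post above: IAM's `Null` condition operator tests whether a condition key is present in the request, so a Deny on `"aws:RequestTag/<key>": "true"` rejects a launch that omits the tag, whatever value the user would have typed. Each required tag gets its own statement because several keys under one operator are ANDed, which would deny only when every tag is missing. The ARN and the `accountid` placeholder are taken from the question; the `Sid` names are made up here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutCostcenter",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/costcenter": "true"
        }
      }
    },
    {
      "Sid": "DenyRunInstancesWithoutStack",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/stack": "true"
        }
      }
    }
  ]
}
```

These statements only deny; the principal still needs Allow statements for `ec2:RunInstances` and `ec2:CreateTags` so that tags can be applied at launch.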
