对AWS中的所有服务强制执行标签策略

时间:2020-05-05 08:48:33

标签: amazon-web-services amazon-iam

我需要一个AWS IAM策略来对所有服务强制执行标记。 (不是一一对应)。 有可能吗?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreateSecretWithNoProjectTag",
      "Effect": "Deny",
      "Action": "secretsmanager:CreateSecret",
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Project": "true"
        }
      }
    },
    {
      "Sid": "DenyRunInstanceWithNoProjectTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Project": "true"
        }
      }
    },
    {
      "Sid": "DenyCreateSecretWithNoCostCenterTag",
      "Effect": "Deny",
      "Action": "secretsmanager:CreateSecret",
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter": "true"
        }
      }
    },
    {
      "Sid": "DenyRunInstanceWithNoCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter": "true"
        }
      }
    }
  ]
}

这来自AWS文档。我需要所有aws服务。

2 个答案:

答案 0 :(得分:1)

无法对所有可能的资源强制实施标记。我建议阅读AWS白皮书:

即使使用AWS Organization和TagPolicies,您也​​无法完全实施标签since

强制执行对没有标签创建的资源没有影响。

也仅具有AWS Organization的TagPolicies some resources are supported,而不是AWS中的所有可用资源。

白皮书建议使用CloudFormation和Service Catalog来主动标记资源

答案 1 :(得分:0)

如果该帐户是组织的一部分,则可以通过以下标记策略来强制实施:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html

如果没有,则可以使用必需标签的AWS配置规则:https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html

相关问题
最新问题