Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Tagging policy at account level

0

I tried to define a tagging policy (for ec2 instance) at Org level and have attached to a child account. JSON looks something like below. I’m not able to see any tags after instance creation in the child account. However, if I try to manually add the tag for same key, it does evaluate as per the policy . Say - I can define a tag with key as ‘Function’ and value as ‘Devops’ , I’m not allowed add a tag with other value with the Function as key . Is this the expected behaviour, any leads ?

{
    "tags": {
        "Function": {
            "tag_key": {  
                "@@assign": "Function"  
            },  
            "tag_value": {  
                "@@assign": [  
                    "Devops",  
                    "DevOps"  
                ]  
            },  
            "enforced_for": {  
                "@@assign": [  
                    "ec2:elastic-ip",  
                    "ec2:instance",  
                    "ec2:volume"  
                ]  
            }  
        },  
        "Name": {  
            "tag_key": {  
                "@@assign": "Name"  
            },  
            "enforced_for": {  
                "@@assign": [  
                    "ec2:instance"  
                ]  
            }  
        },  
        "Instance Owner": {  
            "tag_key": {  
                "@@assign": "Instance Owner"  
            },  
            "tag_value": {  
                "@@assign": [  
                    "*example.com"
                ]
            },
            "enforced_for": {
                "@@assign": [
                    "ec2:instance"
                ]
            }
        }
    }
}
Themen
Management & Unternehmensführung
Tags
AWS Organisationen
Sprache
English
AWS-User-8924015
gefragt vor 4 Jahren585 Aufrufe
1 Antwort
0
Akzeptierte Antwort

This is the expected behaviour; Tag Policies only enforce values for tags which are present and do not enforce the presence of a tag: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies-enforcement.html

As alternatives you could specify in the IAM policy that the tag must be specified on creation of the resource, and/or you can use AWS Config to report compliance on tag presence or not.

profile pictureAWS
EXPERTE
James_S
beantwortet vor 4 Jahren
profile picture
EXPERTE
Giovanni Lauria
überprüft vor 23 Tagen

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt