Unable to deny snapshot creation based on tags

1

A customer wants to deny creating resources unless it has specific tags. I'm currently working on EC2 snapshots, volumes, and instances with the following SCP:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAPPTAG2",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateVolume",
        "ec2:CreateSnapshot"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*::snapshot/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/application": "true"
        }
      }
    }
  ]
}

But this policy doesn't allow me to create an EC2 snapshot, regardless of whether I specify the tag or not, while it works as expected for creating an EBS volume or EC2 instance.

Now, if I separate ec2:CreateSnapshot into its own statement, it works as expected, like the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAPPTAG2",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateVolume"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/application": "true"
        }
      }
    },
    {
      "Sid": "GRAPPTAG3",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateSnapshot"
      ],
      "Resource": [
        "arn:aws:ec2:*::snapshot/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/application": "true"
        }
      }
    }
  ]
}

So I'd like to know why this is happening and if there is any way to combine them into a single statement. Thanks!

asked 4 years ago, 681 views
1 Answer
0
Accepted answer

The following policy ensures that EC2 instances, volumes and snapshots will only be launched if they have an "application" key with any value except a null value.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ec2:CreateSnapshot",
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/application": "?*"
                }
            }
        }
    ]
}
AWS
answered 4 years ago
  • I tried to implement something almost exactly like this without luck. Are we sure this works?
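As an added example (not code from the question or the answer), a small Python linter that flags the statement shape the question reports as failing: a Deny statement with an aws:RequestTag condition in which ec2:CreateSnapshot shares its Resource list with a volume ARN. The table UNTAGGED_SIDE_RESOURCES encodes my assumption, not something the page states, that CreateSnapshot is also authorized against the source volume, which the request's tags never apply to; the same check flags the accepted answer's statement, which lists the same actions and resources.

```python
import json
import re

# Assumption (not stated on the page): resource types an action is authorized
# against but never tags, so an aws:RequestTag condition can never be satisfied
# for them. ec2:CreateSnapshot is also evaluated against the source volume.
UNTAGGED_SIDE_RESOURCES = {"ec2:CreateSnapshot": {"volume"}}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _resource_type(arn):
    """'arn:aws:ec2:*:*:volume/*' -> 'volume'; '*' -> '*'; otherwise None."""
    if arn == "*":
        return "*"
    match = re.match(r"arn:[^:]*:ec2:[^:]*:[^:]*:([^/]+)/", arn)
    return match.group(1) if match else None

def _uses_request_tag(condition):
    return any(key.startswith("aws:RequestTag/")
               for operator in condition.values() for key in operator)

def find_tag_deny_conflicts(policy_json):
    """Return (Sid, action, arn) for each tag-enforcing Deny statement whose
    Resource list includes a resource the action is checked against but
    does not tag, so the statement denies even a correctly tagged request."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Deny" or not _uses_request_tag(stmt.get("Condition", {})):
            continue
        for action in _as_list(stmt.get("Action", [])):
            side_types = UNTAGGED_SIDE_RESOURCES.get(action)
            if not side_types:
                continue
            for arn in _as_list(stmt.get("Resource", [])):
                rtype = _resource_type(arn)
                if rtype == "*" or rtype in side_types:
                    findings.append((stmt.get("Sid", "<no Sid>"), action, arn))
    return findings

# Constructed sample: the combined statement from the question.
COMBINED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "GRAPPTAG2", "Effect": "Deny",
    "Action": ["ec2:RunInstances", "ec2:CreateVolume", "ec2:CreateSnapshot"],
    "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*",
                 "arn:aws:ec2:*::snapshot/*"],
    "Condition": {"Null": {"aws:RequestTag/application": "true"}}}]})
```

Running find_tag_deny_conflicts on COMBINED_POLICY reports the CreateSnapshot/volume pairing, while the split GRAPPTAG3 statement from the question, which lists only the snapshot ARN, produces no findings.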
