Hi, you may want to follow this detailed blog post: https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/
It combines SCPs and tag policies. Having proper tag policies in place is key, as per the post:
When a tag policy is applied to your AWS account, users are unable to create resources using noncompliant tags.
You can enforce specific tag policies by choosing the option 'prevent non-compliant operations for this tag', and selecting the resource types that support tag policy enforcement.
Please, also have a look at https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies-best-practices.html
Resources that have never had tags attached to them don't show as noncompliant in reports. Account administrators can still create untagged resources. In some cases, you can use a service control policy (SCP) to set guardrails around resource creation requests. For an example SCP, see Require a tag on specified created resources. To learn whether an AWS service supports controlling access using tags, see AWS Services that Work with IAM in the IAM User Guide. Look for the services that have Yes in the Authorization based on tags column. Choose the name of the service to view the authorization and access control documentation for that service.
So, you will have to check this table to see if the services that you use support controlling access using tags.
Best,
Didier
Hello!
It is hard to help with specifics in this case, but I would double-check if you applied your SCPs correctly. The overview is here: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
SCPs affect member accounts in your organization, not users in a management account. You will need to test your policies with a member account, as if you try the management account you may encounter your issue where you can still create untagged resources.
There are also exceptions to what SCPs can affect, detailed here: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#not-restricted-by-scp
Check to see if you are attempting to use SCPs to do any of these things.
I would also recommend checking if you are using the condition operator that would achieve your use case of blocking creation without tags. Currently the StringEquals operator would only deny creation with those specific tags. You can double-check which conditions do what with this resource: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html
This blog post also may be of use as it goes through creating a tagging strategy step-by-step: https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/
Again, it is hard to troubleshoot the exact issue without specific details. If you are still encountering issues, I would suggest perhaps reaching out to AWS Technical Support with specifics on your use case.
I want to enforce tagging in such a way that the user should not be able to create a resource if it is not tagged (any key/value).
While this is a valid ask, it is impossible to achieve because resource creation and tagging are not always an atomic API operation but two separate calls. If you are willing to limit yourself to a small number of services, it would be possible to create an IAM policy to do this, but you would have to explicitly list create actions with appropriate tags in conditions (and then hit the maximum policy length pretty soon).
I would recommend focusing on tag policies to retain high-quality tagging when tags are applied, and then use reporting (and other indirect methods) to encourage applying the tags voluntarily.
It took me a while, but I have this working:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLambda",
      "Effect": "Deny",
      "Action": [
        "lambda:CreateFunction"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/team": "true"
        }
      }
    }
  ]
}
Make sure it is attached to the right role as well!
And log out and back in to make sure the new policy is enabled.
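The two points made in the answers above (that a StringEquals condition only denies requests carrying those specific tag values, and that the Null operator is what actually catches a request with no tag at all) are easy to get backwards when reading policy JSON. The script below is an added example, not code from the original post, from AWS, or from any of the posters. It is a deliberately minimal model of IAM Deny evaluation covering only the Null and StringEquals operators and the aws:RequestTag/<key> context keys, and it runs offline against constructed request contexts. The SCP it embeds is an assumed variant of the working policy above, widened to ec2:RunInstances, lambda:CreateFunction and rds:CreateDBInstance; whether a given create action accepts tags in the request is exactly what the "Authorization based on tags" table linked earlier must be checked for. The action "example:CreateWidget" is hypothetical and stands for a create call that cannot carry tags.

```python
"""Minimal model of SCP/IAM Deny evaluation for the Null and StringEquals
operators on aws:RequestTag/<key> keys.  Constructed example, not AWS code."""
import fnmatch
import json

# Assumed SCP in the Null-condition style from the thread: deny the create
# call when the request carries no "team" tag at all.
REQUIRE_TEAM_TAG_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyCreateWithoutTeamTag",
    "Effect": "Deny",
    "Action": ["ec2:RunInstances", "lambda:CreateFunction", "rds:CreateDBInstance"],
    "Resource": "*",
    "Condition": {"Null": {"aws:RequestTag/team": "true"}}
  }]
}""")

# The StringEquals shape that does NOT enforce tagging: it matches only when
# team is one of the listed values, so an untagged request is never denied.
STRING_EQUALS_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyOnlySpecificTeamValues",
    "Effect": "Deny",
    "Action": ["lambda:CreateFunction"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestTag/team": ["alpha", "beta"]}}
  }]
}""")

# Hypothetical SCP applying the Null pattern to a create action that cannot
# carry tags (non-atomic create-then-tag service).  Because the context key is
# always absent, the Deny fires on every call: the pattern blocks the service
# outright rather than enforcing tagging.  Action name is invented.
NON_ATOMIC_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyWidgetWithoutTeamTag",
    "Effect": "Deny",
    "Action": ["example:CreateWidget"],
    "Resource": "*",
    "Condition": {"Null": {"aws:RequestTag/team": "true"}}
  }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Every operator/key pair in the Condition block must match (AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)  # None when the key is absent from the request
            if operator == "Null":
                # "true" matches when the key is missing, "false" when it is present.
                want_missing = str(_as_list(expected)[0]).lower() == "true"
                if (actual is None) != want_missing:
                    return False
            elif operator == "StringEquals":
                # A missing key never satisfies StringEquals.
                if actual is None or actual not in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def is_denied(policy, action, context):
    """True if any Deny statement in `policy` matches `action` under `context`."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def request_context(tags):
    """Context a create call carrying `tags` would present (constructed)."""
    return {f"aws:RequestTag/{k}": v for k, v in tags.items()}


def compare_policies(action, tags):
    """Outcome of the same request under the Null-based and StringEquals SCPs."""
    ctx = request_context(tags)
    return {
        "null_scp_denies": is_denied(REQUIRE_TEAM_TAG_SCP, action, ctx),
        "string_equals_scp_denies": is_denied(STRING_EQUALS_SCP, action, ctx),
    }


if __name__ == "__main__":
    for tags in ({}, {"owner": "bob"}, {"team": "payments"}, {"team": "alpha"}):
        print(tags, compare_policies("lambda:CreateFunction", tags))
    # Untaggable create call: the Null Deny fires even though nothing is wrong.
    print("widget:", is_denied(NON_ATOMIC_SCP, "example:CreateWidget", request_context({})))
```

Run it and the rows show the asymmetry: the Null-based SCP denies the untagged request and the one tagged only with owner, and allows any request that has a team tag, while the StringEquals SCP lets the untagged request through and denies only team=alpha or team=beta. The last line shows the caveat from the "impossible" answer: on a service whose create call takes no tags, the same Null statement denies every call, which is why the per-service table has to be checked before adding an action to such an SCP.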
Thank you, I have seen this blog earlier, but the SCPs mentioned there are not working as expected. Tag policies are working fine and only prevent users from creating non-compliant tags. I want to enforce tagging in such a way that the user should not be able to create a resource if it is not tagged (any key/value). The user should give a tag to the resource.