How to enforce Tag presence for AWS RDS

0

I have created the following SCP to enforce a tag key on certain resources. It is working fine in the case of EC2 and Lambda. But for RDS, the AWS Console does not provide a way to add tags while creating an RDS instance. How do I accomplish this enforcement in the case of RDS? This is the SCP:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2CreationInfraOwnerTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/InfraOwner": "true"
        }
      }
    },
    {
      "Sid": "DenyEC2CreationProductTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Product": "true"
        }
      }
    },
    {
      "Sid": "DenyEC2CreationNameTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    },
    {
      "Sid": "DenyLambdaCreationInfraOwnerTag",
      "Effect": "Deny",
      "Action": [
        "lambda:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/InfraOwner": "true"
        }
      }
    },
    {
      "Sid": "DenyLambdaCreationProductTag",
      "Effect": "Deny",
      "Action": [
        "lambda:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Product": "true"
        }
      }
    },
    {
      "Sid": "DenyLambdaCreationNameTag",
      "Effect": "Deny",
      "Action": [
        "lambda:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    },
    {
      "Sid": "DenyRDSCreationInfraOwnerTag",
      "Effect": "Deny",
      "Action": [
        "rds:CreateDBInstance",
        "rds:CreateDBCluster"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/InfraOwner": "true"
        }
      }
    },
    {
      "Sid": "DenyRDSCreationProductTag",
      "Effect": "Deny",
      "Action": [
        "rds:CreateDBInstance",
        "rds:CreateDBCluster"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Product": "true"
        }
      }
    },
    {
      "Sid": "DenyRDSCreationNameTag",
      "Effect": "Deny",
      "Action": [
        "rds:CreateDBInstance",
        "rds:CreateDBCluster"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    },
    {
      "Sid": "DenyDynamoDBCreationNameTag",
      "Effect": "Deny",
      "Action": [
        "dynamodb:CreateTable"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    }
  ]
}

Also, please check the SCP. I am giving the tag Name for DynamoDB but I am not able to create the table; it gives this error: User: arn:aws:iam::458225596744:root is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:us-east-1:458225596744:table/ashish0001 with an explicit deny in a service control policy
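Two points a practitioner would check in the policy above, followed by an added SCP statement that is an example written for this page, not part of the original question or answer. First, ec2:StartInstances carries no tags in its request, so aws:RequestTag/InfraOwner (and the other two keys) is always absent for that call; the Null condition therefore matches every StartInstances request and denies it. Create-time tag checks belong on ec2:RunInstances only; conditions on actions against existing resources use aws:ResourceTag. Second, nothing in the policy prevents the required tags from being removed after creation, which is the gap the statement below closes: it denies the untag actions whenever the request names any of the required keys (aws:TagKeys with the ForAnyValue set operator). The tag key names are the ones from the question. The Service Authorization Reference lists aws:TagKeys as a supported condition key for rds:RemoveTagsFromResource and ec2:DeleteTags; the Lambda and DynamoDB untag actions are included on the assumption that they support it as well, so confirm that before relying on them.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRemovalOfRequiredTags",
      "Effect": "Deny",
      "Action": [
        "rds:RemoveTagsFromResource",
        "ec2:DeleteTags",
        "lambda:UntagResource",
        "dynamodb:UntagResource"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "InfraOwner",
            "Product",
            "Name"
          ]
        }
      }
    }
  ]
}
```

Add this as one more statement alongside the existing Deny statements. SCP evaluation is deny-wins, and an SCP that contains only Deny statements grants nothing by itself, so the FullAWSAccess policy (or an equivalent Allow) must remain attached to the same OU or account. A user who needs to change the value of a required tag can still call the tag-add action, since adding a tag with an existing key overwrites its value without an untag call.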

1 answer
0

There are a few issues going on here.

  1. For DynamoDB - You will not be able to perform the action for creating the table as currently listed because you do not have the permission for TagResource, and it is likely you will need UpdateTable and UntagResource, depending on whether there is an error in tagging. If you intend to create global tables, you will also need to add the CreateGlobalTable IAM permission.
  2. For the RDS requirement, it is recommended to create a CloudFormation template with the required tags as required input parameters. When an RDS instance or cluster is needed, have the RDS template create the new instance or cluster; the tags will be enforced, and the SCP will deny the removal of the tags from RDS. You can also use the solution outlined in this documentation, which provides notifications for RDS creation and tag enforcement.

https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/enforce-automatic-tagging-of-amazon-rds-databases-at-launch.html

AWS
answered a year ago
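The template approach from point 2 of the answer, as an added example that is not part of the original answer: a CloudFormation template in which the three required tag values are parameters with no default and a minimum length of 1, so a stack cannot be created or updated without supplying them, and the instance's Tags are bound to those parameters. CloudFormation includes the tags in the CreateDBInstance call it makes on the stack's behalf, which is what the SCP's aws:RequestTag conditions look for. The engine, instance class, storage size and the DBSubnetGroupName parameter (assumed to name an existing subnet group) are placeholder choices for the example; ManageMasterUserPassword hands the master password to Secrets Manager so it never appears in the template or in a parameter.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "RDS instance whose required tags are mandatory template parameters",
  "Parameters": {
    "InfraOwner": {
      "Type": "String",
      "MinLength": 1,
      "Description": "Team or person responsible for the instance (required tag)"
    },
    "Product": {
      "Type": "String",
      "MinLength": 1,
      "Description": "Product the instance belongs to (required tag)"
    },
    "Name": {
      "Type": "String",
      "MinLength": 1,
      "Description": "Value for the Name tag (required tag)"
    },
    "DBSubnetGroupName": {
      "Type": "String",
      "MinLength": 1,
      "Description": "Existing DB subnet group in private subnets (assumed to exist)"
    },
    "DBInstanceClass": {
      "Type": "String",
      "Default": "db.t3.micro"
    }
  },
  "Resources": {
    "Database": {
      "Type": "AWS::RDS::DBInstance",
      "DeletionPolicy": "Snapshot",
      "Properties": {
        "Engine": "postgres",
        "DBInstanceClass": { "Ref": "DBInstanceClass" },
        "AllocatedStorage": "20",
        "StorageEncrypted": true,
        "PubliclyAccessible": false,
        "DBSubnetGroupName": { "Ref": "DBSubnetGroupName" },
        "MasterUsername": "dbadmin",
        "ManageMasterUserPassword": true,
        "Tags": [
          { "Key": "InfraOwner", "Value": { "Ref": "InfraOwner" } },
          { "Key": "Product", "Value": { "Ref": "Product" } },
          { "Key": "Name", "Value": { "Ref": "Name" } }
        ]
      }
    }
  },
  "Outputs": {
    "Endpoint": {
      "Value": { "Fn::GetAtt": [ "Database", "Endpoint.Address" ] }
    }
  }
}
```

The role that deploys the stack needs rds:CreateDBInstance and rds:AddTagsToResource, because RDS checks the latter when tags are supplied at creation; without it the create call fails even though the SCP's condition is satisfied. Restricting console and CLI users to this template (for example through a CloudFormation service role or a Service Catalog product) is what turns "the console has no tag field at creation" from a gap into a non-issue, since the only permitted creation path always carries the tags.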
