How to enforce Tag presence for AWS RDS

0

I have created the following SCP to enforce tag keys on certain resources. It is working fine in the case of EC2 and Lambda, but for RDS the AWS Console does not provide a way to add tags while creating an RDS instance. How do I accomplish this enforcement in the case of RDS? This is the SCP:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2CreationInfraOwnerTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/InfraOwner": "true"
        }
      }
    },
    {
      "Sid": "DenyEC2CreationProductTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Product": "true"
        }
      }
    },
    {
      "Sid": "DenyEC2CreationNameTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    },
    {
      "Sid": "DenyLambdaCreationInfraOwnerTag",
      "Effect": "Deny",
      "Action": [
        "lambda:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/InfraOwner": "true"
        }
      }
    },
    {
      "Sid": "DenyLambdaCreationProductTag",
      "Effect": "Deny",
      "Action": [
        "lambda:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Product": "true"
        }
      }
    },
    {
      "Sid": "DenyLambdaCreationNameTag",
      "Effect": "Deny",
      "Action": [
        "lambda:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    },
    {
      "Sid": "DenyRDSCreationInfraOwnerTag",
      "Effect": "Deny",
      "Action": [
        "rds:CreateDBInstance",
        "rds:CreateDBCluster"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/InfraOwner": "true"
        }
      }
    },
    {
      "Sid": "DenyRDSCreationProductTag",
      "Effect": "Deny",
      "Action": [
        "rds:CreateDBInstance",
        "rds:CreateDBCluster"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Product": "true"
        }
      }
    },
    {
      "Sid": "DenyRDSCreationNameTag",
      "Effect": "Deny",
      "Action": [
        "rds:CreateDBInstance",
        "rds:CreateDBCluster"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    },
    {
      "Sid": "DenyDynamoDBCreationNameTag",
      "Effect": "Deny",
      "Action": [
        "dynamodb:CreateTable"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    }
  ]
}

Also, please check the SCP: I am giving the tag Name for DynamoDB but I am not able to create the table. It gives this error: User: arn:aws:iam::458225596744:root is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:us-east-1:458225596744:table/ashish0001 with an explicit deny in a service control policy

1 Answer
0

There are a few issues going on here.

  1. For DynamoDB: you will not be able to perform the create-table action as currently listed, because you do not have the permission to TagResource, and you will likely also need UpdateTable and UntagResource, depending on whether there is an error in tagging. If you intend to create global tables, you will also need to add the CreateGlobalTable IAM permission.
  2. For the RDS requirement, it would be recommended to create a CloudFormation template with the required tags as required input parameters. When an RDS instance or cluster is needed, have the RDS template create the new instance or cluster; the tags will then be enforced, and the SCP will deny the removal of the tags from RDS. You can use the solution outlined in this documentation, which provides notifications for RDS creation and tag enforcement.

https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/enforce-automatic-tagging-of-amazon-rds-databases-at-launch.html

AWS
answered a year ago
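As an added illustration (not part of the question or the answer), the following Python evaluator models the one condition operator the SCP above relies on, IAM's Null operator on aws:RequestTag keys, over a constructed subset of the policy (the RDS and DynamoDB statements). It shows why a create call that carries no tags in the request, which is what a console launch sends, hits every Deny statement, while a create that passes the tags (for example from the CloudFormation template the answer recommends) is not denied by these statements; it deliberately models only the Null operator and action wildcards, so it cannot reproduce the DynamoDB error from the question, which the answer attributes to the missing TagResource permission rather than to the condition.

```python
import fnmatch
from typing import Dict, List

# Constructed subset of the SCP from the question (the RDS and DynamoDB statements).
# "Null": {"aws:RequestTag/<Key>": "true"} is satisfied when <Key> is absent from
# the request, so each statement denies a create call that omits its tag.
SCP = {
    "Statement": [
        {"Sid": "DenyRDSCreationInfraOwnerTag", "Effect": "Deny",
         "Action": ["rds:CreateDBInstance", "rds:CreateDBCluster"], "Resource": ["*"],
         "Condition": {"Null": {"aws:RequestTag/InfraOwner": "true"}}},
        {"Sid": "DenyRDSCreationProductTag", "Effect": "Deny",
         "Action": ["rds:CreateDBInstance", "rds:CreateDBCluster"], "Resource": ["*"],
         "Condition": {"Null": {"aws:RequestTag/Product": "true"}}},
        {"Sid": "DenyDynamoDBCreationNameTag", "Effect": "Deny",
         "Action": ["dynamodb:CreateTable"], "Resource": ["*"],
         "Condition": {"Null": {"aws:RequestTag/Name": "true"}}},
    ]
}

def null_condition_matches(cond: Dict[str, str], request_tags: Dict[str, str]) -> bool:
    """IAM Null operator: "true" matches when the key is absent, "false" when present.
    Every key in the block must match for the condition to be satisfied."""
    for key, value in cond.items():
        present = key.startswith("aws:RequestTag/") and key.split("/", 1)[1] in request_tags
        if (value == "true") == present:  # wanted absent but present, or vice versa
            return False
    return True

def explicit_denies(policy: dict, action: str, request_tags: Dict[str, str]) -> List[str]:
    """Sids of Deny statements that apply to a request. Only the Null operator and
    action wildcards are modelled, which is all the question's SCP uses."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # IAM action matching is case-insensitive; "*" matches any run of characters
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in stmt["Action"]):
            continue
        if null_condition_matches(stmt.get("Condition", {}).get("Null", {}), request_tags):
            hits.append(stmt["Sid"])
    return hits

def missing_required_tags(policy: dict, action: str, request_tags: Dict[str, str]) -> List[str]:
    """Tag keys the caller must add to the request before these denies stop applying."""
    denied = set(explicit_denies(policy, action, request_tags))
    keys = {k.split("/", 1)[1]
            for s in policy["Statement"] if s["Sid"] in denied
            for k in s["Condition"]["Null"]}
    return sorted(keys)
```

Feeding the same request once with an empty tag map and once with the tags a template would pass makes the difference between a console launch and a templated launch explicit before the policy is attached to an OU.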
