How can I ensure that AWS users are only able to delete the resources they have created?

0

How to ensure that AWS users can only delete the resources they created? Here's an example scenario: User A creates EC2_A, and User B creates EC2_B. I don't want User A to be able to delete EC2_B, and User B shouldn't be able to delete EC2_A. However, they should each be able to delete the EC2 instance they created themselves. How can I achieve this through policy?

asked 20 days ago, 154 views
3 Answers
2

Okay, you would like to force users to manage their own resources. There are multiple ways, however here is a simple solution.

  1. Deploy a Lambda function to force the TAGS for each resource created. Example reference
  • Assume that USER_A creates EC2_A - the Lambda function will need to trigger to add a TAG to the resource like "Owner": "USER_A"
  • The Lambda function helps if the user missed adding the TAG
  2. You can create an IAM policy. Example:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/CreatedBy": "${aws:username}"
                }
            }
        }
    ]
}

GK
answered 20 days ago
EXPERT
reviewed 20 days ago
  • Hi GK, Thank you for your response. Does this imply that I need to establish tags for my resources beforehand? Or can AWS determine the creator of resources and achieve my objectives through policies? Based on the example you provided, am I correct in understanding that I am restricting resources with a Tag key 'CreatedBy' and value '${aws:username}'?

  • @kerokero, you need to implement the TAGS solution before creating IAM policies, because if the policy is present but there are NO TAGS it doesn't make any sense to the solution. As suggested in my answer, you can implement automation using a Lambda function [because if the USER missed the TAG, Lambda can take care of this task] that can FORCE TAGS on the EC2 instances. Once Lambda is implemented you can add policies to the IAM Users or Groups. The ${aws:username} is an IAM policy variable provided by AWS Identity and Access Management (IAM). It's a dynamic variable that resolves to the username of the IAM user or the role making the request.

  • Hi GK, may I inquire if this method is applicable to all AWS services? While EC2 is used as an example, the primary hope is that users can solely operate on their own resources.
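The Lambda tagging step in this answer is only described, so here is an added example of what such a function looks like; it is not code from the thread. It is a Lambda-style handler that consumes the EventBridge event carrying the CloudTrail record for `RunInstances`, takes the launching identity from the record's `userIdentity` (the trustworthy source, rather than any tag the caller supplied in the request), and writes a `CreatedBy` tag that the policy above can key on. The EC2 client is injected so the logic runs offline against a fake; the event, account id and instance ids are constructed. One caveat the handler comments on: `${aws:username}` is only populated for IAM users, so for role sessions the recorded owner will not match a policy conditioned on that variable and you would condition on a different key instead.

```python
"""Auto-tag newly launched EC2 instances with the identity that launched them.

Added example (not from the original re:Post thread). A Lambda-style handler
for an EventBridge "AWS API Call via CloudTrail" event for RunInstances. It
derives the owner from the authenticated identity in the CloudTrail record
and writes it as a CreatedBy tag, so a tag-conditioned IAM policy can use it.
"""
from typing import Any

TAG_KEY = "CreatedBy"  # assumed tag key; must match the key used in the IAM Condition


def principal_name(user_identity: dict) -> str:
    """Name the IAM policy variable ${aws:username} would resolve to.

    ${aws:username} is only set for IAM users. For assumed roles IAM does not
    populate it, so we record role-name/session-name from the STS ARN for
    auditability; a policy keyed on ${aws:username} will not match that value.
    """
    itype = user_identity.get("type")
    if itype == "IAMUser":
        return user_identity["userName"]
    if itype == "AssumedRole":
        # arn:aws:sts::123456789012:assumed-role/RoleName/session-name
        return user_identity["arn"].split(":assumed-role/", 1)[1]
    raise ValueError(f"unsupported principal type: {itype}")


def instance_ids(detail: dict) -> list[str]:
    """Instance IDs appear in the RunInstances response, not in the request."""
    items = detail.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    return [i["instanceId"] for i in items]


def handler(event: dict, context: Any = None, ec2=None) -> dict:
    """EventBridge entry point. `ec2` is a boto3 EC2 client; it is injected here
    so tests can pass a fake, and created with boto3 only inside real Lambda."""
    if ec2 is None:
        import boto3  # assumed available in the Lambda runtime
        ec2 = boto3.client("ec2")
    detail = event["detail"]
    if detail.get("eventName") != "RunInstances" or "errorCode" in detail:
        return {"tagged": [], "owner": None}  # a failed launch created nothing
    owner = principal_name(detail["userIdentity"])
    ids = instance_ids(detail)
    if ids:
        # Always write the tag from the authenticated identity. Request tags are
        # caller-supplied data and are deliberately not consulted for ownership.
        ec2.create_tags(Resources=ids, Tags=[{"Key": TAG_KEY, "Value": owner}])
    return {"tagged": ids, "owner": owner}


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client that records create_tags calls."""

    def __init__(self):
        self.calls = []

    def create_tags(self, Resources, Tags):
        self.calls.append((tuple(Resources), tuple((t["Key"], t["Value"]) for t in Tags)))
        return {}


# Constructed sample event; the shape follows the CloudTrail RunInstances record.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "userIdentity": {"type": "IAMUser", "userName": "USER_A",
                         "arn": "arn:aws:iam::123456789012:user/USER_A"},
        "requestParameters": {
            # caller-supplied tag with a wrong owner value; the handler ignores it
            "tagSpecificationSet": {"items": [{"resourceType": "instance",
                "tags": [{"key": "CreatedBy", "value": "USER_B"}]}]}},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0aaaaaaaaaaaaaaa1"},
            {"instanceId": "i-0aaaaaaaaaaaaaaa2"}]}},
    },
}

if __name__ == "__main__":
    fake = FakeEC2()
    print(handler(SAMPLE_EVENT, ec2=fake))
    print(fake.calls)
```

In a real deployment the EventBridge rule would match `eventSource` `ec2.amazonaws.com` and `eventName` `RunInstances`, and the function's execution role needs `ec2:CreateTags`. Because the tag is written after the launch returns, there is a short window in which the instance is untagged, which is the gap the tag-on-create policy in the next answer closes.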

2

AWS doesn't automatically establish tags for you, or follow who created which resource. So the tagging suggested is the only way to do so.

You can write a policy that requires the tags to be put in, or the creation of the resource will fail; then you don't need a Lambda to go tag resources after they've been created:

Along these lines:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/CreatedBy": "${aws:username}"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/CreatedBy": "true"
        }
      }
    }
  ]
}

xanthic
answered 20 days ago
EXPERT
reviewed 20 days ago
  • Hi xanthic, Thank you for your response. This is a good approach, but based on Kallu's response, it may not be suitable for a very small portion of services.
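To see why the two statements above work together, here is an added example, not part of the original answer: a deliberately small policy evaluator that implements only the IAM semantics these policies rely on (an explicit Deny wins over any Allow, otherwise the default is an implicit deny; the `StringEquals` and `Null` condition operators; expansion of `${aws:username}`) and runs both this tag-on-create policy and the owner-only terminate policy from the first answer against constructed requests. The account id, instance id and request contexts are constructed, and the evaluator is a teaching model, not IAM itself.

```python
"""Offline walk-through of how the tag-on-create policy decides requests.

Added example, not from the original re:Post answer. Models just enough of
IAM's evaluation logic to show what each statement contributes: Deny beats
Allow, implicit deny otherwise; StringEquals and Null operators; the
${aws:username} variable. Everything below is constructed sample data.
"""
from fnmatch import fnmatchcase

# The tag-on-create policy from this answer.
TAG_ON_CREATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestTag/CreatedBy": "${aws:username}"}}},
        {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
         "Condition": {"Null": {"aws:RequestTag/CreatedBy": "true"}}},
    ],
}

# The owner-only terminate policy from the first answer.
OWNER_ONLY_TERMINATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:TerminateInstances",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/CreatedBy": "${aws:username}"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(template: str, ctx: dict) -> str:
    """Expand ${aws:username}; if it is unset the text stays literal and never matches."""
    if "aws:username" in ctx:
        return template.replace("${aws:username}", ctx["aws:username"])
    return template


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Every operator and every key in a Condition block must match (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                # Null "true" matches when the key is ABSENT from the request context,
                # "false" when it is present. This is what rejects untagged launches.
                if (expected == "true") != (not present):
                    return False
            elif operator == "StringEquals":
                if not present or ctx[key] != _substitute(expected, ctx):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is not modelled here")
    return True


def evaluate(policies, action: str, resource: str, ctx: dict) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    Action/Resource matching uses shell-style '*' globs, a simplification of
    IAM's wildcard rules (and IAM action names are case-insensitive, unlike here).
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_matches(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny ends evaluation
            decision = "Allow"
    return decision


def walkthrough() -> dict:
    """Constructed requests made by USER_A against both policies."""
    user_a = {"aws:username": "USER_A"}
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    return {
        "launch tagged with own name": evaluate(
            [TAG_ON_CREATE], "ec2:RunInstances", "*",
            {**user_a, "aws:RequestTag/CreatedBy": "USER_A"}),
        "launch without CreatedBy tag": evaluate(
            [TAG_ON_CREATE], "ec2:RunInstances", "*", user_a),
        "launch tagged with another user": evaluate(
            [TAG_ON_CREATE], "ec2:RunInstances", "*",
            {**user_a, "aws:RequestTag/CreatedBy": "USER_B"}),
        "terminate own instance": evaluate(
            [OWNER_ONLY_TERMINATE], "ec2:TerminateInstances", instance,
            {**user_a, "ec2:ResourceTag/CreatedBy": "USER_A"}),
        "terminate USER_B's instance": evaluate(
            [OWNER_ONLY_TERMINATE], "ec2:TerminateInstances", instance,
            {**user_a, "ec2:ResourceTag/CreatedBy": "USER_B"}),
    }


if __name__ == "__main__":
    for case, verdict in walkthrough().items():
        print(f"{case:34} -> {verdict}")
```

The walk-through shows the division of labour: the Allow statement only matches when the request tag equals the caller's own name, the Deny statement catches the untagged launch that the Allow would otherwise silently not cover, and a launch tagged with someone else's name falls through to the implicit deny. Two practical companions to this pattern in real IAM: `RunInstances` with tag specifications also needs `ec2:CreateTags` (usually granted with the `ec2:CreateAction` condition so it applies only at creation), and whoever can later call `ec2:CreateTags` or `ec2:DeleteTags` on the `CreatedBy` key can change ownership, so a Deny on those actions for that key (via `aws:TagKeys`) is the usual way to keep the owner tag authoritative.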

1

While the ask may sound simple & reasonable, it isn't simple (or even possible) to do so that it covers all the cases. If you limit it only to EC2 instances then something like @xanthic suggested would work. But if you need a more generic solution, not all resources support tagging at creation, so you cannot force a tag to be present when creating a resource. And some (niche?) services don't support tagging at all. If you can trust your users to do tagging right after the resource creation then it becomes easier in the generic case.

Another issue you will face rather sooner than later is that at some point users want to create an IAM policy themselves to assign permissions to an instance or function they create. This opens a can of worms, as it then also allows them to create policies that let them manage any resource. You can do a generic solution, using SCPs, building "walled gardens"* where a user can manage their own resources, including IAM policies. But as tagging isn't mandatory it cannot be 100% fool-proof.

The recommended way to do strong separation between 2 workloads is to have them in different AWS accounts. This is a bit of management overhead but will give you both freedom to do what you need and ensure separation not only in access but also in billing.

EXPERT
Kallu
answered 20 days ago
AWS
EXPERT
reviewed 19 days ago
  • Hi Kallu, thank you for your response. I believe I may need some time to digest the methods you've provided.
