User creates services already tagged

Hello everyone,

We have a user from outside our organization who will do some things in the AWS console, such as Glue, Athena, and Lambda. However, I want to know whether there is a way for me to set the user, or his policy, so that all services he creates are tagged with the tags that I set.

3 Answers

Hi

  • Here is an example below: you can define a condition key that checks for the presence of specific tags on the resource being created
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:*",
        "athena:*",
        "lambda:*"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*/*",
        "arn:aws:athena:*:*:workgroup/*",
        "arn:aws:lambda:*:*:function:*"
      ],
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/tagName1": "value1",
          "aws:ResourceTag/tagName2": "value2"
        }
      }
    }
  ]
}

EXPERT, answered a year ago
  • Thanks, I'll try that

  • To expand on that policy piece, if you were to provide that external user access to an IAM role in your AWS account with such a tag-based policy attached, then they would not be able to create, view or edit any resources that did not have those tags that you defined. Thus the user will be mandated to create resources with those specified tags, achieving your end goal :)


Hello Marcelo,

As far as I know, there are no native solutions that can automate the tagging based on user, but you can enforce tagging in your environment as described here.

With that said, AWS provides building blocks that you can use to tag the resources automatically as described here and here

Let me know if this helps.

Best regards, Mukul Dharwadkar

answered a year ago
AWS EXPERT, reviewed a year ago
  • Thanks! I'll check the links


There is another way to look at it. How about if you set a permission boundary or Service Control Policy (SCP), which restricts the user from creating resources that are not appropriately tagged?

Refer to the following blog and re:Post Knowledge Center article:

Comment here if you have additional questions. Happy to help.

Abhishek

AWS EXPERT, answered a year ago
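The first answer's policy and the SCP / permission-boundary idea in the answer above both hinge on IAM tag condition keys, and AWS evaluates them differently: aws:ResourceTag refers to tags already on an existing resource, whereas a Create call is checked against the tags sent with the request, which is what aws:RequestTag and aws:TagKeys match on. The script below is an added example written for this page (it is not code from the thread, from AWS, or from any of the linked articles). It builds an identity policy that only allows creation when the required tags are supplied and only allows updates to already-tagged resources, builds an SCP-style Deny guard, and runs both through a small local evaluator on constructed requests. The tag keys CostCenter and Owner, their values, and the action lists are placeholders; the evaluator only implements the condition operators it needs and is a model of the explicit-deny / allow ordering, not the real AWS policy engine.

```python
"""Added example, not code from the re:Post thread or from AWS: build the two
policy documents the answers above describe and evaluate them locally against
constructed sample requests.

Assumed placeholders (not from the page): tag keys CostCenter and Owner, the
values below, and the action names in CREATE_ACTIONS / UPDATE_ACTIONS. The
evaluator implements only the condition operators in _condition_matches and
the explicit-deny / allow ordering; it is a model, not the AWS policy engine.
"""
from fnmatch import fnmatch

REQUIRED_TAGS = {"CostCenter": "ext-1234", "Owner": "data-team"}  # constructed
CREATE_ACTIONS = ["glue:CreateJob", "glue:CreateTable",
                  "athena:CreateWorkGroup", "lambda:CreateFunction"]
UPDATE_ACTIONS = ["glue:UpdateJob", "athena:UpdateWorkGroup",
                  "lambda:UpdateFunctionCode", "lambda:DeleteFunction"]


def identity_policy(required):
    """Identity policy for the external role: creation is allowed only when every
    required tag is in the request (aws:RequestTag) and no other tag keys are
    used (aws:TagKeys); existing resources may be touched only if they already
    carry the tags (aws:ResourceTag). Keys inside one operator are ANDed."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "CreateOnlyWithRequiredTags", "Effect": "Allow",
         "Action": CREATE_ACTIONS, "Resource": "*",
         "Condition": {
             "StringEquals": {f"aws:RequestTag/{k}": v for k, v in required.items()},
             "ForAllValues:StringEquals": {"aws:TagKeys": list(required)}}},
        {"Sid": "TouchOnlyTaggedResources", "Effect": "Allow",
         "Action": UPDATE_ACTIONS, "Resource": "*",
         "Condition": {
             "StringEquals": {f"aws:ResourceTag/{k}": v for k, v in required.items()}}},
    ]}


def scp_require_tags(required):
    """SCP / permission-boundary guard: one Deny statement per required tag.
    Negated operators match when the key is absent, so StringNotEquals covers
    both a missing tag and a wrong value. One statement per tag matters: keys
    inside a single operator are ANDed, so one statement listing every tag
    would only deny when *all* of them are wrong (see scp_single_statement)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": f"DenyCreateWithout{k}", "Effect": "Deny",
         "Action": CREATE_ACTIONS, "Resource": "*",
         "Condition": {"StringNotEquals": {f"aws:RequestTag/{k}": v}}}
        for k, v in required.items()]}


def scp_single_statement(required):
    """The tempting but wrong variant: all tags in one StringNotEquals block."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyCreateWithoutTagsWRONG", "Effect": "Deny",
         "Action": CREATE_ACTIONS, "Resource": "*",
         "Condition": {"StringNotEquals":
                       {f"aws:RequestTag/{k}": v for k, v in required.items()}}}]}


ALLOW_ALL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _condition_matches(op, key, expected, ctx):
    """Evaluate one condition key against the simulated request context."""
    wanted = expected if isinstance(expected, list) else [expected]
    actual = ctx.get(key)
    if op == "StringEquals":
        return actual in wanted
    if op == "StringNotEquals":              # negated operator: missing key matches
        return actual not in wanted
    if op == "Null":
        return (actual is None) == (wanted[0] == "true")
    if op == "ForAllValues:StringEquals":    # multi-valued key; empty set matches
        return set(actual or []).issubset(wanted)
    raise ValueError(f"unsupported operator {op}")


def evaluate(policies, action, request_tags, resource_tags=None):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for a simulated call.
    An explicit Deny in any policy wins; otherwise one Allow must match."""
    ctx = {f"aws:RequestTag/{k}": v for k, v in request_tags.items()}
    ctx["aws:TagKeys"] = list(request_tags)
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in (resource_tags or {}).items()})
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if not any(fnmatch(action, pattern) for pattern in actions):
                continue
            conds = stmt.get("Condition", {})
            if all(_condition_matches(op, k, v, ctx)
                   for op, pairs in conds.items() for k, v in pairs.items()):
                if stmt["Effect"] == "Deny":
                    return "explicitDeny"
                allowed = True
    return "allowed" if allowed else "implicitDeny"


if __name__ == "__main__":
    guarded = [identity_policy(REQUIRED_TAGS), scp_require_tags(REQUIRED_TAGS)]
    print(evaluate(guarded, "lambda:CreateFunction", dict(REQUIRED_TAGS)))
    print(evaluate(guarded, "lambda:CreateFunction", {"CostCenter": "ext-1234"}))
    print(evaluate([ALLOW_ALL, scp_single_statement(REQUIRED_TAGS)],
                   "lambda:CreateFunction", {"CostCenter": "ext-1234"}))
```

Two behaviours are worth checking before copying a policy like this into an account: a request carrying an extra tag key is not allowed by the identity policy (aws:TagKeys is restricted with ForAllValues), and the single-statement Deny variant lets a request through when only one of the required tags is missing, because condition keys under one operator are ANDed. The real policy simulator (iam:SimulatePrincipalPolicy) is the right place to confirm the same cases against the actual engine.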
