Unable to create Tag to restrict resource deployment

Requirement: We are trying to restrict users resource provisioning with Tags and any instance created should be successful only if Key1 = "UserID"

Followed this article but it is not working

https://aws.amazon.com/premiumsupport/knowledge-center/iam-policy-tags-restrict/

Topics

Compute

Tags

Amazon EC2

Language

English

AWS-User-2034690

asked 2 years ago278 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

That article should be fine, though it's a bit confusing! As it says, "Note: Modify key1 and value1 in the example policies to include the tags and values that apply to your resources". So are you using their examples with "key1" replaced by "UserID"?

Since your tag is "UserID" I'm guessing you want to make sure any instance created has this tag key, but you don't care about the specific value. So the section "Launch EC2 instances that have at least one matching tag key" is what you're after? If so, e.g.:

"Condition": {
  "ForAnyValue:StringEquals": {
    "aws:TagKeys": [
      "UserID"
    ]
  }
}

EXPERT

skinsman

answered 2 years ago

AWS-User-2034690
2 years ago
Hi,

Tried with changes mentioned above still able to create instances without tag

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowToDescribeAll", "Effect": "Allow", "Action": [ "ec2:Describe*" ], "Resource": "" }, { "Sid": "AllowRunInstances", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:::image/", "arn:aws:ec2:::snapshot/", "arn:aws:ec2:::subnet/", "arn:aws:ec2:::network-interface/", "arn:aws:ec2:::security-group/", "arn:aws:ec2:::key-pair/" ] }, { "Sid": "AllowRunInstancesWithRestrictions", "Effect": "Allow", "Action": [ "ec2:CreateVolume", "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:::volume/", "arn:aws:ec2:::instance/", "arn:aws:ec2:::network-interface/" ], "Condition": { "StringEquals": { "aws:RequestTag/key1": "value1", "aws:RequestTag/key2": "value2" }, "ForAnyValue:StringEquals": { "aws:TagKeys": [ "key1", "

Relevant content

How to enforce tags while creating any kind of resource in AWS?
satheeshkumaru
asked 2 years ago
SCP to restrict create resource
Accepted Answer
JD
asked 2 months ago
Organisation level tag policies are not enforcing tags while creating resources
keyanke
asked 6 months ago
Restricting user access to AWS resources within an account
AWS-User-2695166
asked 2 years ago
How do I restrict access so that users launch Amazon EC2 instances from only tagged AMIs?
AWS OFFICIALUpdated 4 months ago
How can I use SCPs and tag policies to prevent users in my AWS Organizations member accounts from creating resources?
AWS OFFICIALUpdated 2 years ago
How do I use the PrincipalTag, ResourceTag, RequestTag, and TagKeys condition keys to create an IAM policy for tag-based restriction?
AWS OFFICIALUpdated 2 months ago
How can I use IAM policy tags to restrict how an EC2 instance or EBS volume can be created?
AWS OFFICIALUpdated 2 years ago
Provisioning with Tags on VMware Cloud on AWS using Terraform
EXPERT
Puneet Arora
published 10 months ago
How to add tags to existing jobs in AWS Elemental MediaConvert
EXPERT
Bo_L
published 5 months ago