IAM Tag policy for EC2 instances

0

How can I prevent a specific IAM user to delete or change tags assigned to an EC2 instance? I am OK with the user to be able to add new tags.

Thanks!

2 回答
1
已接受的回答

You can add an IAM policy to your IAM user that has an allow for ec2:CreateTags and a deny for ec2:DeleteTags. Currently, these are the only tag-related permissions available for EC2 service, along with ec2:DescribeTags.

Note that for existing tags, when you change or update the Tag Key, both ec2:DeleteTags and ec2:CreateTags actions will be performed. If you update change or update the Tag Value, ec2:CreateTags action will be performed.

Check this reference that has an example for using tags: https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/

profile picture
joahna
已回答 1 年前
0

You could use an SCP to manage who is able to change tags. There are some tagging examples on this page : https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_tagging.html

已回答 1 年前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则