Unable to deny snapshot creation based on tags

1

A customer wants to deny creating resources unless it has specific tags. I'm currently working on EC2 snapshots, volumes, and instances with the following SCP:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAPPTAG2",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateVolume",
        "ec2:CreateSnapshot"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*::snapshot/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/application": "true"
        }
      }
    }
  ]
}

But this policy doesn't allow me to create an EC2 snapshot, regardless of whether I specify the tag or not, although it works as expected for creating an EBS volume or an EC2 instance.

Now, if I separate ec2:CreateSnapshot into its own statement, it works as expected, like the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAPPTAG2",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateVolume"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/application": "true"
        }
      }
    },
    {
      "Sid": "GRAPPTAG3",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateSnapshot"
      ],
      "Resource": [
        "arn:aws:ec2:*::snapshot/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/application": "true"
        }
      }
    }
  ]
}

So I'd like to know why this is happening and if there is any way to combine them into a single statement. Thanks!

Asked 4 years ago, viewed 681 times
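Added example, not code from the thread: a small Python model of how an SCP Deny statement is evaluated against each resource an API call touches, which reproduces the behaviour described in the question. It assumes, following the IAM action reference for ec2:CreateSnapshot, that the call is authorized against both the source volume and the new snapshot and that aws:RequestTag keys are only populated for the snapshot resource; the ARNs, account id and tag value are constructed, and only the Null operator is modelled.

```python
import fnmatch

# Constructed model (this example's assumption, from the IAM action reference):
# ec2:CreateSnapshot is authorized against the new snapshot AND the source volume,
# and aws:RequestTag/* only exists for the snapshot. Second field: do RequestTag
# keys exist for that resource? ARNs and account id below are made up.
ACTION_RESOURCES = {
    "ec2:RunInstances": [("arn:aws:ec2:us-east-1:111122223333:instance/i-0abc", True)],
    "ec2:CreateVolume": [("arn:aws:ec2:us-east-1:111122223333:volume/vol-0abc", True)],
    "ec2:CreateSnapshot": [
        ("arn:aws:ec2:us-east-1::snapshot/snap-0abc", True),
        ("arn:aws:ec2:us-east-1:111122223333:volume/vol-0abc", False),
    ],
}

def deny_if_untagged(sid, actions, resources):
    """Build a Deny statement of the shape used in the question."""
    return {"Sid": sid, "Effect": "Deny", "Action": actions, "Resource": resources,
            "Condition": {"Null": {"aws:RequestTag/application": "true"}}}

# The two policies from the question, expressed as Python dicts.
COMBINED = {"Statement": [deny_if_untagged(
    "GRAPPTAG2", ["ec2:RunInstances", "ec2:CreateVolume", "ec2:CreateSnapshot"],
    ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*::snapshot/*"])]}
SPLIT = {"Statement": [
    deny_if_untagged("GRAPPTAG2", ["ec2:RunInstances", "ec2:CreateVolume"],
                     ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"]),
    deny_if_untagged("GRAPPTAG3", ["ec2:CreateSnapshot"], ["arn:aws:ec2:*::snapshot/*"])]}

def null_condition_matches(condition, request_tags, tags_apply):
    """Only the Null operator is modelled: a key absent from the context is null."""
    for key, want_null in condition.get("Null", {}).items():
        tag_key = key.split("/", 1)[1]
        is_null = not (tags_apply and tag_key in request_tags)
        if is_null != (want_null == "true"):
            return False
    return True

def evaluate(policy, action, request_tags):
    """Return ('ALLOW', None, None) or ('DENY', sid, arn of the resource that matched)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        for arn, tags_apply in ACTION_RESOURCES[action]:
            if not any(fnmatch.fnmatchcase(arn, p) for p in stmt["Resource"]):
                continue  # this resource is not covered by the statement
            if null_condition_matches(stmt["Condition"], request_tags, tags_apply):
                return ("DENY", stmt["Sid"], arn)
    return ("ALLOW", None, None)
```

Run `evaluate(COMBINED, "ec2:CreateSnapshot", {"application": "crm"})` and the Deny fires on the volume ARN, because the combined statement's `volume/*` pattern also covers the source volume, where the request tag key is absent; in `SPLIT` the snapshot statement names only `snapshot/*`, so the tagged call is allowed.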
1 Answer
0
Accepted Answer

The following policy ensures that EC2 instances, volumes and snapshots will only be launched if they have an "application" key with any value except a null value.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ec2:CreateSnapshot",
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/application": "?*"
                }
            }
        }
    ]
}
AWS
Answered 4 years ago
  • I tried to implement something almost exactly like this without luck. Are we sure this works?
