The infrastructure team at DevOpSpace always tries to prove that it is different from other organizations. So, when there is not much going on, the team invests time in learning and building proofs of concept that help us understand how things work, which in turn earns the team appreciation from customers. The JSON documents below were created by our team to enforce AWS tags when AWS resources are created, and we are sharing them with you too!
Both documents are IAM policies: one relates to EC2 instances and the other to EBS volumes. Starting with the first one:
Deny Creating EC2 Instance Without AWS Tags
This JSON-based IAM policy enforces tagging of EC2 instances at the time of creation. It blocks creating an EC2 instance without the pre-defined tag key. This removes the need for an AWS Lambda script that would automate the tagging process, for cases where you don't want to spend additional cost on that.
Policy comment: Tag based EC2 instance creation created by Team DevOpSpace

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2CreateInstanceWithTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1:AWSaccount:instance/*",
      "Condition": {
        "StringNotLike": {
          "aws:RequestTag/environment": "*"
        }
      }
    }
  ]
}
Deny Creating EBS Volumes Without AWS Tags
This JSON-based IAM policy enforces tagging of EBS volumes at the time of creation. It blocks creating an EBS volume without the pre-defined tag key, which ensures that a tag is present whenever an EBS volume is created.
Policy comment: Tag based EBS volume creation created by Team DevOpSpace

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EBSVolumeWithTag",
      "Effect": "Deny",
      "Action": "ec2:CreateVolume",
      "Resource": "arn:aws:ec2:us-east-1:AWSaccount:volume/*",
      "Condition": {
        "ForAllValues:StringEqualsIfExists": {
          "aws:RequestTag/environment": "*"
        }
      }
    }
  ]
}
There are placeholders in the policies (the account ID shown as AWSaccount, and the region) that have to be replaced with the appropriate values. The policies work even for a user who has full Allow permissions on EC2/EBS, because an explicit Deny always wins. Note that we have no control over the tag values, only over the presence of the tag key. Try this out and let us know how it goes.
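To see how the two Deny statements above behave before attaching them to a real principal, the following offline evaluator is an added example (not part of the original post or of any AWS SDK): it implements just the subset of the IAM condition language the two policies use (StringLike/StringNotLike, StringEquals with the ForAllValues and IfExists modifiers, and the missing-key rules for each) and runs sample RunInstances and CreateVolume requests through both policies. The account ID 123456789012, the instance and volume IDs, and the tag values are constructed placeholders standing in for the page's AWSaccount variable.

```python
"""Offline evaluator for the two tag-enforcing IAM Deny policies (added example).

Models only the operators the two policies use; the account id, resource ids and
tag values below are constructed placeholders, not real AWS values.
"""
import fnmatch

ACCOUNT = "123456789012"  # placeholder for the page's "AWSaccount" variable

EC2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EC2CreateInstanceWithTag",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/*",
        "Condition": {"StringNotLike": {"aws:RequestTag/environment": "*"}},
    }],
}

EBS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EBSVolumeWithTag",
        "Effect": "Deny",
        "Action": "ec2:CreateVolume",
        "Resource": f"arn:aws:ec2:us-east-1:{ACCOUNT}:volume/*",
        "Condition": {"ForAllValues:StringEqualsIfExists": {"aws:RequestTag/environment": "*"}},
    }],
}

INSTANCE_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0abc123def456"   # constructed
VOLUME_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:volume/vol-0abc123def456"    # constructed
OTHER_REGION_INSTANCE_ARN = f"arn:aws:ec2:us-west-2:{ACCOUNT}:instance/i-0abc123def456"


def _match(op, value, patterns):
    """One scalar comparison. StringEquals is an exact match: '*' is a literal there."""
    if op == "StringEquals":
        return value in patterns
    if op == "StringNotEquals":
        return value not in patterns
    if op == "StringLike":
        return any(fnmatch.fnmatchcase(value, p) for p in patterns)
    if op == "StringNotLike":
        return not any(fnmatch.fnmatchcase(value, p) for p in patterns)
    raise ValueError(f"unsupported operator {op}")


def condition_matches(condition, context):
    """Evaluate a Condition block against a request context (key -> list of values)."""
    for raw_op, pairs in condition.items():
        set_op, _, op = raw_op.rpartition(":")  # "ForAllValues:StringEquals" -> ("ForAllValues", "StringEquals")
        if_exists = op.endswith("IfExists")
        if if_exists:
            op = op[: -len("IfExists")]
        for key, expected in pairs.items():
            patterns = expected if isinstance(expected, list) else [expected]
            values = context.get(key)
            if values is None:
                # Missing key: IfExists, ForAllValues and the negated operators evaluate to
                # true (which is what makes both Deny statements fire on an untagged request).
                if if_exists or set_op == "ForAllValues" or op.startswith("StringNot"):
                    continue
                return False
            if set_op == "ForAllValues":
                ok = all(_match(op, v, patterns) for v in values)
            elif set_op == "ForAnyValue":
                ok = any(_match(op, v, patterns) for v in values)
            else:
                ok = _match(op, values[0], patterns)
            if not ok:
                return False
    return True


def explicit_deny(policy, action, resource, context):
    """True if any Deny statement in the policy matches the action, resource and context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def create_outcome(policy, action, resource, tags):
    """Outcome for a caller who is otherwise fully allowed on EC2, as the page assumes."""
    context = {f"aws:RequestTag/{k}": [v] for k, v in tags.items()}
    return "denied" if explicit_deny(policy, action, resource, context) else "allowed"


if __name__ == "__main__":
    for tags in ({}, {"Name": "web"}, {"environment": "prod"}):
        print("RunInstances", tags, "->", create_outcome(EC2_POLICY, "ec2:RunInstances", INSTANCE_ARN, tags))
    for tags in ({}, {"environment": "dev"}, {"environment": "*"}):
        print("CreateVolume", tags, "->", create_outcome(EBS_POLICY, "ec2:CreateVolume", VOLUME_ARN, tags))
```

Two things the sample runs make visible: the Resource ARNs pin both policies to us-east-1, so an identical request in another region is not denied, and the EBS policy's StringEquals compares the tag value against a literal "*" rather than a wildcard, so it denies an untagged request (via the missing-key rule) and a request whose environment value is literally "*", while the EC2 policy's StringNotLike "*" denies only the missing tag.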