Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso

IAM Tag policy for EC2 instances

0

How can I prevent a specific IAM user to delete or change tags assigned to an EC2 instance? I am OK with the user to be able to add new tags.

Thanks!

2 Respuestas
1
Respuesta aceptada

You can add an IAM policy to your IAM user that has an allow for ec2:CreateTags and a deny for ec2:DeleteTags. Currently, these are the only tag-related permissions available for EC2 service, along with ec2:DescribeTags.

Note that for existing tags, when you change or update the Tag Key, both ec2:DeleteTags and ec2:CreateTags actions will be performed. If you update change or update the Tag Value, ec2:CreateTags action will be performed.

Check this reference that has an example for using tags: https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/

profile picture
respondido hace 2 años
profile picture
EXPERTO
revisado hace 5 meses
0

You could use an SCP to manage who is able to change tags. There are some tagging examples on this page : https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_tagging.html

respondido hace 2 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas