
IAM Tag policy for EC2 instances

0

How can I prevent a specific IAM user from deleting or changing tags assigned to an EC2 instance? I am OK with the user being able to add new tags.

Thanks!

2 Answers
1
Accepted answer

You can add an IAM policy to your IAM user that has an allow for ec2:CreateTags and a deny for ec2:DeleteTags. Currently, these are the only tag-related permissions available for the EC2 service, along with ec2:DescribeTags.

Note that for existing tags, when you change or update the Tag Key, both the ec2:DeleteTags and ec2:CreateTags actions will be performed. If you change or update the Tag Value, only the ec2:CreateTags action will be performed.

Check this reference that has an example for using tags: https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/

answered 2 years ago
EXPERT
verified 5 months ago
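The policy the accepted answer describes, written out as an added example (this is not code from the original answer). The policy document is the part you would attach to the user; the small `evaluate` function is a deliberately simplified local model of IAM's evaluation order (explicit Deny beats Allow, no match is an implicit deny) with conditions and resource scoping left out, used here only to show which of the four tag operations the policy permits. `Resource: "*"` and the statement Sids are assumptions; in practice scope the resource to the instance ARNs you mean. The run also makes the answer's caveat concrete: renaming a key needs ec2:DeleteTags and is blocked, but overwriting a value only needs ec2:CreateTags, so this policy cannot stop value changes on existing tags.

```python
import fnmatch
import json

# IAM identity policy from the accepted answer: allow tag creation on EC2,
# explicitly deny tag deletion. Resource "*" and the Sids are assumptions;
# scope the resource to specific instance ARNs in a real deployment.
TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAddingTags",
            "Effect": "Allow",
            "Action": ["ec2:CreateTags", "ec2:DescribeTags"],
            "Resource": "*",
        },
        {
            "Sid": "DenyRemovingTags",
            "Effect": "Deny",
            "Action": "ec2:DeleteTags",
            "Resource": "*",
        },
    ],
}


def policy_json() -> str:
    """Return the policy document as it would be attached via the console or CLI."""
    return json.dumps(TAG_POLICY, indent=2)


def evaluate(policy: dict, action: str) -> str:
    """Simplified, local model of IAM evaluation for a single action.

    Mirrors the documented ordering: an explicit Deny wins over any Allow,
    a matching Allow grants, and no matching statement is an implicit deny.
    Conditions and resource scoping are deliberately left out of this model.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        # IAM action patterns may contain wildcards such as "ec2:*Tags".
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


# Tag operations and the EC2 API actions each one performs, as described in
# the accepted answer (changing a key is a delete plus a create).
TAG_OPERATIONS = {
    "add new tag": ["ec2:CreateTags"],
    "change tag value": ["ec2:CreateTags"],
    "change tag key": ["ec2:DeleteTags", "ec2:CreateTags"],
    "delete tag": ["ec2:DeleteTags"],
}


def operation_allowed(policy: dict, operation: str) -> bool:
    """An operation succeeds only if every API action it needs is allowed."""
    return all(evaluate(policy, a) == "Allow" for a in TAG_OPERATIONS[operation])


if __name__ == "__main__":
    print(policy_json())
    for op in TAG_OPERATIONS:
        verdict = "allowed" if operation_allowed(TAG_POLICY, op) else "denied"
        print(f"{op:18} -> {verdict}")
```

Running the script prints the policy followed by the verdict for each operation: adding a tag and changing a value are allowed, renaming a key and deleting a tag are denied. If overwriting existing values must also be blocked, this policy alone is not enough; an organization-level guardrail that restricts ec2:CreateTags to specific principals (the SCP approach in the other answer) is the usual next step.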
0

You could use an SCP to manage who is able to change tags. There are some tagging examples on this page: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_tagging.html

answered 2 years ago
