- 최신
- 최다 투표
- 가장 많은 댓글
Hi There
If you are not using tags, how are you differentiation between dev, stage, and prod resources if everything is in one account? Example, how do you know which is a dev EC2 instance vs a Prod ec2 instance? You need to use some form of tagging, and then create permissions policies and roles based on those tags. See https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html
We also recommend adopt a multi-account strategy, and separate workloads into different AWS accounts. This way, you use the AWS Account as the security boundary. Example, all Dev resources go into the Dev account, and you grant permissions to the account to your dev users, rather than individual resources. You can use tag based policies above to further reduce the permissions to adhere to the principle of least-privilege. See https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.html
Thanks. One more question. Your answer with tags relates to existing resources. But what if to create new resources? Is there a chance to apply the policy to prevent resources creation without tags?
Absolutely. You can use tag policies and SCP to disallow the creation of new resources unless the tags that you specify are included. See https://aws.amazon.com/premiumsupport/knowledge-center/organizations-scp-tag-policies/