You can add an IAM policy to your IAM user that has an allow for `ec2:CreateTags` and a deny for `ec2:DeleteTags`. Currently, these are the only tag-related permissions available for the EC2 service, along with `ec2:DescribeTags`.

Note that for existing tags, when you change or update the Tag Key, both the `ec2:DeleteTags` and `ec2:CreateTags` actions will be performed. If you change or update the Tag Value, only the `ec2:CreateTags` action will be performed.

Check this reference that has an example for using tags: https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/
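As an added illustration of the identity policy described in this answer (this is constructed example policy, not from the answer or from AWS documentation), the following allows the user to create tags on EC2 instances and to read tags, while explicitly denying tag deletion. The statement IDs and the instance-only resource scope are assumptions for the example; the actions are the three the answer names.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCreateAndReadTagsOnInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyDeleteTags",
      "Effect": "Deny",
      "Action": "ec2:DeleteTags",
      "Resource": "*"
    }
  ]
}
```

With this policy attached, renaming a tag key fails because that operation needs `ec2:DeleteTags`, which the explicit deny always wins over. Changing a tag's value still succeeds, since the console and API perform that as `ec2:CreateTags` on the existing key. If the goal is to freeze values as well as keys, the allow on `ec2:CreateTags` must be narrowed further (for example with a condition on `aws:TagKeys`) rather than relying on the deny alone.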
You could use an SCP to manage who is able to change tags. There are some tagging examples on this page: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_tagging.html
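As an added example of the SCP approach this answer suggests (constructed for illustration, not taken from the answer or from the linked AWS page), the following denies EC2 tag creation and deletion for a protected tag key unless the call is made by a designated role. The role name `TagAdminRole` and the tag key `CostCenter` are assumptions for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCostCenterTagChangesExceptTagAdmin",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["CostCenter"]
        },
        "StringNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/TagAdminRole"
        }
      }
    }
  ]
}
```

An SCP only restricts what identities in the affected accounts can be granted; it does not itself grant access, and it does not apply to the organization's management account. Because the deny is evaluated before any identity policy, a user with a broad `ec2:*` allow in a member account is still blocked from changing the `CostCenter` tag unless they assume `TagAdminRole`.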