IAM Tag policy for EC2 instances

0

How can I prevent a specific IAM user to delete or change tags assigned to an EC2 instance? I am OK with the user to be able to add new tags.

Thanks!

2 Answers
1
Accepted Answer

You can add an IAM policy to your IAM user that has an allow for ec2:CreateTags and a deny for ec2:DeleteTags. Currently, these are the only tag-related permissions available for EC2 service, along with ec2:DescribeTags.

Note that for existing tags, when you change or update the Tag Key, both ec2:DeleteTags and ec2:CreateTags actions will be performed. If you update change or update the Tag Value, ec2:CreateTags action will be performed.

Check this reference that has an example for using tags: https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/

profile picture
answered 2 years ago
profile picture
EXPERT
reviewed 4 months ago
0

You could use an SCP to manage who is able to change tags. There are some tagging examples on this page : https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_tagging.html

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions