EC2 Instance launch only if correctly tagged
This can apply to EC2 instances, EBS volumes or both. You can tweak it to work for only key present, key-value present and key value exact match.
Step 1 – Create a policy as described below
Example Policy – Only launch EC2 if it has all the matching tag keys and values (see the ‘condition’ in the json below)
Step 2 – Create a Group to assign the Policy to
Example Policy – Only launch EC2 if it has all the matching tag keys and values (see the ‘condition’ in the json below)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowToDescribeAll",
"Effect": "Allow",
"Action": [
"ec2:Describe*"
],
"Resource": "*"
},
{
"Sid": "AllowRunInstances",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:key-pair/*"
]
},
{
"Sid": "AllowRunInstancesWithRestrictions",
"Effect": "Allow",
"Action": [
"ec2:CreateVolume",
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/key1": "value1",
"aws:RequestTag/key2": "value2"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"key1",
"key2"
]
}
}
},
{
"Sid": "AllowCreateTagsOnlyLaunching",
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction": "RunInstances"
}
}
}
]
}
Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.
Anuj Varma – who has written 1260 posts on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.
Leave a Reply