Amazon web services 对aws中的所有服务强制执行标记策略
我需要一个AWS IAM策略来强制所有服务的标记。(不是一个接一个)。 可能吗Amazon web services 对aws中的所有服务强制执行标记策略,amazon-web-services,amazon-iam,Amazon Web Services,Amazon Iam,我需要一个AWS IAM策略来强制所有服务的标记。(不是一个接一个)。 可能吗 { "Version": "2012-10-17", "Statement": [ { "Sid": "DenyCreateSecretWithNoProjectTag", "Effect": "Deny", "Action": "secretsmanager:CreateSecret", "Resource": "*", "Conditio
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyCreateSecretWithNoProjectTag",
"Effect": "Deny",
"Action": "secretsmanager:CreateSecret",
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/Project": "true"
}
}
},
{
"Sid": "DenyRunInstanceWithNoProjectTag",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"Null": {
"aws:RequestTag/Project": "true"
}
}
},
{
"Sid": "DenyCreateSecretWithNoCostCenterTag",
"Effect": "Deny",
"Action": "secretsmanager:CreateSecret",
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/CostCenter": "true"
}
}
},
{
"Sid": "DenyRunInstanceWithNoCostCenterTag",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"Null": {
"aws:RequestTag/CostCenter": "true"
}
}
}
]
}
这来自AWS文档。我需要所有aws服务。如果帐户是组织的一部分,则可以通过标记策略强制执行:
如果没有,您可以使用AWS配置规则中所需的标记:无法预先对所有可能的资源强制执行标记。我建议阅读AWS白皮书:
白皮书建议使用CloudFormation和Service Catalog来主动标记资源 您的示例策略是AWS组织的SCP。如果您的帐户不在AWS组织中,则无法使用它。