amazon-web-services - 创建 EC2 实例时如何设置默认标签？

Question

我正在尝试找到一种方法来在帐户中有人尝试创建 EC2 实例时添加默认标签。现在我已经设置了仅监视标签是否已创建的规则。

我需要一些东西，当创建一个实例时，他们必须填写标签，然后才能继续启动实例。这可能吗？如果是怎么办？

我在网上搜索过，没有任何东西完全符合我的要求。

我看过:https://aws.amazon.com/blogs/aws/new-tag-ec2-instances-ebs-volumes-on-creation/

然后我制定了一项政策(如下)，但它仍然没有奏效。

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowCreateTaggedVolumes",
        "Effect": "Allow",
        "Action": "ec2:CreateVolume",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "aws:RequestTag/Name": "",
                "aws:RequestTag/Owner": "",
                "aws:RequestTag/Project": "",
                "aws:RequestTag/Schedule": ""
            },
            "ForAllValues:StringEquals": {
                "aws:TagKeys": [
                    "Name",
                    "Owner",
                    "Project",
                    "Schedule"
                ]
            }
        }
    },
    {
        "Effect": "Allow",
        "Action": [
            "ec2:CreateTags"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "ec2:CreateAction": "CreateVolume"
            }
        }
    }
]
}

Answer 1

我使用以下策略代码模拟了相同的场景，其中以下示例策略允许用户启动 EC2 实例并仅在用户应用定义的所有标签时创建 EBS 卷在策略中使用限定符 ForAllValues (Key1 & Key2)。如果用户应用任何未包含在策略中的标记，则该操作将被拒绝。

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowToDescribeAll",
        "Effect": "Allow",
        "Action": [
            "ec2:Describe*"
        ],
        "Resource": "*"
    },
    {
        "Sid": "AllowRunInstances",
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": [
            "arn:aws:ec2:*::image/*",
            "arn:aws:ec2:*::snapshot/*",
            "arn:aws:ec2:*:*:subnet/*",
            "arn:aws:ec2:*:*:network-interface/*",
            "arn:aws:ec2:*:*:security-group/*",
            "arn:aws:ec2:*:*:key-pair/*"
        ]
    },
    {
        "Sid": "AllowRunInstancesWithRestrictions",
        "Effect": "Allow",
        "Action": [
            "ec2:CreateVolume",
            "ec2:RunInstances"
        ],
        "Resource": [
            "arn:aws:ec2:*:*:volume/*",
            "arn:aws:ec2:*:*:instance/*"
        ],
        "Condition": {
            "StringEquals": {
                "aws:RequestTag/key1": "value1",
                "aws:RequestTag/key2": "value2"
            },
            "ForAllValues:StringEquals": {
                "aws:TagKeys": [
                    "key1",
                    "key2"
                ]
            }
        }
    },
    {
        "Sid": "AllowCreateTagsOnlyLaunching",
        "Effect": "Allow",
        "Action": [
            "ec2:CreateTags"
        ],
        "Resource": [
            "arn:aws:ec2:*:*:volume/*",
            "arn:aws:ec2:*:*:instance/*"
        ],
        "Condition": {
            "StringEquals": {
                "ec2:CreateAction": "RunInstances"
            }
        }
    }
]
}

添加的存储空间

没有添加标签

没有标签启动失败

添加了必需的标签

从标签值开始启动

AWS Reference Guide