Control access to tags - Amazon EC2 Auto Scaling

Control access to tags

Use tags to verify that the requester (such as an IAM user or role) has permissions to add, modify, or delete tags for Amazon EC2 Auto Scaling groups.

The following example IAM policy gives the principal permission to remove only the tag with the temporary key from Amazon EC2 Auto Scaling groups.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "autoscaling:DeleteTags",
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": ["temporary"]
                }
            }
        }
    ]
}

For more examples of IAM policies that enforce constraints on the tags specified for Amazon EC2 Auto Scaling groups, see Control which tag keys and tag values can be used.
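
The following added example (not part of the original page and not AWS's policy engine) is a simplified Python model of how the ForAllValues:StringEquals condition on aws:TagKeys decides the DeleteTags policy above. The helper names and the sample tag keys are constructed for illustration; only the Action match and this one operator are modelled.

```python
# Simplified model of the page's condition block; not AWS's evaluation engine.
# The tag keys passed in below are constructed sample requests.

POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "autoscaling:DeleteTags",
        "Resource": "*",
        "Condition": {
            "ForAllValues:StringEquals": {"aws:TagKeys": ["temporary"]}
        },
    }],
}


def for_all_values_string_equals(request_values, allowed_values):
    """True when every request value exactly (case-sensitively) equals one
    of the allowed values. An empty or missing set of request values is
    vacuously true, which is how ForAllValues behaves in IAM."""
    return all(v in allowed_values for v in (request_values or []))


def is_allowed(action, tag_keys, policy=POLICY):
    """Return True if an Allow statement matches the request; otherwise the
    request falls through to the implicit deny."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != action:
            continue
        cond = stmt.get("Condition", {}).get("ForAllValues:StringEquals", {})
        allowed = cond.get("aws:TagKeys")
        # No aws:TagKeys condition means the statement matches on Action alone.
        if allowed is None or for_all_values_string_equals(tag_keys, allowed):
            return True
    return False


if __name__ == "__main__":
    samples = (["temporary"], ["temporary", "environment"], ["Temporary"], [])
    for keys in samples:
        verdict = is_allowed("autoscaling:DeleteTags", keys)
        print(keys, "->", "Allow" if verdict else "implicit deny")
```

A request that names any key other than temporary, including a differently cased Temporary, is not matched by the Allow statement, while an empty set of tag keys satisfies ForAllValues vacuously.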

Note

Even if you have a policy that restricts your users from performing a tagging (or untagging) operation on an Amazon EC2 Auto Scaling group, this does not prevent them from manually changing the tags on the instances after they have launched. For examples that control access to tags on EC2 instances, see Example: Tagging resources in the Amazon EC2 User Guide.