Tags for security - Amazon EC2 Auto Scaling

Use tags to verify that the requester (such as an IAM user or role) has permissions to create, modify, or delete specific Amazon EC2 Auto Scaling groups. Provide tag information in the condition element of an IAM policy by using one or more of the following condition keys:

  • Use autoscaling:ResourceTag/tag-key: tag-value to allow (or deny) user actions on Amazon EC2 Auto Scaling groups with specific tags.

  • Use aws:RequestTag/tag-key: tag-value to require that a specific tag be present (or not present) in a request.

  • Use aws:TagKeys [tag-key, ...] to require that specific tag keys be present (or not present) in a request.

For example, you could deny access to all Amazon EC2 Auto Scaling groups that include a tag with the key environment and the value production, as shown in the following example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DeleteAutoScalingGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "autoscaling:ResourceTag/environment": "production" }
      }
    }
  ]
}
```
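To see how the three condition keys behave at evaluation time, the following added example (not AWS code) models the request context IAM builds for an Auto Scaling call and checks the page's Deny statement, plus a constructed `ForAllValues:StringEquals` statement on `aws:TagKeys`, against it. The `build_context`, `condition_matches` and `statement_applies` functions and the `ALLOW_KNOWN_KEYS` statement are assumptions made for illustration; only `StringEquals` is modelled.

```python
from typing import Any, Dict, List

# Constructed model of IAM condition matching for the tag condition keys described
# above. Not AWS code: it covers StringEquals, with and without ForAllValues/ForAnyValue.

# The page's Deny statement: blocks create/update/delete on groups tagged environment=production.
DENY_PRODUCTION = {
    "Effect": "Deny",
    "Action": ["autoscaling:CreateAutoScalingGroup",
               "autoscaling:UpdateAutoScalingGroup",
               "autoscaling:DeleteAutoScalingGroup"],
    "Condition": {"StringEquals": {"autoscaling:ResourceTag/environment": "production"}},
}
# Constructed companion statement: a request may carry only the tag keys listed here.
ALLOW_KNOWN_KEYS = {
    "Effect": "Allow",
    "Action": ["autoscaling:CreateAutoScalingGroup"],
    "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["environment", "team"]}},
}

def build_context(resource_tags: Dict[str, str], request_tags: Dict[str, str]) -> Dict[str, List[str]]:
    """Request context: autoscaling:ResourceTag/<key> comes from the existing group's tags,
    aws:RequestTag/<key> from tags in the API call, and aws:TagKeys is the multi-valued key list."""
    ctx = {f"autoscaling:ResourceTag/{k}": [v] for k, v in resource_tags.items()}
    ctx.update({f"aws:RequestTag/{k}": [v] for k, v in request_tags.items()})
    ctx["aws:TagKeys"] = sorted(request_tags)
    return ctx

def condition_matches(condition: Dict[str, Any], ctx: Dict[str, List[str]]) -> bool:
    """Every operator/key pair in the Condition block must match for the block to be true."""
    for operator, pairs in condition.items():
        set_op, _, base_op = operator.rpartition(":")   # e.g. "ForAllValues:StringEquals"
        if base_op != "StringEquals":
            raise ValueError(f"operator {base_op} is outside this model")
        for key, expected in pairs.items():
            allowed = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key, [])
            if set_op == "ForAllValues":      # true when every value is allowed (empty set passes)
                ok = all(v in allowed for v in actual)
            elif set_op == "ForAnyValue":     # true when at least one value is allowed
                ok = any(v in allowed for v in actual)
            else:                             # single-valued key: a missing key never matches
                ok = bool(actual) and actual[0] in allowed
            if not ok:
                return False
    return True

def statement_applies(statement: Dict[str, Any], action: str, ctx: Dict[str, List[str]]) -> bool:
    """True when both the statement's Action list and its Condition cover this request."""
    return action in statement["Action"] and condition_matches(statement.get("Condition", {}), ctx)
```

Note the `ForAllValues` caveat the model reproduces: a request that carries no tags at all has an empty `aws:TagKeys` set and therefore satisfies the key-allowlist condition, so pair such a statement with an `aws:RequestTag` check if a tag must be present.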

For more information about using condition keys to control access to Amazon EC2 Auto Scaling groups, see How Amazon EC2 Auto Scaling works with IAM.