AWS Tagging Best Practices: Using Terraform and CloudFormation to Enforce Tags (opens in new tab)

(cloudforecast.io)

63 pointstoeknee1235y ago25 comments

25 comments

17 comments · 6 top-level

ldoughty5y ago· 7 in thread

I really dislike that the solutions for AWS tag shortcomings is custom code.

I'm a big AWS fan and heavy user for 5 years now, but it seems silly to me that you need to write a custom wrapper (e.g. force the creation through a managed script/template like Terraform/Ansible/CF)... Or write reactionary cloud trail policies to handle a situation where someone launches an EC2 instance without providing a specific tag.

The fact IAM policies still can't deny requests missing a tag, or deny requests by tag-value condition seems silly to me... Or one step further: allowing some auto-populated tags like what principle was responsible for making the instance in the first place.

twunde5y ago

FYI, IAM policies do support tag-based access control: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.... This was introduced in the past 1-2 years.

ldoughty5y ago

That is access control when tags exist...

You can't, for example, deny an EC2 instance creation of it is NOT tagged with Key X. The recommendation is to watch cloud trail and post-creation, terminate it.

Creation events for EC2 do. It support tags, it's actually a 2 step process (the GUI console hides this, the SDK and IAM policy limits make this clear)

1 more reply

donavanm5y ago

> The fact IAM policies still can't deny requests missing a tag, or deny requests by tag-value condition seems silly to me...

Am I missing something here? I could have sworn that aws:RequestTag with a “Tag On Create” Actions would enforce the authorization check based on the in the Tags parameter? Similarly aws:TagKeys allows you to control the permitted values of those Tags.

> allowing some auto-populated tags like what principle was responsible for making the instance in the first place.

These do exist as “system tags”, but its on a per service basis. Migration Hib and ECS come to mind. I dont know of any cross cutting application (like IAM) where theyre applied universally.

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags... https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags... https://aws.amazon.com/about-aws/whats-new/2020/04/aws-migra...

chrisoverzero5y ago

> The fact IAM policies still can't deny requests missing a tag, or deny requests by tag-value condition seems silly to me...

Can't it, though?

  "Condition": {
    "StringEquals": {
      "aws:RequestTag/key1": "value1",
      "aws:RequestTag/key2": "value2"
    },
    "ForAllValues:StringEquals": {
      "aws:TagKeys": [
        "key1",
        "key2"
      ]
    }
  }

wernerb5y ago

The problem is that all IAM conditionals just give a generic "Denied" statement which is hard to debug. You at left figuring out if you are missing a uppercase character in your tag key. AWS IAM is currently not meant to be used in a devops/enforcement of best practices way. They have AWS config for that, but that's always after the fact while immediate feedback is what you need to function at scale.

A possible fix is to allow custom deny reasons but large changes like this to any already extremely large and entangled system like IAM is unlikely.

1 more reply

mmbleh5y ago

Kinda, but it isn't consistent.

They've been steadily improving/fixing it, but for some resources, tagging new resources via the console is a 2 step process - it creates the resource THEN adds the tags. They are fixing these things so it's all added at once.

What this does is block the ability to create some resources via console since you can't add tags at creation

1 more reply

ldoughty5y ago

EC2, last I checked, does not allow tag conditionals at instance creation. You can have tag controls afterwards, but the instance creation call does not support tagging (the GUI masks this)

yonixw5y ago· 2 in thread

Tags are not supported for some VPC components (on creation). In that sense, Azure Resource Group and Google Projects is way better for organising and project based permissions.

Source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Ta...

acdha5y ago

Can you provide a more detailed comparison? I've run into a variety of GCP services which can't be labeled so I'm curious that this would be described as “way better”.

yonixw5y ago

Let's say I want to create an IAM to allow creation for a specific project (Full deploy), I can't enforce it on VPC.

mcintyre19945y ago· 1 in thread

Something that's pretty nice in AWS CDK is that tagging is recursive - so if you add a tag to eg. a top-level ECS service object then the tags are applied to all of its children automatically. https://docs.aws.amazon.com/cdk/latest/guide/tagging.html

acdha5y ago

There's a long-running Terraform issue for the equivalent if you want to chime in:

https://github.com/terraform-providers/terraform-provider-aw...

kapilvt5y ago· 1 in thread

This is one of the bread butter use cases on the opensource cloud custodian project (auto tagging, tag enforcement workflows, retro-active tagging from cloudtrail, etc). https://cloudcustodian.io (now a cncf sandbox project).

toeknee123OP5y ago

100% agree. We're big fans of CloudCustodian and use it ourselves. However, it can be tough for some org to get approval with using open source tools.

tthayer5y ago

We use cloudposse's label terraform module for everything. It works really well and it lets you use common values for everything. Paired with terragrunt it removes most of the pain of tagging for us.

nprateem5y ago

Use a tag policy and you can use whatever tool you want

j / k navigate · click thread line to collapse

25 comments

17 comments · 6 top-level

ldoughty5y ago· 7 in thread

I really dislike that the solutions for AWS tag shortcomings is custom code.

twunde5y ago

FYI, IAM policies do support tag-based access control: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.... This was introduced in the past 1-2 years.

ldoughty5y ago

That is access control when tags exist...

You can't, for example, deny an EC2 instance creation of it is NOT tagged with Key X. The recommendation is to watch cloud trail and post-creation, terminate it.

Creation events for EC2 do. It support tags, it's actually a 2 step process (the GUI console hides this, the SDK and IAM policy limits make this clear)

1 more reply

donavanm5y ago

> The fact IAM policies still can't deny requests missing a tag, or deny requests by tag-value condition seems silly to me...

> allowing some auto-populated tags like what principle was responsible for making the instance in the first place.

These do exist as “system tags”, but its on a per service basis. Migration Hib and ECS come to mind. I dont know of any cross cutting application (like IAM) where theyre applied universally.

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags... https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags... https://aws.amazon.com/about-aws/whats-new/2020/04/aws-migra...

chrisoverzero5y ago

> The fact IAM policies still can't deny requests missing a tag, or deny requests by tag-value condition seems silly to me...

Can't it, though?

  "Condition": {
    "StringEquals": {
      "aws:RequestTag/key1": "value1",
      "aws:RequestTag/key2": "value2"
    },
    "ForAllValues:StringEquals": {
      "aws:TagKeys": [
        "key1",
        "key2"
      ]
    }
  }

wernerb5y ago

A possible fix is to allow custom deny reasons but large changes like this to any already extremely large and entangled system like IAM is unlikely.

1 more reply

mmbleh5y ago

Kinda, but it isn't consistent.

What this does is block the ability to create some resources via console since you can't add tags at creation

1 more reply

ldoughty5y ago

EC2, last I checked, does not allow tag conditionals at instance creation. You can have tag controls afterwards, but the instance creation call does not support tagging (the GUI masks this)

yonixw5y ago· 2 in thread

Tags are not supported for some VPC components (on creation). In that sense, Azure Resource Group and Google Projects is way better for organising and project based permissions.

Source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Ta...

acdha5y ago

Can you provide a more detailed comparison? I've run into a variety of GCP services which can't be labeled so I'm curious that this would be described as “way better”.

yonixw5y ago

Let's say I want to create an IAM to allow creation for a specific project (Full deploy), I can't enforce it on VPC.

mcintyre19945y ago· 1 in thread

acdha5y ago

There's a long-running Terraform issue for the equivalent if you want to chime in:

https://github.com/terraform-providers/terraform-provider-aw...

kapilvt5y ago· 1 in thread

toeknee123OP5y ago

100% agree. We're big fans of CloudCustodian and use it ourselves. However, it can be tough for some org to get approval with using open source tools.

tthayer5y ago

We use cloudposse's label terraform module for everything. It works really well and it lets you use common values for everything. Paired with terragrunt it removes most of the pain of tagging for us.

nprateem5y ago

Use a tag policy and you can use whatever tool you want

j / k navigate · click thread line to collapse