undefined | Better HN

0 pointsldoughty5y ago0 comments

That is access control when tags exist...

You can't, for example, deny an EC2 instance creation of it is NOT tagged with Key X. The recommendation is to watch cloud trail and post-creation, terminate it.

Creation events for EC2 do. It support tags, it's actually a 2 step process (the GUI console hides this, the SDK and IAM policy limits make this clear)

0 comments

1 comments · 1 top-level

twunde5y ago

Ah, what you're looking for is SCP (service control policies). And AWS even has a handy example for denying creation when a tag is missing: https://docs.aws.amazon.com/organizations/latest/userguide/o...

j / k navigate · click thread line to collapse