Enforce tagging compliance for AWS Resources
As a cloud admin, we handle around 50 AWS accounts and 350 resources inside each account. Sounds strange, right? When it comes to managing all of these, we need some labels to identify what belongs to whom. Tags are there to help us, so that we don't end up with a mess of anonymous resources.
Most of us know how hard it is to make users follow our (so called) tagging standards.
When it comes to following these tagging policies, users would say: “I don’t like to add tags when I create resources! It’s not compulsory and I can do my work without it! So why should I?”
Because of this, management becomes tedious. Management won’t know which resource belongs to which department, which cost center, which user, etc.
There is no direct way in AWS to make tags a compulsory field. We need to generate reports, for example using services like AWS Config, and then chase users to add tags. And trust me, it’s a tiring and endless process.
The Solution
What if I tell you we can prevent users from creating resources that violate your policy!
We can create a permissions boundary and attach it to all users and roles. This boundary will contain an IAM policy that denies users/roles the ability to create a resource if it violates any tagging standard.
We will apply this to all newly created roles/users by default (using CloudWatch rules, Lambda, or anything else you know).
That’s it!
I didn’t get your point. How will this solve my problem?
Whenever someone tries to create resources in our account, these boundary conditions will DENY the request if it’s not as per the standards. That’s why everyone has to follow them!
Not even Admin User is allowed to violate this.
Hey! You forgot to add a label. You’re not allowed to create an instance!
Why permission boundary? I can do it with the IAM policy!
“How can one remove if he didn’t even notice!”
Here is the trick. We all know how IAM policies work. But most users ignore permissions boundaries. (Trust me, it’s tested that users ignore the boundary.) And half of the users have no idea how it works. If we simply apply an IAM policy, the user can just remove it.
What is a Permissions Boundary:
A permissions boundary is an advanced feature that allows you to limit the maximum permissions that a principal can have. It really is a boundary. Building a wall doesn’t make us owners of the land. Similarly, setting a permissions boundary doesn’t grant users anything by itself. However, it will surely deny users anything beyond the boundary. (AWS Blog)
Here is the magic:
Suppose your IAM keys are leaked! Now when someone uses them and tries to create EC2 instances, it won’t be allowed! The hacker doesn’t know our tags ;)
And what if the hacker creates an Admin IAM role and uses that? Don’t worry, we apply the boundary conditions to every role!
Every second counts. So we have bought some time to deactivate the keys!
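Putting the pieces above together, here is an added example of such a boundary policy (not the author's own; the account id 123456789012, the policy name TaggingBoundary and the required tag key CostCenter are placeholder assumptions): it denies launching EC2 instances without the tag, denies creating users or roles that do not carry this same boundary, and denies removing or rewriting the boundary itself. The first Allow statement is required because a boundary only caps what identity policies grant, so a boundary made of Deny statements alone would leave the principal with no permissions at all.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CeilingEverythingTheIdentityPolicyAllows",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Sid": "DenyLaunchWithoutCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
      "Condition": {
        "Null": { "aws:RequestTag/CostCenter": "true" }
      }
    },
    {
      "Sid": "DenyCreatingPrincipalsWithoutThisBoundary",
      "Effect": "Deny",
      "Action": [
        "iam:CreateUser",
        "iam:CreateRole",
        "iam:PutUserPermissionsBoundary",
        "iam:PutRolePermissionsBoundary"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/TaggingBoundary" }
      }
    },
    {
      "Sid": "DenyRemovingOrRewritingThisBoundary",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteUserPermissionsBoundary",
        "iam:DeleteRolePermissionsBoundary",
        "iam:CreatePolicyVersion",
        "iam:SetDefaultPolicyVersion"
      ],
      "Resource": [
        "arn:aws:iam::*:user/*",
        "arn:aws:iam::*:role/*",
        "arn:aws:iam::123456789012:policy/TaggingBoundary"
      ]
    }
  ]
}
```

Keys inside one Null block are ANDed, so each additional required tag needs its own Deny statement, and this checks only that the key is present, not that its value is valid. Required tag keys are readable by anyone who can describe existing resources, so treat this as a speed bump against leaked keys, not a secret.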
Limitations:
- AWS doesn’t support authorization based on tags for all resources. (Refer to AWS Services that work with IAM and check for Yes in the Authorization Based On Tags column.) But commonly used services (EC2, ELB, IAM, KMS, etc.) are supported.
Did you like what you read? Recommend this post to others!
Want to share something? I would love to hear from you!