我正在尝试对我们的 AWS 账户中的所有资源实施强制标记,以改进成本管理和组织。虽然 AWS 支持标记,但某些资源(尤其是通过 AWS 管理控制台创建的资源)默认情况下不需要标记,这很容易被忽视。
如果资源不包含特定标签,我想阻止资源的创建。这是我到目前为止所探索的内容:
AWS Organizations 中的标记策略:这些策略可以标记不合规的资源,但不能阻止其创建。 服务控制策略 (SCP):我尝试使用 SCP 来强制执行此操作,但我不确定它们是否可以在没有所需标签的情况下直接阻止资源创建。 AWS Config 规则:Config 可以在创建资源后检测不合规情况,但修复是被动的而不是预防性的。 我当前的 SCP 配置 这是我尝试实现的 SCP:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyResourceCreationWithoutAllTags", "Effect": "Deny", "Action": [ "ec2:RunInstances", "rds:CreateDBInstance", "eks:CreateCluster", "lambda:CreateFunction", "dynamodb:CreateTable", "cloudformation:CreateStack", "elasticbeanstalk:CreateEnvironment", "elasticbeanstalk:CreateApplication" ], "Resource": "*", "Condition": { "Null": { "aws:RequestTag/Account": "true", "aws:RequestTag/Division": "true", "aws:RequestTag/Environment": "true" } } }, { "Sid": "DenyResourceCreationWithEmptyTagValues", "Effect": "Deny", "Action": [ "ec2:RunInstances", "rds:CreateDBInstance", "eks:CreateCluster", "lambda:CreateFunction", "dynamodb:CreateTable", "cloudformation:CreateStack", "elasticbeanstalk:CreateEnvironment", "elasticbeanstalk:CreateApplication", "s3:CreateBucket" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/Account": "", "aws:RequestTag/Division": "", "aws:RequestTag/Environment": "" } } }, { "Sid": "EnforceSpecificTagValues", "Effect": "Deny", "Action": [ "ec2:RunInstances", "rds:CreateDBInstance", "eks:CreateCluster", "lambda:CreateFunction", "dynamodb:CreateTable", "cloudformation:CreateStack", "elasticbeanstalk:CreateEnvironment", "elasticbeanstalk:CreateApplication", "s3:CreateBucket" ], "Resource": "*", "Condition": { "StringNotEqualsIfExists": { "aws:RequestTag/Account": [ "Audit", "Automation", "Backup", "Delegated", "Egress", "Finops", "Inspection", "Logs-archive", "MFA", "Network", "Sandbox", "Shared-services", "Tekes", "Tekes-dev", "Workspaces", "Cnapp" ], "aws:RequestTag/Division": [ "Information technology communication services", "Applications Development Division", "Cyber Security Technologies Bureau" ], "aws:RequestTag/Environment": [ "production", "development", "test" ] } } } ] }问题:
如果特定标签丢失或为空,此 SCP 是阻止资源创建的正确方法吗? 是否有更好的解决方案来在资源创建期间强制执行强制标记(例如,我可能忽略的本机 AWS 功能)? 如何扩展它以涵盖所有资源类型,而不仅仅是那些明确列出的资源类型? 我正在寻找预防措施来完全阻止不合规资源的创建。任何指导或最佳实践将不胜感激!
在 AWS 中实施强制标记以改善成本管理和组织绝对是一个挑战,但您的 SCP 方式是正确的。
SCP 是一种在没有特定标签的情况下阻止资源创建的可靠方法,使它们主动而不是被动,但问题是,如果未指定服务操作,则 SCP 将不会应用,因此您需要列出要执行的所有操作涵盖所有内容,并且仅适用于在创建时支持标记的服务。
没有适合在所有服务的资源创建过程中强制执行强制标记的 AWS 服务,但您可以将其他一些服务与 SCP 一起使用,这可以增强此主题:
这种方式中最好的服务是 AWS Config,您可以使用所需标签等配置规则来检测甚至自动修复不合规情况。这对于 SCP 未涵盖的服务非常有效,尽管它是被动的。
您还可以通过
adding more services and actions to the Action list. Use wildcards like ec2:* or s3:* where it makes senseuse *:TagResource in your SCP. This covers tagging actions directly这是您的政策的增强版本:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyResourceCreationWithoutAllTags",
"Effect": "Deny",
"Action": [
"ec2:RunInstances",
"rds:CreateDBInstance",
"eks:CreateCluster",
"lambda:CreateFunction",
"dynamodb:CreateTable",
"cloudformation:CreateStack",
"elasticbeanstalk:CreateEnvironment",
"elasticbeanstalk:CreateApplication",
"s3:CreateBucket",
"*:TagResource"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/Account": "true",
"aws:RequestTag/Division": "true",
"aws:RequestTag/Environment": "true"
}
}
},
{
"Sid": "DenyResourceCreationWithEmptyTagValues",
"Effect": "Deny",
"Action": [
"ec2:RunInstances",
"rds:CreateDBInstance",
"eks:CreateCluster",
"lambda:CreateFunction",
"dynamodb:CreateTable",
"cloudformation:CreateStack",
"elasticbeanstalk:CreateEnvironment",
"elasticbeanstalk:CreateApplication",
"s3:CreateBucket"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/Account": "",
"aws:RequestTag/Division": "",
"aws:RequestTag/Environment": ""
}
}
},
{
"Sid": "EnforceSpecificTagValues",
"Effect": "Deny",
"Action": [
"ec2:RunInstances",
"rds:CreateDBInstance",
"eks:CreateCluster",
"lambda:CreateFunction",
"dynamodb:CreateTable",
"cloudformation:CreateStack",
"elasticbeanstalk:CreateEnvironment",
"elasticbeanstalk:CreateApplication",
"s3:CreateBucket"
],
"Resource": "*",
"Condition": {
"StringNotEqualsIfExists": {
"aws:RequestTag/Account": [
"Audit", "Automation", "Backup", "Delegated", "Egress",
"Finops", "Inspection", "Logs-archive", "MFA", "Network",
"Sandbox", "Shared-services", "Tekes", "Tekes-dev",
"Workspaces", "Cnapp"
],
"aws:RequestTag/Division": [
"Information technology communication services",
"Applications Development Division",
"Cyber Security Technologies Bureau"
],
"aws:RequestTag/Environment": [
"production", "development", "test"
]
}
}
}
]
}
作为简历,SCP 是强制标记的好工具,但在本主题中将其与
AWS Config