Why? Because I want these users to be able to create resources at will on my AWS account, but only be able to see and use the resources created by their own group.

I know it's possible to restrict the seeing / using / managing part per group by resource tag using policies, but I also want them to be able to create instances with the appropriate tag automatically, so that they don't accidentally or maliciously leave the tag out or specify another group's tag.

Is this possible? If so, how? Otherwise, what's the closest alternative I have?

(Related question I asked before: How to allow IAM groups to create, see, and manage their own instances and nothing else?)

Gui Prá
  • I don't believe it's possible. The closest alternative is consolidated billing. – ceejayoz Jul 13 '16 at 15:15
  • Bummer! The problem with consolidated billing is that each account requires a new e-mail, so if I could do it with IAM users only, that would be easier to manage. I agree with you it's likely not currently possible, but I'll wait for a more definitive answer and will go with consolidated billing if it's really not possible. Thanks! – Gui Prá Jul 13 '16 at 15:21
  • Maybe you can use [AWS Config Rules](https://aws.amazon.com/blogs/aws/aws-config-rules-dynamic-compliance-checking-for-cloud-resources/) for this? I haven't gotten the opportunity to use it myself yet but you should be able to create your own custom rules and for example terminate an instance that is created without the required tags. – Bazze Jul 13 '16 at 19:36

1 Answer

It is technically impossible, at least for now:

    Note that because you can't tag a resource when you create it, you can't use any of the tag condition keys with a resource that's created by an action.

From here. But here is a workaround that requires Lambda and CloudWatch (available in some regions only): article

Putnik
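The workaround the answer points to, written out as an added example (this is not code from the post or from the linked article): a Lambda function invoked by a CloudWatch Events rule on the CloudTrail RunInstances call tags each new instance with the creating IAM user's group, and the group's IAM policy only allows managing instances that carry that tag. Everything beyond the two API calls is an assumption for illustration: the CloudWatch Events rule, an execution role holding ec2:CreateTags and iam:ListGroupsForUser, the convention that each user is in exactly one group, the tag key "Group", and the names alice and team-red. The CloudTrail payload is constructed and trimmed to the fields the code reads.

```python
"""Auto-tag new EC2 instances with the creator's IAM group (the Lambda +
CloudWatch Events workaround), plus the group policy that keys on the tag.

Added example; not code from the original post or the linked article. Assumed
setup: a CloudWatch Events rule for CloudTrail "RunInstances" calls invokes
lambda_handler; its execution role has ec2:CreateTags and iam:ListGroupsForUser;
each user is in exactly one group (hypothetical convention); tag key "Group"
and the names alice / team-red are hypothetical.
"""

TAG_KEY = "Group"  # hypothetical tag key the policies key on


def principal_from_event(event):
    """(type, userName) from CloudTrail userIdentity; only IAMUser has a group."""
    identity = event["detail"]["userIdentity"]
    if identity.get("type") == "IAMUser":
        return "IAMUser", identity["userName"]
    return identity.get("type", "Unknown"), None


def instance_ids_from_event(event):
    """Instance IDs from responseElements; a failed call (errorCode set,
    responseElements null) yields [] so nothing is tagged."""
    detail = event["detail"]
    if detail.get("errorCode") or not detail.get("responseElements"):
        return []
    return [i["instanceId"] for i in detail["responseElements"]["instancesSet"]["items"]]


def group_scoped_policy(group_name):
    """Group policy: manage only instances tagged with the group's own name.
    Describe* cannot be tag-scoped, and tag edits are denied so users cannot
    relabel an instance into another group (the Lambda role tags, not users)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
            {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
            {"Effect": "Allow",
             "Action": ["ec2:StartInstances", "ec2:StopInstances",
                        "ec2:RebootInstances", "ec2:TerminateInstances"],
             "Resource": "arn:aws:ec2:*:*:instance/*",
             "Condition": {"StringEquals": {"ec2:ResourceTag/" + TAG_KEY: group_name}}},
            {"Effect": "Deny", "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Resource": "*"},
        ],
    }


def lambda_handler(event, context, ec2=None, iam=None):
    """Tag the instances from one RunInstances event. ec2/iam are injectable
    so the logic runs offline; in Lambda they default to boto3 clients."""
    if ec2 is None or iam is None:
        import boto3  # only imported when actually running in Lambda
        ec2, iam = ec2 or boto3.client("ec2"), iam or boto3.client("iam")
    user_type, user_name = principal_from_event(event)
    instance_ids = instance_ids_from_event(event)
    if user_type != "IAMUser" or not instance_ids:
        return {"tagged": [], "reason": "principal %s, %d instances" % (user_type, len(instance_ids))}
    groups = iam.list_groups_for_user(UserName=user_name)["Groups"]
    if len(groups) != 1:
        # Ambiguous ownership: do not guess. An untagged instance matches no
        # group's policy, so an admin has to resolve it rather than a wrong
        # group silently gaining access to it.
        return {"tagged": [], "reason": "%s is in %d groups" % (user_name, len(groups))}
    tags = [{"Key": TAG_KEY, "Value": groups[0]["GroupName"]},
            {"Key": "CreatedBy", "Value": user_name}]
    ec2.create_tags(Resources=instance_ids, Tags=tags)
    return {"tagged": instance_ids, "tags": tags}


# Constructed CloudWatch Events payload, trimmed to the fields used above.
SAMPLE_EVENT = {
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "RunInstances",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
    },
}


class FakeEC2:
    """Records create_tags calls instead of calling AWS (offline demo only)."""
    def __init__(self):
        self.calls = []

    def create_tags(self, **kwargs):
        self.calls.append(kwargs)


class FakeIAM:
    """Stands in for iam.list_groups_for_user (offline demo only)."""
    def list_groups_for_user(self, UserName):
        return {"Groups": [{"GroupName": "team-red"}]}


if __name__ == "__main__":
    ec2 = FakeEC2()
    print(lambda_handler(SAMPLE_EVENT, None, ec2=ec2, iam=FakeIAM()))
    print(ec2.calls)
```

Two caveats for anyone deploying this shape. First, the tag is applied after the event reaches Lambda, so there is a window in which the instance exists untagged and the creating group's policy does not yet match it. Second, EC2 Describe* calls do not support resource-level conditions, so the policy can scope what a group may start, stop, reboot or terminate, but it cannot hide other groups' instances from the console or from describe-instances; only the "use and manage" half of the question is covered this way.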