Control access to tags
Use tags to verify that the requester (such as an IAM user or role) has permissions to add, modify, or delete tags for Auto Scaling groups.
The following example IAM policy gives the principal permission to remove only
the tag with the
key from Auto Scaling
groups.temporary
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "autoscaling:DeleteTags", "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": ["
temporary
"] } } } ] }
For more examples of IAM policies that enforce constraints on the tags specified for Auto Scaling groups, see Control which tag keys and tag values can be used.
Note
Even if you have a policy that restricts your users from performing a tagging (or untagging) operation on an Auto Scaling group, this does not prevent them from manually changing the tags on the instances after they have launched. For examples that control access to tags on EC2 instances, see Example: Tagging resources in the Amazon EC2 User Guide.