Tags for security - Amazon EC2 Auto Scaling
Tags for security

Use tags to verify that the requester (such as an IAM user or role) has permissions to create, modify, or delete specific Auto Scaling groups. Provide tag information in the condition element of an IAM policy by using one or more of the following condition keys:

  • Use autoscaling:ResourceTag/tag-key: tag-value to allow (or deny) user actions on Auto Scaling groups with specific tags.

  • Use aws:RequestTag/tag-key: tag-value to require that a specific tag be present (or not present) in a request.

  • Use aws:TagKeys [tag-key, ...] to require that specific tag keys be present (or not present) in a request.

For example, you could deny access to all Auto Scaling groups that include a tag with the key environment and the value production, as shown in the following example.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DeleteAutoScalingGroup"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"autoscaling:ResourceTag/environment": "production"}
            }
        }
    ]
}
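The following policy is an added example, not part of the original documentation, showing the other two condition keys together with a guard on the tag itself. The first statement allows creating a group only when the request carries environment=test and no tag keys outside an allowed set; the second denies tag changes on groups tagged environment=production. The tag value test, the extra key team, and the Sid names are assumptions made for illustration.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExampleRequireEnvironmentTagOnCreate",
            "Effect": "Allow",
            "Action": [
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:CreateOrUpdateTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:RequestTag/environment": "test"},
                "ForAllValues:StringEquals": {"aws:TagKeys": ["environment", "team"]}
            }
        },
        {
            "Sid": "ExampleDenyRetaggingProductionGroups",
            "Effect": "Deny",
            "Action": [
                "autoscaling:CreateOrUpdateTags",
                "autoscaling:DeleteTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"autoscaling:ResourceTag/environment": "production"}
            }
        }
    ]
}
```

Without the second statement, a principal allowed to edit tags could remove or overwrite the environment tag on a production group, after which a Deny keyed on autoscaling:ResourceTag/environment would no longer match that group.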

For more information about using condition keys to control access to Auto Scaling groups, see How Amazon EC2 Auto Scaling works with IAM.