Tags - Kahuna915/Capstone-Cloud-Integration GitHub Wiki
Use case of tags
AWS tags are key/value labels that can be attached to most resources to name, classify and manage them, and IAM can evaluate them when authorizing a request. Cyber.AWS will use tags to mark infrastructure machines, to manage users' machines, and to drive the IAM policies below.
Cyber.AWS Tagging Scheme (Rough Draft)
Policies based on tagging
Prevent users from deleting certain machines
Infrastructure machines are created with their environment tag set to Production or Infrastructure, and regular users are denied the actions that would delete them. The draft scheme is read here as a single tag key, environment, whose value is Production or Infrastructure; both policies on this page use that convention.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDeleteProductionAndInfrastructureResources",
      "Effect": "Deny",
      "Action": [
        "ec2:TerminateInstances",
        "rds:DeleteDBInstance",
        "s3:DeleteBucket"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/environment": [
            "Production",
            "Infrastructure"
          ]
        }
      }
    },
    {
      "Sid": "DenyDeleteProductionAndInfrastructureObjects",
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/environment": [
            "Production",
            "Infrastructure"
          ]
        }
      }
    }
  ]
}
```

The condition key matters here. aws:TagKeys holds only the tag keys carried in the request itself (a CreateTags or RunInstances call, for example); a TerminateInstances request names no tag keys, so with aws:TagKeys the condition can never match and the Deny silently never applies. aws:ResourceTag/<key> is evaluated against the tags already on the resource, which is what this rule needs. S3 object deletes are checked against object tags through s3:ExistingObjectTag/<key> rather than aws:ResourceTag, hence the second statement. Two limits to keep in mind: an untagged or mistagged resource is not protected at all, so this policy only works together with the tag-protection rule below, and a Deny whose condition key is absent or unsupported for an action fails open, so confirm in the Service Authorization Reference that each listed action supports the condition key you rely on.
Prevent users from adding, changing or deleting the environment tag that marks Production and Infrastructure resources
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyTagInfrastructureAndProduction",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "rds:AddTagsToResource",
        "rds:RemoveTagsFromResource",
        "s3:PutBucketTagging",
        "s3:DeleteBucketTagging",
        "sqs:TagQueue",
        "sqs:UntagQueue"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "environment"
          ]
        }
      }
    }
  ]
}
```

For tagging actions aws:TagKeys is the right key, because these requests do carry the tag keys being written or removed. The condition matches the protected key rather than the values Production and Infrastructure: if only those two values were blocked, a user could first relabel a machine as environment=Dev and then terminate it, since the deletion rule above compares values. ec2:CreateTags also covers tags applied at launch through RunInstances tag specifications, so users cannot mint their own Production machines that way. The RDS tagging actions are included so that the RDS instances protected by the deletion rule cannot be untagged. s3:DeleteBucketTagging removes a bucket's whole tag set and names no keys in the request, so verify whether a TagKeys condition can apply to it before relying on it.
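Why the choice of condition key decides whether either statement above fires can be checked offline. The following Python script is an added example, not code from the Cyber.AWS project: it models two IAM evaluation rules (the StringEquals and ForAnyValue:StringEquals operators, and the rule that a condition key missing from the request context never matches) and runs constructed request contexts against a Deny keyed on aws:TagKeys, a Deny keyed on aws:ResourceTag/environment, and the tag-protection rule. The policy Sids, context values and function names are constructed for the illustration.

```python
"""Toy model of IAM Deny evaluation for tag-based conditions.

Added example, not Cyber.AWS project code. It implements only StringEquals,
ForAnyValue:StringEquals and exact action names, plus the IAM rule that a
condition key absent from the request context never matches. Policies and
request contexts below are constructed for the illustration.
"""
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition: dict, context: dict) -> bool:
    """True when every key in every operator block matches the request context."""
    for operator, pairs in condition.items():
        set_match = operator.startswith("ForAnyValue:")
        for key, wanted in pairs.items():
            if key not in context:
                return False  # missing key: condition cannot match, Deny does not apply
            wanted_values = _as_list(wanted)
            actual = _as_list(context[key])
            if set_match:
                if not any(v in wanted_values for v in actual):
                    return False
            elif len(actual) != 1 or actual[0] not in wanted_values:
                return False
    return True


def explicit_deny(policy: dict, action: str, context: dict) -> bool:
    """True if any Deny statement in `policy` applies to `action` under `context`."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in _as_list(stmt["Action"]):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def _deny(sid, actions, condition):
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": sid, "Effect": "Deny", "Action": actions,
                           "Resource": "*", "Condition": condition}]}


# Deny keyed on the tag keys carried *in the request*.
TAGKEYS_DENY = _deny("DenyDeleteByTagKeys",
                     ["ec2:TerminateInstances", "rds:DeleteDBInstance"],
                     {"ForAnyValue:StringEquals": {"aws:TagKeys": ["environment", "infrastructure"]}})

# Deny keyed on the tag already *on the resource*.
RESOURCETAG_DENY = _deny("DenyDeleteByResourceTag",
                         ["ec2:TerminateInstances", "rds:DeleteDBInstance"],
                         {"StringEquals": {"aws:ResourceTag/environment": ["Production", "Infrastructure"]}})

# Refuse any tagging request that touches the protected key.
PROTECT_TAG_KEY = _deny("DenyTouchEnvironmentTag",
                        ["ec2:CreateTags", "ec2:DeleteTags"],
                        {"ForAnyValue:StringEquals": {"aws:TagKeys": ["environment"]}})

# Constructed request contexts. A TerminateInstances call names no tag keys,
# so aws:TagKeys is simply absent; only the resource's own tags are available.
TERMINATE_PROD = {"aws:ResourceTag/environment": "Production"}
TERMINATE_UNTAGGED = {}
RETAG_PROD = {"aws:TagKeys": ["Name", "environment"],
              "aws:RequestTag/environment": "Dev"}  # attempt to relabel a prod box
RETAG_NAME_ONLY = {"aws:TagKeys": ["Name"], "aws:RequestTag/Name": "web-1"}


def evaluate_cases() -> dict:
    return {
        "tagkeys_blocks_terminate": explicit_deny(TAGKEYS_DENY, "ec2:TerminateInstances", TERMINATE_PROD),
        "resourcetag_blocks_terminate": explicit_deny(RESOURCETAG_DENY, "ec2:TerminateInstances", TERMINATE_PROD),
        "resourcetag_blocks_untagged": explicit_deny(RESOURCETAG_DENY, "ec2:TerminateInstances", TERMINATE_UNTAGGED),
        "protect_blocks_relabel": explicit_deny(PROTECT_TAG_KEY, "ec2:CreateTags", RETAG_PROD),
        "protect_allows_name_only": explicit_deny(PROTECT_TAG_KEY, "ec2:CreateTags", RETAG_NAME_ONLY),
    }


if __name__ == "__main__":
    print(json.dumps(evaluate_cases(), indent=2))
```

The aws:TagKeys Deny never blocks termination of the tagged instance, the aws:ResourceTag version does, and neither protects an untagged instance, which is why the tag-protection rule is not optional. To check the real evaluator rather than this model, feed the statements to `aws iam simulate-custom-policy` with `--context-entries` supplying the same aws:ResourceTag/environment and aws:TagKeys values.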