Account Segmentation - TannerWeinacker/Capstone GitHub Wiki

Tags

Assign metadata to each resource in the form of a tag. A tag can be used to organize AWS resources by purpose, owner, environment, and other ways alike.

Each tag consists of a key and an optional value.

A filter can be applied to search resources based on tags.
Tags can be applied during creation and after the fact.

IAM policies support tag-based, resource-level permissions, which can be used to control which users and groups are allowed to tag resources when they create them.

It is also possible to control which tag keys and values may be set on resources.

Tagging support for Amazon EC2 resources

Tag Restrictions

  • Maximum number of tags = 50
  • Each tag can only have one value
  • Tags are case-sensitive
  • You cannot terminate, stop, or delete a resource based on its tags; this must be done with resource identifiers

Attribute-based access control (ABAC)

ABAC allows for better control over which resources a user can modify, use, or delete.

Including a tag in the Condition element of the policy will allow control based on the tag.

"If you allow or deny users access to resources based on tags, you must consider explicitly denying users the ability to add those tags to or remove them from the same resources. Otherwise, it's possible for a user to circumvent your restrictions and gain access to a resource by modifying its tags."
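Added example (not code from the wiki or the Capstone project) that puts the two points above into one IAM policy: the Allow statement uses a tag in the Condition element so a principal can only manage EC2 instances whose Owner tag matches its own Owner principal tag, and the Deny statement closes the loophole in the quote by refusing to add or remove that tag. The tag key name Owner is an assumption.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowManagingOnlyInstancesTaggedWithMyOwner",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Owner": "${aws:PrincipalTag/Owner}"
        }
      }
    },
    {
      "Sid": "DenyAddingOrRemovingTheOwnerTag",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["Owner"]
        }
      }
    }
  ]
}
```

Because the Deny also applies to the ec2:CreateTags call that RunInstances makes when it tags a new instance, the Owner tag has to be set by a separate administrative principal or by automation rather than by the principal this policy is attached to.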

Tag resources for billing

Tags CLI

create-tags
delete-tags

Test policies created

Test

Amazon Resource Names (ARN)

An ARN is a way to uniquely identify an AWS resource. An ARN is required wherever a resource must be specified unambiguously across all of AWS, such as in IAM policies.

ARN Format

arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id


partition

This is where the resource is located; a partition is a group of AWS Regions. For example:
aws - AWS Regions
aws-us-gov - AWS GovCloud (US) Regions
Essentially, it is where the resource is located geographically: if the resource is not in a separate partition such as China or the US GovCloud Regions, it is in the standard aws partition and can be in any Region there.


service

The link in the title takes you to a reference where the service names can be searched.
The service identifies the AWS product. Example: s3 for Amazon S3, ec2 for Amazon EC2, and so on.
Reference for Services


region

The region code. Example: us-east-1
List of regions


account-id

The ID of the AWS account that owns the resource


resource-id

The resource identifier. This can be the name or the ID of the resource or a resource path.

Policies

Helpful Account Sources

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html