Elastic Compute Service:Enable fine-grained permission management for resources by using tags

Last Updated:Nov 24, 2025

You can use tags to classify and manage Elastic Compute Service (ECS) resources. A tag identifies a class of resources, which lets you write Resource Access Management (RAM) policies against that class or perform batch operations on it. For example, a RAM policy can allow ECS instances to be created only from images that carry a specific tag. This gives you category-based control over which operations are permitted on which resources.

Security risks

Tags provide a more flexible way to classify resources than resource groups: a resource belongs to only one resource group, but it can carry multiple tags, so you can classify it by several dimensions at once, such as region, department, or environment. The console groups resources by product, for example ECS computing resources, Object Storage Service (OSS) storage resources, or VPC network resources, whereas tags let you view them from your own, user-centric perspective. This lets you distinguish resources across multiple dimensions and implement access control based on those tags.

Best practices

To manage access policies by business function, add the same tag to every resource that shares a business property. You can then reference that tag in a RAM policy to constrain access to exactly those resources.

For example, consider a group of ECS instances used for a database deployment. These instances must not have public IP addresses attached. To enforce this rule:

1) Add a tag, such as function:database, to this group of ECS instances.

2) In the following sample RAM policy, reference the tag through the acs:ResourceTag/function:database condition key in the Condition element. The Resource element still covers all ECS instances; it is the Condition that narrows the Deny to the tagged ones.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",   #Deny
      "Action": [
        "ecs:ModifyInstanceNetworkSpec",    #Modify instance network specification
        ... ... #Content omitted
      ],
      "Resource": "acs:ecs:*:*:instance/*",   #All ECS instances
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/function:database": ["*"]   #Has the function:database tag
        },
        "Bool": {
          "ecs:AssociatePublicIpAddress": ["true"]   #Attach a public IP address
        }
      }
    }
  ]
}

The # comments are explanatory only. A RAM policy is plain JSON, so remove them (and fill in the omitted actions) before you save the policy.

Result: A call to ModifyInstanceNetworkSpec that would attach a public IP address to an ECS instance carrying the function:database tag is denied. Both condition operators must match for the Deny to apply: the same call on an instance without the tag, or on a tagged instance with AssociatePublicIpAddress set to false, is not affected by this statement.
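To make the evaluation order concrete, the following is an added example, not code from the original page or from Alibaba Cloud: a small local evaluator that models the RAM-style rules the policy relies on (an explicit Deny wins, otherwise a matching Allow grants access, otherwise access is implicitly denied; every condition operator and key must match, while any listed value may match). It assumes the tag condition key is spelled acs:ResourceTag/function with the value database, pairs the Deny with a constructed broad Allow statement so that the non-denied cases resolve to Allow, and uses a constructed instance ARN. It is a teaching model of the semantics, not the RAM service's own evaluator.

```python
"""Local model of the tag-conditional Deny pattern (added example, not RAM's evaluator)."""
import fnmatch
import json

# Constructed policy set for this example: a broad Allow for ECS plus the
# tag-scoped Deny on attaching a public IP address.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:*",
      "Resource": "acs:ecs:*:*:instance/*"
    },
    {
      "Effect": "Deny",
      "Action": ["ecs:ModifyInstanceNetworkSpec"],
      "Resource": "acs:ecs:*:*:instance/*",
      "Condition": {
        "StringEquals": {"acs:ResourceTag/function": ["database"]},
        "Bool": {"ecs:AssociatePublicIpAddress": ["true"]}
      }
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_any(value, patterns):
    # '*' in Action and Resource is a wildcard; fnmatch behaves the same on these strings.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def build_context(request):
    """Flatten a request into condition keys: acs:ResourceTag/<key> for each tag on the
    target resource (assumed spelling), plus request parameters passed through as-is."""
    ctx = {f"acs:ResourceTag/{k}": v for k, v in request.get("tags", {}).items()}
    ctx.update(request.get("params", {}))
    return ctx


def condition_matches(condition, ctx):
    """All operators and all keys must match (AND); any value in a list may match (OR).
    A key that is absent from the request context never satisfies StringEquals or Bool."""
    for operator, clauses in condition.items():
        for key, accepted in clauses.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            accepted = [str(a) for a in _as_list(accepted)]
            if operator == "StringEquals":
                if str(actual) not in accepted:
                    return False
            elif operator == "Bool":
                if str(actual).lower() not in [a.lower() for a in accepted]:
                    return False
            else:
                raise ValueError(f"operator not modelled in this example: {operator}")
    return True


def evaluate(policy, request):
    """Explicit Deny short-circuits; a matching Allow yields Allow; otherwise implicit Deny."""
    ctx = build_context(request)
    outcome = "Deny"
    for stmt in policy["Statement"]:
        if not _glob_any(request["action"], stmt["Action"]):
            continue
        if not _glob_any(request["resource"], stmt["Resource"]):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        outcome = "Allow"
    return outcome


def demo():
    """Evaluate constructed requests against SAMPLE_POLICY; returns {case: outcome}."""
    instance = "acs:ecs:cn-hangzhou:123456789012:instance/i-example"  # constructed ARN
    modify = "ecs:ModifyInstanceNetworkSpec"
    cases = {
        "db_public_ip": {"action": modify, "resource": instance,
                         "tags": {"function": "database"},
                         "params": {"ecs:AssociatePublicIpAddress": "true"}},
        "db_no_public_ip": {"action": modify, "resource": instance,
                            "tags": {"function": "database"},
                            "params": {"ecs:AssociatePublicIpAddress": "false"}},
        "web_public_ip": {"action": modify, "resource": instance,
                          "tags": {"function": "web"},
                          "params": {"ecs:AssociatePublicIpAddress": "true"}},
        "untagged_public_ip": {"action": modify, "resource": instance,
                               "tags": {},
                               "params": {"ecs:AssociatePublicIpAddress": "true"}},
        "db_other_action": {"action": "ecs:DescribeInstances", "resource": instance,
                            "tags": {"function": "database"}, "params": {}},
    }
    return {name: evaluate(SAMPLE_POLICY, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} -> {outcome}")
```

The untagged_public_ip case is the one to watch: because the Deny is keyed on the tag, an instance that was never tagged, or whose tag was removed, falls outside the Deny and the broad Allow wins. Tag-based guardrails therefore only hold when tagging is complete and when the ability to change those tags is itself restricted.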