I'm trying to find a way to add default tags when someone on the account tries to create an EC2 instance. Right now I have set up rules which only monitor whether the tags have been created.
I need something so that when an instance is created they must fill in the tag and only then can go on to launch the instance. Is this possible? If so, how?
I have searched online and there hasn't been anything which does exactly what I want.
I had a look at: https://aws.amazon.com/blogs/aws/new-tag-ec2-instances-ebs-volumes-on-creation/
I then made a policy (below) but it still didn't work.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateTaggedVolumes",
            "Effect": "Allow",
            "Action": "ec2:CreateVolume",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Name": "",
                    "aws:RequestTag/Owner": "",
                    "aws:RequestTag/Project": "",
                    "aws:RequestTag/Schedule": ""
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "Name",
                        "Owner",
                        "Project",
                        "Schedule"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "CreateVolume"
                }
            }
        }
    ]
}
I have simulated the same scenario using the policy code below. The following example policy allows a user to launch an EC2 instance and create an EBS volume only if the user applies all the tags that are defined in the policy using the qualifier ForAllValues (Key1 & Key2). If the user applies any tag that is not included in the policy, the action is denied.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowToDescribeAll",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowRunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*"
            ]
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/key1": "value1",
                    "aws:RequestTag/key2": "value2"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "key1",
                        "key2"
                    ]
                }
            }
        },
        {
            "Sid": "AllowCreateTagsOnlyLaunching",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}
[Screenshots of the console walkthrough: Added Storage; No Tags Added; Failed to Launch without Tags; Required Tags Added; Launch Started with Tag Value]
AWS Reference Guide
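To make the allow/deny outcomes of the answer's "AllowRunInstancesWithRestrictions" statement concrete without calling AWS, here is an added example (not part of the answer, and not an AWS tool) that evaluates the two condition operators the policy relies on, StringEquals on aws:RequestTag/<key> and ForAllValues:StringEquals on aws:TagKeys, against a set of request tags. The statements embedded below are copied from the policies on this page; the evaluator itself, its function names and the sample tag sets are constructed for illustration and model only those two operators.

```python
"""Offline mini-evaluator for IAM tag-on-create conditions (added example)."""
import json
from typing import Dict, List

# The answer's restricted statement, copied from the page.
RESTRICTED_STATEMENT = json.loads("""
{
  "Sid": "AllowRunInstancesWithRestrictions",
  "Effect": "Allow",
  "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
  "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
  "Condition": {
    "StringEquals": {"aws:RequestTag/key1": "value1", "aws:RequestTag/key2": "value2"},
    "ForAllValues:StringEquals": {"aws:TagKeys": ["key1", "key2"]}
  }
}
""")

# The question's statement, copied from the page: note it only covers ec2:CreateVolume.
QUESTION_STATEMENT = json.loads("""
{
  "Sid": "AllowCreateTaggedVolumes",
  "Effect": "Allow",
  "Action": "ec2:CreateVolume",
  "Resource": "*",
  "Condition": {
    "StringEquals": {"aws:RequestTag/Name": "", "aws:RequestTag/Owner": "",
                     "aws:RequestTag/Project": "", "aws:RequestTag/Schedule": ""},
    "ForAllValues:StringEquals": {"aws:TagKeys": ["Name", "Owner", "Project", "Schedule"]}
  }
}
""")


def _actions(stmt: dict) -> List[str]:
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else list(a)


def _action_matches(pattern: str, action: str) -> bool:
    # Supports the trailing-wildcard form used on the page ("ec2:Describe*").
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _string_equals(block: Dict[str, str], tags: Dict[str, str]) -> bool:
    # Every aws:RequestTag/<key> must be present in the request with exactly that value.
    # A missing tag means the condition key is absent, so StringEquals is false.
    prefix = "aws:RequestTag/"
    for cond_key, wanted in block.items():
        if not cond_key.startswith(prefix):
            return False  # toy evaluator: unknown condition keys are treated as unsatisfied
        if tags.get(cond_key[len(prefix):]) != wanted:
            return False
    return True


def _for_all_values_string_equals(block: dict, tags: Dict[str, str]) -> bool:
    # ForAllValues: every tag key in the request must be in the allowed list.
    # An empty request key set satisfies it, which is why this operator alone
    # never forces a tag to be present; StringEquals above does that.
    allowed = set(block.get("aws:TagKeys", []))
    return all(k in allowed for k in tags)


_OPERATORS = {
    "StringEquals": _string_equals,
    "ForAllValues:StringEquals": _for_all_values_string_equals,
}


def statement_allows(stmt: dict, action: str, tags: Dict[str, str]) -> bool:
    """True if this Allow statement matches the action and all its conditions hold."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(_action_matches(p, action) for p in _actions(stmt)):
        return False
    for op, block in stmt.get("Condition", {}).items():
        if op not in _OPERATORS or not _OPERATORS[op](block, tags):
            return False  # unsupported operator or failed check: no allow
    return True


def launch_allowed(tags: Dict[str, str], stmt: dict = RESTRICTED_STATEMENT) -> bool:
    """Would ec2:RunInstances with these request tags be allowed by the statement?"""
    return statement_allows(stmt, "ec2:RunInstances", tags)


if __name__ == "__main__":
    # Constructed sample requests mirroring the screenshots in the answer.
    cases = {
        "no tags": {},
        "only key1": {"key1": "value1"},
        "both required": {"key1": "value1", "key2": "value2"},
        "required plus extra": {"key1": "value1", "key2": "value2", "Name": "web"},
        "wrong value": {"key1": "other", "key2": "value2"},
    }
    for label, tags in cases.items():
        print(f"{label:20s} -> {'ALLOW' if launch_allowed(tags) else 'no match (implicit deny)'}")
```

Running it shows the behaviour the answer's screenshots illustrate: a launch with no tags or with only one of the required tags gets no Allow, both required tags with the expected values are allowed, and adding any key outside the aws:TagKeys list fails the ForAllValues check. Evaluating the question's statement for ec2:RunInstances never matches at all, because its Action is only ec2:CreateVolume, regardless of the tags supplied.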