将 <principalarn> 替换为允许执行这些标签操作(即不受本策略各条 Deny 约束)的用户或角色的 ARN,比如:"arn:aws:iam::123456789012:role/org-admins/iam-admin";注意 StringNotEquals 是精确、区分大小写的字符串比较,ARN 必须完全一致;若填写的是角色 ARN,则通过该角色会话发起的请求其 aws:PrincipalArn 即为该角色 ARN;
将 <tag-key> 替换为 EC2 资源上用作授权标记的标签键,比如:access-project。这样,只要资源上已经存在该标签键("Null": false 表示键存在,与其取值无关),就不允许修改该资源的标签,除非操作者是 <principalarn> 所指定的用户或角色。该占位符在策略中出现多处(ec2:ResourceTag、aws:RequestTag、aws:PrincipalTag、aws:TagKeys 及其变量引用),需要全部替换为同一个键。
"Sid" 为 "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch" 的这条语句表示:当资源上已经带有该标签键、且请求主体不是指定主体时,拒绝对 EC2 标签的创建和删除;反过来,如果标签键不存在并且请求主体是指定的主体,则这条语句不会拒绝,可以修改 EC2 的标签(策略中其余各条 Deny 语句仍会各自独立生效);
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch",
"Effect": "Deny",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": [
"*"
],
"Condition": {
"StringNotEquals": {
"aws:PrincipalArn": "<principalarn>"
},
"Null": {
"ec2:ResourceTag/<tag-key>": false
}
}
},
{
"Sid": "DenyModifyResAuthzTagIfPrinTagDontMatch",
"Effect": "Deny",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": [
"*"
],
"Condition": {
"StringNotEquals": {
"aws:RequestTag/<tag-key>": "${aws:PrincipalTag/<tag-key>}",
"aws:PrincipalArn": "<principalarn>"
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"<tag-key>"
]
}
}
},
{
"Sid": "DenyModifyTagsIfPrinTagNotExists",
"Effect": "Deny",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": [
"*"
],
"Condition": {
"StringNotEquals": {
"aws:PrincipalArn": "<principalarn>"
},
"Null": {
"aws:PrincipalTag/<tag-key>": true
}
}
},
{
"Sid": "ProtectDataPerimeterTags",
"Effect": "Deny",
"Action": [
"iam:TagRole",
"iam:TagUser",
"iam:UntagRole",
"iam:UntagUser",
"config:TagResource",
"config:UntagResource"
],
"Resource": [
"*"
],
"Condition": {
"StringNotEquals": {
"aws:PrincipalArn": "<principalarn>"
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"network-perimeter-exception",
"resource-perimeter-exception",
"identity-perimeter-exception",
"data-perimeter-include",
"team",
"cost-center",
"owner",
"workload",
"pii",
"pii-type",
"sensitivity",
"protect"
]
}
}
}
]
}