EC2 - auto-tag aws userName on resources
Note that this can work for other resources besides EC2, and the principalId is optional. principalId tag is useful if you want to enforce users not being able to shut down each others VMs unless their principalId matches (meaning they originally spun up the resource). Documentation about principalId here: https://aws.amazon.com/blogs/security/how-to-automatically-tag-amazon-ec2-resources-in-response-to-api-events/
policies: - name: ec2-auto-tag-user resource: ec2 mode: type: cloudtrail role: arn:aws:iam::{account_id}:role/custodian-auto-tagger # note {account_id} is optional. If you put that there instead of # your actual account number, when the policy is provisioned it # will automatically inherit the account_id properly events: - RunInstances filters: - tag:CreatorName: absent actions: - type: auto-tag-user tag: CreatorName principal_id_tag: CreatorId