EC2 - auto-tag aws userName on resources

• Note that this can work for other resources besides EC2, and the principalId is optional. principalId tag is useful if you want to enforce users not being able to shut down each others VMs unless their principalId matches (meaning they originally spun up the resource). Documentation about principalId here: https://aws.amazon.com/blogs/security/how-to-automatically-tag-amazon-ec2-resources-in-response-to-api-events/

  policies:
  - name: ec2-auto-tag-user
    resource: ec2
    mode:
      type: cloudtrail
      role: arn:aws:iam::{account_id}:role/custodian-auto-tagger
      # note {account_id} is optional. If you put that there instead of
      # your actual account number, when the policy is provisioned it
      # will automatically inherit the account_id properly
      events:
        - RunInstances
    filters:
      - tag:CreatorName: absent
    actions:
      - type: auto-tag-user
        tag: CreatorName
        principal_id_tag: CreatorId