Is there a way to create an AWS policy that would restrict an AWS tag name?
For example, if I wanted to create a tag namespace like:
admin.env.prod = true
user.system.profile = webserver
To prevent a user from creating a tag with name 'admin.*' but allow 'user.*' (or anything other than 'admin.*' really).
Unfortunately, not at this time. A user with the necessary permissions can set a tag value of anything on a resource as long as the tag meets the AWS tag requirements. You could write a small script using ec2-describe-tags to periodically check your resource tags for compliance to your desired policy (perhaps using a regular expression?) and notify you if a bad tag name is found.