S3 Post Policy with Tags

Question

Is it possible to create an S3 post policy from server along with object tags so that a client can upload to the S3 bucket? I don't want the client to be able to specify tags, or change the tags. I only want the server to handle that.

Everything I read seems to be that the client sends the tags when posting. The end goal is so that I can filter the bucket based on tags. I can set meta data from the post policy but not sure how to filter off meta data.

Thank you.

Answer

It may be possible to do this by having a bucket policy that allows only those with a specific IAM role to manipulate tags.  
If the server you are talking about is EC2, then IAM roles could be in effect to restrict it.  
https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging-and-policies.html  
For example, you can set up a bucket policy as follows to allow tag operations only from EC2s using a specific IAM role.  
```
{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:PutObjectTagging",
          "Resource": "arn:aws:s3:::S3-Bucket-Name/*",
          "Condition": {
              "StringLike": {
                  "aws:userId": [
                      "AROAxxxxxxxxxxxxxxVAI:*"
                  ]
              }
          }
      }
  ]
}
```

AROAxxxxxxxxxxxxxxxxxxxxVAI" can be checked with the following command.  
```
aws iam get-role --role-name IAM Role Name
```

S3 Post Policy with Tags

Relevanter Inhalt