Este contenido no está disponible en el idioma seleccionado

Trabajamos constantemente para que el contenido esté disponible en el idioma seleccionado. Gracias por tu paciencia.

How do I create an IAM policy for tag based restriction with the PrincipalTag, ResourceTag, RequestTag and TagKeys condition keys?

4 minutos de lectura

I want to create an AWS Identity and Access Management (IAM) policy for tag-based restriction. How do I use the PrincipalTag, ResourceTag, RequestTag, and TagKeys condition keys?

Short description

Use the following IAM example policies to create tag-based restriction with condition keys for your use case.

Resolution

PrincipalTag condition key

The aws:PrincipalTag condition key is used to match the tag attached to the principal making the request with the tag in the IAM policy. The value of the PrincipalTag key is compared with the value of the IAM tag with matching tag key if present on the request's principal.

The following example IAM policy provides restriction for an Amazon Simple Storage Service (Amazon S3) bucket. The Amazon S3 PutObject action denied permission to the bucket to all users except those with the title "Product-Manager".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllButProductManagers",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::productionbucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalTag/job-title": "Product-Manager"
        }
      }
    }
  ]
}

ResourceTag condition key

The aws:ResourceTag/tag-key condition key compares the tag key-value pair specified in the IAM policy with the key-value pair that's attached to the AWS resource. For more information, see Controlling access to AWS resources.

During the IAM policy evaluation, the ResourceTag tag is compared with the IAM tag. The value of the ResourceTag key is compared with the value of the IAM tag with the matching key-value pair, if present for the AWS resource. This condition key can be used with global version aws:ResourceTag and AWS services such as ec2:ResourceTag. For more information, see Actions, resources, and condition keys for AWS services.

The following example IAM policy allows users to start, stop, and terminate instances that are in the "test" environment.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyForTestEnvironment",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/Env": "test"
        }
      }
    }
  ]
}

RequestTag condition key

The aws:RequestTag/tag-key condition key used to compare the key-value pair passed in the user request with the tag pair specified in the IAM policy. The condition key is available for actions that create a resource or tag on a resource, and checks the value of the tag.

For example, see the following IAM policy. It enforces users to create a specific tag "Env" with values "Dev", "Prod" or "QA" when creating an Amazon Elastic Block Store (Amazon EBS) volume.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCreateVolumeWithEnvTag",
      "Effect": "Allow",
      "Action": "ec2:CreateVolume",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Env": [
            "Dev",
            "Prod",
            "QA"
          ]
        }
      }
    }
  ]
}

TagKeys condition key

The aws:TagKeys condition key is used to compare the tag keys in a request with the keys specified in the IAM policy. The value of the TagKeys key is compared with the list of tags in the AWS resource request. The TagKeys condition key is used to validate the tag-keys attached to a resource.

Because you can define multiple tag key-value pairs in a request, the request can have multiple values. These values can be compared using the ForAllValues or ForAnyValue set operators.

The following example policy restricts the tags created on an AWS resource. The "Env" and "CostCenter" tags are the only tag keys that users can create with a new Amazon EBS volume. Using the ForAllValues set operator with aws:TagKeys restricts users to attach only the required tags on the AWS resource. This doesn't require users to provide these tag keys in the resource creation request, but it prevents users from creating tags with other key-value pairs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:CreateVolume",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "Env",
            "CostCenter"
          ]
        }
      }
    }
  ]
}

Related information

IAM tutorial: Define permissions to access AWS resources based on tags

Controlling access during AWS requests

Temas

Seguridad, identidad y cumplimiento

Etiquetas

AWS Identity and Access Management

Idioma

English

OFICIAL DE AWSActualizada hace 5 meses

Sin comentarios

Contenido relevante

¿El uso de IAM Identity Center afecta a mis identidades de IAM o a mi configuración de federación?
OFICIAL DE AWSActualizada hace 5 meses
¿Cómo puedo solucionar el error de AWS STS “the security token included in the request is expired” (el token de seguridad incluido en la solicitud ha caducado) cuando uso AWS CLI para asumir un rol de IAM?
OFICIAL DE AWSActualizada hace un año
¿Cómo puedo crear una regla de eventos de EventBridge para que me notifique que se utilizó mi cuenta de usuario raíz de AWS?
OFICIAL DE AWSActualizada hace un año
He agregado etiquetas a mis recursos de AWS, pero mi política de IAM no funciona. ¿Qué servicios de AWS son compatibles con etiquetas basadas en autorizaciones?
OFICIAL DE AWSActualizada hace un año