1 Answer
Hello @Serhii!
Yes, it's possible to deny actions on tagged resources, but the condition is different. I got it to work with the following condition:
    "Condition": {
        "StringEqualsIfExists": {
            "aws:RequestTag/env": "prod"
        }
    }
The following example policy denies anyone who has it attached from deleting S3 objects in a specific bucket if the object is tagged with env:prod.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": "s3:DeleteObject",
                "Resource": "arn:aws:s3:::your-bucket/*",
                "Condition": {
                    "StringEqualsIfExists": {
                        "aws:RequestTag/env": "prod"
                    }
                }
            }
        ]
    }
This is an IAM policy, so make sure that you attach it to the roles, groups or users that you want to prevent from taking actions on the tagged resources.
If you want an S3 resource policy, it's a little different: you must specify the principal:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "*",
                "Resource": "arn:aws:s3:::example-bucket/*",
                "Condition": {
                    "StringEqualsIfExists": {
                        "aws:RequestTag/env": "prod"
                    }
                }
            }
        ]
    }
Hope this helps you.
Let me know if you have any further questions.
answered 9 months ago
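Before attaching a tag-based deny like the one in the answer above, it is worth checking offline what each condition key and operator actually matches. The following is an added example (my code, not from the answer or from AWS) that models three documented IAM rules: `StringEqualsIfExists` treats a key that is absent from the request context as a match, `aws:RequestTag/<key>` is only present when the request itself carries tags (tagging calls such as PutObjectTagging, not DeleteObject), and `s3:ExistingObjectTag/<key>` reflects the tags already on the object. The bucket name `your-bucket`, the object key `report.csv` and the request contexts are constructed for the demonstration.

```python
"""Offline evaluator for the IAM condition operators used in the answer above.

Added example, not code from the answer or from AWS. Only the documented
semantics of StringEquals / StringEqualsIfExists and of the two tag condition
keys are modelled, so the policies can be reasoned about without calling AWS.
"""
from fnmatch import fnmatchcase


def condition_matches(condition: dict, context: dict) -> bool:
    """Return True when every operator block in `condition` is satisfied.

    StringEquals: the key must be present in the request context and equal.
    StringEqualsIfExists: an absent key counts as a match (documented IfExists
    behaviour), so the statement still applies when the key is missing.
    """
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringEqualsIfExists"):
            raise ValueError(f"operator not modelled here: {operator}")
        for key, wanted in pairs.items():
            wanted_values = wanted if isinstance(wanted, list) else [wanted]
            if key not in context:
                if operator == "StringEqualsIfExists":
                    continue
                return False
            if context[key] not in wanted_values:
                return False
    return True


def policy_denies(policy: dict, action: str, resource: str, context: dict) -> bool:
    """True if any Deny statement in `policy` applies to this request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatchcase(resource, r) for r in resources):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


BUCKET = "arn:aws:s3:::your-bucket"  # placeholder bucket name (constructed)

# Condition as posted in the answer: matches tags carried by the request.
REQUEST_TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:DeleteObject",
        "Resource": f"{BUCKET}/*",
        "Condition": {"StringEqualsIfExists": {"aws:RequestTag/env": "prod"}},
    }],
}

# Same intent expressed with the key that reflects tags already on the object.
EXISTING_TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:DeleteObject",
        "Resource": f"{BUCKET}/*",
        "Condition": {"StringEquals": {"s3:ExistingObjectTag/env": "prod"}},
    }],
}


def delete_request(object_tags: dict) -> dict:
    """Constructed request context for s3:DeleteObject on an object that already
    carries `object_tags`. DeleteObject sends no tags, so no aws:RequestTag/*
    key is present; the object's own tags appear as s3:ExistingObjectTag/<key>."""
    return {f"s3:ExistingObjectTag/{k}": v for k, v in object_tags.items()}


def evaluate_all() -> dict:
    """Evaluate both policies against a prod-tagged and a dev-tagged object."""
    prod = delete_request({"env": "prod"})
    dev = delete_request({"env": "dev"})
    key = f"{BUCKET}/report.csv"  # constructed object key
    act = "s3:DeleteObject"
    return {
        "request_tag_policy_denies_prod": policy_denies(REQUEST_TAG_POLICY, act, key, prod),
        "request_tag_policy_denies_dev": policy_denies(REQUEST_TAG_POLICY, act, key, dev),
        "existing_tag_policy_denies_prod": policy_denies(EXISTING_TAG_POLICY, act, key, prod),
        "existing_tag_policy_denies_dev": policy_denies(EXISTING_TAG_POLICY, act, key, dev),
    }


if __name__ == "__main__":
    for name, denied in evaluate_all().items():
        print(f"{name}: {denied}")
```

Run it and compare the two policies: because a plain DeleteObject carries no request tags, the `aws:RequestTag` condition never sees the key, and `StringEqualsIfExists` then evaluates to true for every object in the bucket, prod-tagged or not. The `s3:ExistingObjectTag` variant denies only the object whose existing tag is env:prod. The same absent-key behaviour applies to the resource-policy version with `"Action": "*"`, which is why a deny of that shape deserves a dry run before it is attached.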