Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Is it possible use tags on AWS S3 objects in AWS IAM policies?

0

Hello! I created policy

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "DenyAllTagProd",
			"Effect": "Deny",
			"Action": [
				"*"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/env": "prod"
				}
			}
		}
	]
}

Attached it to my IAM user with several other policies, that grant all needed permissions, for S3, I have attached AmazonS3FullAccess. And figured out, that I have protected most part of my resources, such as EC2 instances, ALB, TargetGroup, IAM Roles, and CloudFront Distributions. With these resources, all works fine, but I still can remove objects and S3 Buckets tagged by env: prod. I have looked in the documentation and just google this issue, but can't find a solution or explanation of how to resolve this. Could someone help with this issue?

Temas
Seguridad, identidad y cumplimiento
Etiquetas
Políticas de IAM
Idioma
English
Serhii
preguntada hace 9 meses270 visualizaciones
1 Respuesta
0

Hello @Serhii!

Yes it's possible to deny actions on tagged resources, but the condition is different. I got it to work with the following condition:

            "Condition": {
                "StringEqualsIfExists": {
                    "aws:RequestTag/env": "prod"
                }

The following example policy denies anyone who has it attached of deleting S3 objects in a specific bucket if object is tagged with env:prod.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::your-bucket/*",
            "Condition": {
                "StringEqualsIfExists": {
                    "aws:RequestTag/env": "prod"
                }
            }
        }
    ]
}

This is an IAM policy, so make sure that you attach it to roles, groups or users that you want to prevent from taking actions on the tagged resources.

If you want an S3 resource policy, it's a little different, you must specify the principal:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEqualsIfExists": {
          "aws:RequestTag/env": "prod"
        }
      }
    }
  ]
}

Hope this help you,

Let me know if have any further questions.

Arthur Lopes
respondido hace 9 meses
profile pictureAWS
EXPERTO
Jose Guay
revisado hace 9 meses

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante