Is it possible use tags on AWS S3 objects in AWS IAM policies?

0

Hello! I created this policy:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "DenyAllTagProd",
			"Effect": "Deny",
			"Action": [
				"*"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/env": "prod"
				}
			}
		}
	]
}

I attached it to my IAM user together with several other policies that grant all needed permissions; for S3, I have attached AmazonS3FullAccess. I found that I have protected most of my resources, such as EC2 instances, ALBs, target groups, IAM roles, and CloudFront distributions. With these resources, all works fine, but I still can remove objects and S3 buckets tagged with env: prod. I have looked in the documentation and just googled this issue, but can't find a solution or an explanation of how to resolve this. Could someone help with this issue?

Serhii
asked 9 months ago, 272 views
1 answer
0

Hello @Serhii!

Yes, it's possible to deny actions on tagged resources, but the condition is different. I got it to work with the following condition:

            "Condition": {
                "StringEqualsIfExists": {
                    "aws:RequestTag/env": "prod"
                }
            }

The following example policy denies anyone who has it attached from deleting S3 objects in a specific bucket if the object is tagged with env:prod.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::your-bucket/*",
            "Condition": {
                "StringEqualsIfExists": {
                    "aws:RequestTag/env": "prod"
                }
            }
        }
    ]
}

This is an IAM policy, so make sure that you attach it to roles, groups or users that you want to prevent from taking actions on the tagged resources.

If you want an S3 resource policy, it's a little different: you must specify the principal.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEqualsIfExists": {
          "aws:RequestTag/env": "prod"
        }
      }
    }
  ]
}

Hope this helps you.

Let me know if you have any further questions.

answered 9 months ago
AWS EXPERT
verified 9 months ago
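An added example, not part of the question or the answer above: a small offline model of how IAM evaluates the three condition forms discussed here against an s3:DeleteObject request. It assumes the documented context keys (S3 exposes an object's existing tags as s3:ExistingObjectTag/<key>, a plain DeleteObject carries no aws:RequestTag/* keys, and aws:ResourceTag/* is not populated for S3 objects), and the evaluator is a simplification that handles only StringEquals and StringEqualsIfExists on a single Deny statement.

```python
"""Offline model of how IAM evaluates a tag condition for s3:DeleteObject."""


def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate one Condition block against a request context.

    Supports StringEquals and StringEqualsIfExists only. Per IAM semantics a
    missing context key makes StringEquals false, while the ...IfExists form
    treats a missing key as a match.
    """
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        for key, expected in pairs.items():
            if key not in context:
                if not if_exists:
                    return False
                continue  # IfExists: absent key counts as a match
            if context[key] != expected:
                return False
    return True


def delete_denied(policy_condition: dict, object_tags: dict) -> bool:
    """Return True if a Deny statement with this condition blocks the delete."""
    # Constructed request context for s3:DeleteObject (assumption, see lead-in):
    # S3 populates s3:ExistingObjectTag/<key> from the object's current tags;
    # a plain delete carries no request tags, so no aws:RequestTag/* key is
    # present, and aws:ResourceTag/* is not populated for objects at all.
    context = {f"s3:ExistingObjectTag/{k}": v for k, v in object_tags.items()}
    return condition_matches(policy_condition, context)


# The three condition forms: the question's, the answer's, and the S3 object-tag key.
ASKER = {"StringEquals": {"aws:ResourceTag/env": "prod"}}
ANSWER = {"StringEqualsIfExists": {"aws:RequestTag/env": "prod"}}
OBJECT_TAG = {"StringEquals": {"s3:ExistingObjectTag/env": "prod"}}

# Constructed sample objects: tagged prod, tagged dev, and untagged.
PROD = {"env": "prod"}
DEV = {"env": "dev"}
UNTAGGED = {}

if __name__ == "__main__":
    for name, cond in (("asker", ASKER), ("answer", ANSWER), ("object-tag", OBJECT_TAG)):
        print(name, [delete_denied(cond, tags) for tags in (PROD, DEV, UNTAGGED)])
```

Running it shows the check worth doing before deployment: the aws:ResourceTag form never denies (the key is absent for objects), the aws:RequestTag form with IfExists denies every delete regardless of tags (absent key counts as a match), and only s3:ExistingObjectTag denies just the prod-tagged object.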
