1 answer
0
Hello @Serhii!
Yes, it's possible to deny actions on tagged resources, but the condition is different. I got it to work with the following condition:
```json
"Condition": { "StringEqualsIfExists": { "aws:RequestTag/env": "prod" } }
```
The following example policy denies anyone who has it attached from deleting S3 objects in a specific bucket if the object is tagged with env:prod.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::your-bucket/*",
      "Condition": {
        "StringEqualsIfExists": { "aws:RequestTag/env": "prod" }
      }
    }
  ]
}
```
This is an IAM policy, so make sure that you attach it to roles, groups or users that you want to prevent from taking actions on the tagged resources.
If you want an S3 resource policy, it's a little different, you must specify the principal:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEqualsIfExists": { "aws:RequestTag/env": "prod" }
      }
    }
  ]
}
```
Hope this helps you,
Let me know if you have any further questions.
answered 9 months ago
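Before attaching a Deny like the one above, it is worth checking how the `...IfExists` suffix behaves when the condition key is missing from a request. The script below is an added example (not code from the answer or from AWS); it models only Deny statements with exact-match `StringEquals` / `StringEqualsIfExists` operators, uses the answer's policy verbatim, and evaluates it against a few constructed requests. Per AWS's documented semantics, an `IfExists` operator evaluates to true when the key is absent, so the Deny also matches a request that carries no `env` tag at all; condition keys such as `aws:RequestTag/...` are only populated when the request itself sends tags, so confirm which keys your own API calls populate before relying on the policy.

```python
"""Tiny offline model of how an IAM Deny statement with a tag condition
evaluates.  Added example, not the answer's code; it handles only Deny
statements and the StringEquals / StringEqualsIfExists operators, which is
enough to show what the IfExists suffix does when the key is absent."""
from fnmatch import fnmatchcase

# The deny policy from the answer above (bucket name is the answer's placeholder).
DENY_PROD_DELETE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:DeleteObject",
        "Resource": "arn:aws:s3:::your-bucket/*",
        "Condition": {"StringEqualsIfExists": {"aws:RequestTag/env": "prod"}},
    }],
}


def _as_list(value):
    """IAM allows a scalar or a list in Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Evaluate a Condition block against the request's context keys.

    Only StringEquals and StringEqualsIfExists are modelled.  With the
    IfExists suffix, a key missing from the request context makes that
    condition element TRUE; without it, a missing key makes it FALSE.
    """
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringEqualsIfExists"):
            raise NotImplementedError(f"operator not modelled: {operator}")
        if_exists = operator.endswith("IfExists")
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue      # absent key: element counts as true
                return False      # absent key: plain StringEquals fails
            if context[key] not in _as_list(expected):
                return False
    return True


def is_denied(policy, action, resource, context):
    """True if any Deny statement in the policy matches the request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


# Constructed sample object ARN inside the answer's placeholder bucket.
OBJ = "arn:aws:s3:::your-bucket/report.csv"


def check_cases():
    """Constructed requests; returns which of them the Deny statement blocks."""
    delete = "s3:DeleteObject"
    return {
        "env=prod":     is_denied(DENY_PROD_DELETE, delete, OBJ, {"aws:RequestTag/env": "prod"}),
        "env=dev":      is_denied(DENY_PROD_DELETE, delete, OBJ, {"aws:RequestTag/env": "dev"}),
        "no env key":   is_denied(DENY_PROD_DELETE, delete, OBJ, {}),
        "other bucket": is_denied(DENY_PROD_DELETE, delete, "arn:aws:s3:::other/x", {}),
    }


if __name__ == "__main__":
    for name, denied in check_cases().items():
        print(f"{name:12s} -> {'DENIED' if denied else 'not denied'}")
```

The "no env key" case is the one to look at: the request is denied even though it carries no `env` tag, because `StringEqualsIfExists` treats the missing key as a match. If the intent is to deny only requests that explicitly carry `env=prod`, the same model with plain `StringEquals` shows the opposite result for that case.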