Create SCP exemptions

0

Hi, I am trying to create a policy that restricts uploading objects without encryption. I also want to create an exemption for certain buckets tagged with a reserved tag `exempted`; this doesn't seem to work. I think the reason is probably that tags at the bucket level are not checked when the object resource is being added.

Is there an alternative to create SCP exemptions at bucket level?

    {
      "Sid": "DenyNoEncryption",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256",
          "aws:ResourceTag/exempted": "yes"
        }
      }
    }
1 answer
0

Try this, let me know if this resolves your issue.

Curated SCPs and Config Rules

SCP: Restrict S3 uploads

Prevent uploads of unencrypted S3 objects.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnencryptedS3Uploads",
                "Effect": "Deny",
                "Action": "s3:PutObject",
                "Resource": "*",
                "Condition": {
                    "StringNotLike": {
                        "s3:x-amz-server-side-encryption": ["aws:kms", "AES256"]
                    },
                    "Null": {
                        "s3:x-amz-server-side-encryption": "false"
                    }
                }
            }
        ]
    }
AWS
abemusa
answered a year ago
  • No, this is not what I asked. I want to add an exemption when a bucket has the tag "exempted": "yes". When the tag is added to the bucket, I would like to NOT enforce this SCP.

  • Yes, the policy itself is working and preventing any non-encrypted uploads, but now I am trying to see if I can add an exemption.
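To make the behaviour discussed in the question and the answer concrete, the following is an added example (not code from the thread or from AWS): a small offline model of how IAM evaluates the condition blocks in the two statements above. It encodes the facts that every key inside one operator block must match (AND), that negated operators such as `StringNotEquals` and `StringNotLike` match when the key is absent from the request context, and that for `s3:PutObject` the request context carries the encryption header but no `aws:ResourceTag/*` key derived from the bucket's tags (the resource of the call is the object, which is what the question observes). It also runs a hypothetical third statement, an assumption of this example rather than a thread suggestion, that carves out exempt buckets by ARN with `NotResource`; the bucket name `exempt-bucket-placeholder` is a placeholder.

```python
"""Offline model of IAM condition evaluation for the SCP statements in this thread.

Added example; it is not the thread's or AWS's code. It models only the subset of
policy semantics needed here (String*, Null, Resource/NotResource wildcards).
"""
from fnmatch import fnmatchcase

# Statement copied from the question.
ASKER_STATEMENT = {
    "Sid": "DenyNoEncryption",
    "Effect": "Deny",
    "Action": "s3:PutObject",
    "Resource": "*",
    "Condition": {
        "StringNotEquals": {
            "s3:x-amz-server-side-encryption": "AES256",
            "aws:ResourceTag/exempted": "yes",
        }
    },
}

# Statement copied from the answer.
ANSWER_STATEMENT = {
    "Sid": "DenyUnencryptedS3Uploads",
    "Effect": "Deny",
    "Action": "s3:PutObject",
    "Resource": "*",
    "Condition": {
        "StringNotLike": {"s3:x-amz-server-side-encryption": ["aws:kms", "AES256"]},
        "Null": {"s3:x-amz-server-side-encryption": "false"},
    },
}

# Hypothetical alternative (assumption of this example, not from the thread):
# exempt specific buckets by ARN instead of by tag. Placeholder bucket name.
EXEMPT_BUCKET = "exempt-bucket-placeholder"
NOTRESOURCE_STATEMENT = {
    "Sid": "DenyNoEncryptionExceptExemptBuckets",
    "Effect": "Deny",
    "Action": "s3:PutObject",
    "NotResource": f"arn:aws:s3:::{EXEMPT_BUCKET}/*",
    "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def put_object_context(sse_header=None):
    """Request context S3 supplies for s3:PutObject (modelled).

    Bucket tags are deliberately not mapped to aws:ResourceTag/*: the resource of a
    PutObject call is the object, so that key is absent whatever the bucket is tagged.
    """
    ctx = {}
    if sse_header is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse_header
    return ctx


def condition_matches(operator, key_values, context):
    """One operator block; every key must match (AND). Negated operators and the
    missing-key rule follow IAM semantics: absent key => StringNot* matches."""
    for key, expected in key_values.items():
        expected = _as_list(expected)
        actual = context.get(key)
        if operator == "StringEquals":
            if actual is None or actual not in expected:
                return False
        elif operator == "StringNotEquals":
            if actual is not None and actual in expected:
                return False
        elif operator == "StringLike":
            if actual is None or not any(fnmatchcase(actual, p) for p in expected):
                return False
        elif operator == "StringNotLike":
            if actual is not None and any(fnmatchcase(actual, p) for p in expected):
                return False
        elif operator == "Null":
            want_absent = str(expected[0]).lower() == "true"
            if (actual is None) != want_absent:
                return False
        else:
            raise ValueError(f"unsupported operator: {operator}")
    return True


def statement_denies(statement, resource_arn, context, action="s3:PutObject"):
    """True when this Deny statement applies to the request (explicit deny wins)."""
    if statement["Effect"] != "Deny":
        return False
    if not any(fnmatchcase(action, p) for p in _as_list(statement["Action"])):
        return False
    if "NotResource" in statement:
        if any(fnmatchcase(resource_arn, p) for p in _as_list(statement["NotResource"])):
            return False
    elif not any(fnmatchcase(resource_arn, p) for p in _as_list(statement["Resource"])):
        return False
    return all(condition_matches(op, kv, context)
               for op, kv in statement.get("Condition", {}).items())


def run_scenarios():
    """Constructed requests against the three statements; returns {name: denied?}."""
    exempt_obj = f"arn:aws:s3:::{EXEMPT_BUCKET}/report.csv"
    other_obj = "arn:aws:s3:::some-other-bucket/report.csv"
    return {
        # Tag key never reaches the context, so the exemption cannot fire.
        "asker_tagged_bucket_unencrypted": statement_denies(ASKER_STATEMENT, exempt_obj, put_object_context()),
        "asker_encrypted": statement_denies(ASKER_STATEMENT, other_obj, put_object_context("AES256")),
        # Null:false requires the header to be present, so a request without it is not matched.
        "answer_no_header": statement_denies(ANSWER_STATEMENT, other_obj, put_object_context()),
        "answer_wrong_header": statement_denies(ANSWER_STATEMENT, other_obj, put_object_context("foo")),
        "answer_kms": statement_denies(ANSWER_STATEMENT, other_obj, put_object_context("aws:kms")),
        # ARN-based carve-out: exempt bucket passes, every other bucket is still denied.
        "notresource_exempt_unencrypted": statement_denies(NOTRESOURCE_STATEMENT, exempt_obj, put_object_context()),
        "notresource_other_unencrypted": statement_denies(NOTRESOURCE_STATEMENT, other_obj, put_object_context()),
    }


if __name__ == "__main__":
    for name, denied in run_scenarios().items():
        print(f"{name:36s} denied={denied}")
```

Two things the model makes visible: the question's statement denies an unencrypted upload even to a tagged bucket, because the tag key is simply not in the request context and a missing key satisfies `StringNotEquals`; and the answer's `"Null": "false"` clause means a request that omits the header altogether is not matched by that statement, leaving the outcome to whatever bucket default encryption is configured. The `NotResource` variant is one way to express a bucket-level carve-out that does not depend on tags, at the cost of maintaining the ARN list in the SCP.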
