Create SCP exemptions

Question

Hi I am trying to create a policy that restrict uploading objects without encryption, also want to create an exemption for certain buckets tagged with reserved tag `exempted` this doesn't seem to work, i think the reason probably is that tags at the bucket level are not checked when object resource is being added.

Is there an alternative to create SCP exemptions at bucket level?

```
    {
      "Sid": "DenyNoEncryption",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256",
          "aws:ResourceTag/exempted": "yes"
        }
      }
    }
```

Answer

Try this, let me know if this resolves your issue.

[Curated SCPs and Config Rules](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/scp-library-compliance.html)

### SCP: Restrict S3 uploads

Prevent uploads of unencrypted S3 objects.

```
{
            "Sid": "DenyUnencryptedS3Uploads",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "s3:x-amz-server-side-encryption": ["aws:kms", "AES256"]
                },
                "Null": {
                    "s3:x-amz-server-side-encryption": "false"
                }
            }
        }
    ]
}
```

Create SCP exemptions

SCP: Restrict S3 uploads

Contenuto pertinente