My resources are tagged with the correct tag key and value, but my AWS Identity and Access Management (IAM) policy isn't evaluating the tags on my resources.
Short description
IAM policies can use the global condition key aws:ResourceTag/tag-key to control access based on the resource's tag key and value. However, certain AWS services that allow tags on resources don't support access control with those tags in IAM policies. For example, you can tag Amazon Route 53 hosted zones and Amazon DynamoDB Accelerator (DAX) clusters, but you can't restrict access to those resources with tags. Additionally, even when a service supports tag-based authorization, it might only apply to specific resource types or certain API actions within that service.
To verify whether an AWS service supports access control with tags, see Services that work with IAM. In the service table, look for the services that have Yes in the ABAC column. You can also select the service name for additional documentation on authorization and access control for the service.
Resolution
If an AWS service doesn't support tag-based authorization, then check the resource-level permissions and condition keys that IAM policies support for that service.
For example, you can restrict certain Amazon Route 53 actions, such as GetHostedZone and DeleteHostedZone, to a specific Route 53 hosted zone with resource-level permissions. Include the specific resource Amazon Resource Name (ARN) directly in the IAM policy. The following IAM policy allows those actions, but only on the specified Route 53 hosted zone.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowActionsOnSpecificHostedZone",
            "Effect": "Allow",
            "Action": [
                "route53:GetHostedZone",
                "route53:DeleteHostedZone"
            ],
            "Resource": "arn:aws:route53:::hostedzone/Z1R8UBAEXAMPLE"
        }
    ]
}
Note: Replace Z1R8UBAEXAMPLE with your Route 53 hosted zone ID.
For example IAM policies, see Identity and access management in Amazon Route 53 and IAM service role for DAX.
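As an added check that is not part of the original article, the following Python script scans a policy document for statements whose aws:ResourceTag condition is attached to actions of a service the article names as lacking tag-based authorization (Route 53 and DAX; that service set and the sample policy are constructed for this example and should be extended from the ABAC column of Services that work with IAM). It shows why such a policy "isn't evaluating the tags": the condition key is never present in the request context, so the statement never matches.

```python
import json

# Constructed for this example: service prefixes this page names as accepting
# tags on resources but not supporting aws:ResourceTag in IAM authorization.
# Extend it from the ABAC column of "Services that work with IAM".
NO_RESOURCE_TAG_ABAC = {"route53", "dax"}

def _as_list(value):
    """IAM allows a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def find_ineffective_resource_tag_conditions(policy_json):
    """Return findings for statements whose aws:ResourceTag/... condition is
    attached to actions of a service without tag-based authorization.
    For such services the key is absent from the request context, so a
    StringEquals test on it evaluates false and the statement never matches:
    an Allow grants nothing and a Deny blocks nothing."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        tag_keys = sorted({key for operator in stmt.get("Condition", {}).values()
                           for key in operator
                           if key.lower().startswith("aws:resourcetag/")})
        if not tag_keys:
            continue
        for action in _as_list(stmt.get("Action", [])):
            service = action.split(":", 1)[0].lower()
            if service in NO_RESOURCE_TAG_ABAC:
                findings.append({"Sid": stmt.get("Sid"), "Action": action,
                                 "ConditionKeys": tag_keys})
    return findings

# Constructed sample: scopes Route 53 by tag (ineffective) and S3 by tag (fine).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowHostedZoneByTag", "Effect": "Allow",
         "Action": ["route53:GetHostedZone", "route53:DeleteHostedZone"],
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/team": "dns"}}},
        {"Sid": "AllowObjectsByTag", "Effect": "Allow",
         "Action": "s3:GetObject", "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/team": "dns"}}},
    ],
})

if __name__ == "__main__":
    for finding in find_ineffective_resource_tag_conditions(SAMPLE_POLICY):
        print(f"{finding['Sid']}: {finding['Action']} cannot be restricted by "
              f"{finding['ConditionKeys']}; scope it by resource ARN instead")
```

Statements the script flags should be rewritten to name the hosted zone ARN directly, as in the policy above.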
Related information
Controlling access to AWS resources using tags
Guidance for Tagging on AWS
How do I use the PrincipalTag, ResourceTag, RequestTag, and TagKeys condition keys to create an IAM policy for tag-based restriction?