I want to use AWS Identity and Access Management (IAM) policies with tag-based access control to restrict access to objects in an Amazon Simple Storage Service (Amazon S3) bucket.
Resolution
The following policies are examples of how you can use object tags to control access to Amazon S3 bucket objects.
Note:
- In the following example policies, replace awsexamplebucket with your S3 bucket name. Also, replace the CreationDate, Owner, security, and environment tag keys with your tag keys.
- The CreateBucket API doesn't support tags.
- Use the PutBucketTagging API to add tags to the bucket that you create.
- Amazon S3 supports tag-based authorization for only object resources.
Use an identity-based policy to allow a user to read only the objects that have a specific tag key and value
The following identity-based policy grants s3:GetObject permission on all objects in the awsexamplebucket1 bucket. The policy uses the s3:ExistingObjectTag condition key to restrict access to only the objects that carry the security: public key-value pair:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::awsexamplebucket1/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/security": "public"
        }
      }
    }
  ]
}
Use an identity-based policy to restrict the object tag keys that users can add
The following identity-based policy restricts the tag keys that users can add to objects in the awsexamplebucket1 bucket. Users can add only tags with the Owner or CreationDate keys. When you control the tag keys that users can add to objects, you maintain a consistent tagging scheme for the bucket's objects:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObjectTagging",
      "Resource": "arn:aws:s3:::awsexamplebucket1/*",
      "Condition": {
        "ForAllValues:StringLike": {
          "s3:RequestObjectTagKeys": [
            "Owner",
            "CreationDate"
          ]
        }
      }
    }
  ]
}
Use a bucket policy to allow a user to read only the objects that have a specific tag key and value
The following bucket policy allows the JohnDoe role to read only the objects that have the environment: production key-value pair. The policy uses the s3:ExistingObjectTag condition key to specify the key-value pair:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:role/JohnDoe"
        ]
      },
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::awsexamplebucket/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/environment": "production"
        }
      }
    }
  ]
}
Use a bucket policy to restrict the object tag keys that users can add to an object
The following bucket policy restricts the tag keys that users can add to objects in the awsexamplebucket bucket. Users can add only tags with the Owner or CreationDate keys. When you control the tag keys that users can add to objects, you maintain a consistent tagging scheme for the bucket's objects:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:role/JohnDoe"
        ]
      },
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:::awsexamplebucket/*"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "s3:RequestObjectTagKeys": [
            "Owner",
            "CreationDate"
          ]
        }
      }
    }
  ]
}
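To see how the two condition keys behave before deploying a policy, the following added example (not part of the AWS article and not the IAM policy engine) simulates the evaluation of the read-only-tagged-objects statement and the restrict-tag-keys statement above against constructed requests. It models only the operators these policies use (StringEquals, StringLike, the ForAllValues and ForAnyValue set qualifiers) and IAM's * wildcard in Resource ARNs; the bucket name awsexamplebucket1, the object key, and the helper names are assumptions. Two edge cases worth checking are shown: an object with no security tag never satisfies a single-valued StringEquals, and a tagging request that carries no tag keys at all passes ForAllValues because the empty set is vacuously matched.

```python
import fnmatch

# Constructed statements, shaped like the policies in the text (bucket name assumed).
READ_PUBLIC_ONLY = {
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::awsexamplebucket1/*",
    "Condition": {"StringEquals": {"s3:ExistingObjectTag/security": "public"}},
}
RESTRICT_TAG_KEYS = {
    "Effect": "Allow",
    "Action": ["s3:PutObjectTagging"],
    "Resource": ["arn:aws:s3:::awsexamplebucket1/*"],
    "Condition": {
        "ForAllValues:StringEquals": {"s3:RequestObjectTagKeys": ["Owner", "CreationDate"]}
    },
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _string_match(base_op, request_value, policy_values):
    """StringEquals is exact and case-sensitive; StringLike allows * and ? wildcards."""
    if base_op == "StringEquals":
        return request_value in policy_values
    if base_op == "StringLike":
        return any(fnmatch.fnmatchcase(request_value, p) for p in policy_values)
    raise ValueError(f"operator not modelled: {base_op}")


def condition_allows(condition, request_ctx):
    """Every operator/key pair in a Condition block must hold (logical AND).
    request_ctx maps a condition key to the list of values present in the request;
    an absent key models a request that does not carry that key at all."""
    for operator, pairs in condition.items():
        set_qualifier, _, base_op = operator.rpartition(":")
        for key, policy_values in pairs.items():
            policy_values = _as_list(policy_values)
            request_values = request_ctx.get(key, [])
            if set_qualifier == "ForAllValues":
                # Set operator: true when every request value matches some policy value.
                # Vacuously true for an empty set, so a request with no tag keys passes.
                ok = all(_string_match(base_op, v, policy_values) for v in request_values)
            elif set_qualifier == "ForAnyValue":
                ok = any(_string_match(base_op, v, policy_values) for v in request_values)
            else:
                # Single-valued operator: a missing key makes the condition false.
                ok = bool(request_values) and _string_match(base_op, request_values[0], policy_values)
            if not ok:
                return False
    return True


def resource_matches(pattern, resource_arn):
    """IAM resource patterns: * matches any run of characters, including '/'."""
    return fnmatch.fnmatchcase(resource_arn, pattern)


def statement_allows(statement, action, resource_arn, request_ctx):
    """Allow only when the action, the resource and every condition match.
    Principal matching (used by bucket policies) is assumed to have succeeded already."""
    return (statement["Effect"] == "Allow"
            and action in _as_list(statement["Action"])
            and any(resource_matches(p, resource_arn) for p in _as_list(statement["Resource"]))
            and condition_allows(statement.get("Condition", {}), request_ctx))


def existing_tag_context(tags):
    """Context for a read request: one s3:ExistingObjectTag/<key> entry per tag on the object."""
    return {f"s3:ExistingObjectTag/{k}": [v] for k, v in tags.items()}


def request_tag_keys_context(keys):
    """Context for a tagging request: the tag keys the caller is trying to write."""
    return {"s3:RequestObjectTagKeys": list(keys)}


OBJ = "arn:aws:s3:::awsexamplebucket1/reports/q1.csv"  # constructed object ARN


def can_read(object_tags):
    return statement_allows(READ_PUBLIC_ONLY, "s3:GetObject", OBJ, existing_tag_context(object_tags))


def can_tag(tag_keys):
    return statement_allows(RESTRICT_TAG_KEYS, "s3:PutObjectTagging", OBJ, request_tag_keys_context(tag_keys))


if __name__ == "__main__":
    print(can_read({"security": "public"}))    # True
    print(can_read({"security": "internal"}))  # False
    print(can_read({}))                        # False: no security tag, StringEquals cannot match
    print(can_tag(["Owner", "CreationDate"]))  # True
    print(can_tag(["Owner", "Project"]))       # False: one disallowed key fails ForAllValues
    print(can_tag([]))                         # True: empty tag set passes ForAllValues
```

The resource_matches helper also makes the scope of a Resource pattern visible: a bare prefix such as arn:aws:s3:::awsexamplebucket* matches objects in any bucket whose name starts with awsexamplebucket (for example awsexamplebucket-logs), while arn:aws:s3:::awsexamplebucket/* matches only objects in that one bucket. Note as well that these statements govern s3:PutObjectTagging; tags supplied at upload time through the x-amz-tagging header are authorized under s3:PutObject, so a complete tagging scheme applies the same s3:RequestObjectTagKeys condition to that action too.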