SCP policy to deny all actions on specific tag based resources


Hi, I'm trying to create an SCP to prevent users from modifying specific resources based on a specific tag. This is the policy I've applied, but I can still modify the name, tags and other attributes of the different resources that should be restricted.

    {
        "Sid": "DenyAllActionsOnControlTowerTaggedRessources",
        "Effect": "Deny",
        "Action": [ "" ],
        "Resource": [ "" ],
        "Condition": {
            "StringLike": {
                "aws:ResourceTag/cloudformation:stack-name": ["StackSet-AWSControlTower*"]
            }
        }
    }

I'm hoping for some advice. Thank you.

RoxTeo
Asked 8 months ago, 969 views

1 answer

Hi RoxTeo.

I think the problem might be with how you defined the policy. I'm not sure if you were redacting the policy, but actions and resources should have an asterisk (*) if you want to include all actions/resources.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllActionsOnControlTowerTaggedRessources",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/cloudformation:stack-name": ["StackSet-AWSControlTower*"]
                }
            }
        }
    ]
}

Here are some examples of SCPs with tags. Also note that using StringLike will cause the condition to do case-sensitive evaluations. Per the documentation:

StringLike: Case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string. You must specify wildcards to achieve partial string matches.

Note If a key contains multiple values, StringLike can be qualified with set operators—ForAllValues:StringLike and ForAnyValue:StringLike. For more information, see Multivalued context keys.

I hope this helps.

AWS
Expert
Answered 8 months ago
  • Hi Jose,

    Thank you very much for the reply. Indeed, something happened with the policy while editing the message. My policy looks exactly like the one you posted and it's part of a bigger one also denying other operations on the account. For the StringLike condition, the tag starts with "StackSet-AWSControlTower" and then there is a random string.

    Shouldn't this policy deny all actions (e.g. a name change of the resource etc.) on the identified resources?

    Thank you!

  • I have a similar problem. I want to restrict any role, except for a specified one matched with wildcards, from being able to provision, update or terminate Service Catalog products where the product being launched has tag key = environment and tag value = prod; any other value should be allowed. With the below policy, I have tried both "ResourceTag" and "RequestTag", and for the principal I have also tried "ArnNotLike". I can only prevent the creation, but it can still update and terminate existing provisioned products.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "cloudformation:*",
            "servicecatalog:UpdateProvisionedProduct",
            "servicecatalog:TerminateProvisionedProduct"
          ],
          "Resource": [
            "arn:aws:cloudformation:*:*:stack/SC*",
            "arn:aws:servicecatalog:*:*:stack/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/environment": "prod"
            },
            "StringNotLike": {
              "aws:PrincipalARN": [
                "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_administrators*"
              ]
            }
          }
        }
      ]
    }
    

    When using the "ResourceTag" option, I also get a warning about this problem. https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-deny-with-unsupported-tag-condition-key-for-service

    Any ideas?
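
Both policies in this thread can be checked offline against a request context before they are attached to an OU. What follows is an added example, not code from the thread, from AWS, or from the IAM policy simulator: a small evaluator that covers only the grammar these two Deny statements use, run against constructed requests (the account ID 111122223333, the instance, stack and role ARNs, and the tag values are all made up for the example). It reproduces the three points the thread circles around: the `[""]` form of the first policy matches no action at all; StringLike is case-sensitive; and, which is what the policy-check warning linked in the last comment is about, when a service does not put `aws:ResourceTag/<key>` into the request context for an action, a positive condition on that key evaluates to false and the Deny simply does not apply, so existing resources can still be updated or terminated.

```python
"""Offline evaluator for the Deny-with-tag-condition SCPs in this thread.
Added example, not code from the thread or from AWS. It models only what the
two policies use: Effect=Deny, Action/Resource with IAM '*'/'?' wildcards, and
StringEquals/StringLike (and their Not forms) on request-context keys such as
aws:ResourceTag/<key> and aws:PrincipalARN. Allow, NotAction, policy variables
and the ForAllValues/ForAnyValue set operators are out of scope."""
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_match(pattern, value):
    """IAM string matching: '*' spans any run, '?' one character, the rest is
    literal and case-sensitive (which is why StringLike is case-sensitive)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _op_match(op, pattern, value):
    base = op.replace("Not", "")
    if base == "StringEquals":
        return pattern == value
    if base == "StringLike":
        return wildcard_match(pattern, value)
    raise ValueError(f"operator {op} is not modelled here")


def condition_holds(condition, context):
    """Operator blocks and keys are ANDed; a key's value list is an OR for
    positive operators and 'none may match' for Not operators. A key missing
    from the request context makes a positive operator false and a Not operator
    true (IAM's rule), so a Deny conditioned on aws:ResourceTag never fires for
    an action where the service supplies no resource tags."""
    for op, keys in condition.items():
        negated = "Not" in op
        for key, patterns in keys.items():
            value = context.get(key.lower())
            if value is None:
                if negated:
                    continue
                return False
            hit = any(_op_match(op, p, value) for p in _as_list(patterns))
            if hit == negated:  # positive needs a hit, negated needs none
                return False
    return True


def is_denied(policy, action, resource, context):
    """Sid (or 'Statement[i]') of the first matching Deny statement, else None.
    Actions compare case-insensitively as in IAM; ARNs and tag values are
    case-sensitive; condition key names are not."""
    ctx = {k.lower(): v for k, v in context.items()}
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Deny":
            continue
        if not any(wildcard_match(p.lower(), action.lower())
                   for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(wildcard_match(p, resource)
                   for p in _as_list(stmt.get("Resource", []))):
            continue
        if condition_holds(stmt.get("Condition", {}), ctx):
            return stmt.get("Sid", f"Statement[{i}]")
    return None


# The answer's policy, with the asterisks the forum rendering stripped.
CONTROL_TOWER_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyAllActionsOnControlTowerTaggedRessources",
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringLike": {
        "aws:ResourceTag/cloudformation:stack-name": ["StackSet-AWSControlTower*"]}}}]}
# As the question showed it: "" matches no action and no resource at all.
AS_POSTED_SCP = {"Version": "2012-10-17", "Statement": [
    dict(CONTROL_TOWER_SCP["Statement"][0], Action=[""], Resource=[""])]}
# The second commenter's policy as posted (it carries no Sid).
PROD_SC_SCP = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": ["cloudformation:*", "servicecatalog:UpdateProvisionedProduct",
               "servicecatalog:TerminateProvisionedProduct"],
    "Resource": ["arn:aws:cloudformation:*:*:stack/SC*",
                 "arn:aws:servicecatalog:*:*:stack/*"],
    "Condition": {
        "StringEquals": {"aws:ResourceTag/environment": "prod"},
        "StringNotLike": {"aws:PrincipalARN": [
            "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_administrators*"]}}}]}

# Constructed request data: example account 111122223333, made-up ARNs and tags.
INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
SC_STACK = ("arn:aws:cloudformation:eu-west-1:111122223333:stack/"
            "SC-111122223333-pp-abcd1234efgh5/0a1b2c3d-4e5f-6789-abcd-ef0123456789")
CT_TAG = {"aws:ResourceTag/cloudformation:stack-name":
          "StackSet-AWSControlTower-BP-BASELINE-CLOUDWATCH-1a2b3c4d5e6f"}
DEV_ROLE = "arn:aws:iam::111122223333:role/Developers"
ADMIN_ROLE = ("arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/"
              "eu-west-1/AWSReservedSSO_administrators_0123456789abcdef")

if __name__ == "__main__":
    print(is_denied(CONTROL_TOWER_SCP, "ec2:CreateTags", INSTANCE, CT_TAG))  # the Sid
    print(is_denied(AS_POSTED_SCP, "ec2:CreateTags", INSTANCE, CT_TAG))      # None
    print(is_denied(CONTROL_TOWER_SCP, "ec2:CreateTags", INSTANCE, {}))      # None: no tag key in context
    print(is_denied(PROD_SC_SCP, "cloudformation:UpdateStack", SC_STACK,
                    {"aws:ResourceTag/environment": "prod", "aws:PrincipalARN": DEV_ROLE}))  # Statement[0]
    print(is_denied(PROD_SC_SCP, "cloudformation:UpdateStack", SC_STACK,
                    {"aws:PrincipalARN": DEV_ROLE}))  # None: service passed no tags, Deny skipped
```

Two things this evaluator cannot tell you, and which are the usual reasons a tag-conditioned Deny "does nothing" in practice: whether a given service actually populates `aws:ResourceTag/<key>` for a given action (that is exactly what the IAM policy check linked in the comment above warns about; if it does not, the condition is false and the request falls through to whatever the identity policies allow), and the fact that SCPs never restrict principals in the Organizations management account, so testing from there proves nothing. For ground truth, run the real call from a member-account role and read the CloudTrail event for the allow or the explicit-deny error.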
