Is it possible use tags on AWS S3 objects in AWS IAM policies?

Hello @Serhii!

Yes it's possible to deny actions on tagged resources, but the condition is different. I got it to work with the following condition:

            "Condition": {
                "StringEqualsIfExists": {
                    "aws:RequestTag/env": "prod"
                }

The following example policy denies anyone who has it attached of deleting S3 objects in a specific bucket if object is tagged with env:prod.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::your-bucket/*",
            "Condition": {
                "StringEqualsIfExists": {
                    "aws:RequestTag/env": "prod"
                }
            }
        }
    ]
}

This is an IAM policy, so make sure that you attach it to roles, groups or users that you want to prevent from taking actions on the tagged resources.

If you want an S3 resource policy, it's a little different, you must specify the principal:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEqualsIfExists": {
          "aws:RequestTag/env": "prod"
        }
      }
    }
  ]
}

Hope this help you,

Let me know if have any further questions.