IAM Policy Question using conditions


Hi Team

I need to write a policy for one of the services where I don't see condition support (https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html) for the actions CreateKeysAndCertificate and CreatePolicyVersion (dependent actions/conditions are not supported for these permissions).

I'm not sure how to write the condition. For now this is what I wrote:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IOTPermissions",
            "Effect": "Allow",
            "Action": [
                "iot:CreateKeysAndCertificate",
                "iot:CreatePolicyVersion"
            ],
            "Resource": "arn:${Partition}:iot:${Region}:${Account}:/"
        }
    ]
}

I know how to write or use the condition if the action supports it, based on the documentation.

I want to use either aws:ResourceTag, aws:RequestTag or aws:TagKeys with some key/value pair (e.g. Department is the key and the value will be FinanceTeam).

kumar
Asked 2 months ago, 162 views
1 answer

Hello.

I think the policy would probably be something like this:
When you look at the document table for "iot:CreateKeysAndCertificate", the resource is blank, so you cannot set anything other than "*".
"iot:CreatePolicyVersion" allows you to specify "aws:ResourceTag" when the resource is "policy*", so I thought it would be as follows.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html

{ 
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IOTPermissions", 
            "Effect": "Allow",
            "Action": [
                "iot:CreateKeysAndCertificate"
            ],
            "Resource": "*"
        },
        {
            "Sid": "test",
            "Effect": "Allow",
            "Action": [
                "iot:CreatePolicyVersion"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Department": "FinanceTeam"
                }
            }
        }
    ]
}
Expert
Answered 2 months ago
AWS Expert
Reviewed 2 months ago
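To see what the two statements in the answer actually grant, here is an added offline check (example code, not from the answer or from AWS): a minimal evaluator for the policy above, with the version string assumed to be the real policy-language version "2012-10-17". It models only what this policy uses (exact action names, the StringEquals operator, Allow/Deny), and takes the target resource's tags as request-context keys of the form aws:ResourceTag/<Key>. It shows that iot:CreatePolicyVersion is only allowed when the target policy carries Department=FinanceTeam, while iot:CreateKeysAndCertificate is allowed unconditionally because that action has no resource-level permissions to tag-scope.

```python
import json

# Constructed example policy: the answer's policy with the Version corrected.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IOTPermissions",
            "Effect": "Allow",
            "Action": ["iot:CreateKeysAndCertificate"],
            "Resource": "*",
        },
        {
            "Sid": "test",
            "Effect": "Allow",
            "Action": ["iot:CreatePolicyVersion"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:ResourceTag/Department": "FinanceTeam"}
            },
        },
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate the condition block (only StringEquals is modelled here).

    All keys in the block must match (logical AND). A key that is absent
    from the request context fails a StringEquals test, which is why an
    untagged policy is not matched by an aws:ResourceTag condition.
    """
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                return False
            if context[key] not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, context):
    """Simplified identity-policy evaluation.

    A matching explicit Deny wins, any matching Allow grants access, and
    everything else is an implicit deny. Resource matching is not modelled
    because both statements use "*"; `context` carries the condition keys
    of the request, e.g. the target policy's tags.
    """
    decision = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=4))
    finance = {"aws:ResourceTag/Department": "FinanceTeam"}
    other = {"aws:ResourceTag/Department": "Marketing"}
    print("CreatePolicyVersion on FinanceTeam policy:",
          is_allowed(POLICY, "iot:CreatePolicyVersion", finance))
    print("CreatePolicyVersion on Marketing policy:",
          is_allowed(POLICY, "iot:CreatePolicyVersion", other))
    print("CreatePolicyVersion on untagged policy:",
          is_allowed(POLICY, "iot:CreatePolicyVersion", {}))
    print("CreateKeysAndCertificate:",
          is_allowed(POLICY, "iot:CreateKeysAndCertificate", {}))
```

The practical consequence for the questioner: tag-scoping only constrains the second statement, so any principal holding this policy can still mint certificates for the whole account; that is inherent to iot:CreateKeysAndCertificate and has to be controlled by who receives the policy, not by a condition.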
