SCP policy to deny all actions on specific tag based resources

0

Hi, I'm trying to create an SCP to prevent users from modifying specific resources based on a specific tag. This is the policy I've applied, but I can still modify the name, tags and other attributes of the resources that should be restricted.

"Sid": "DenyAllActionsOnControlTowerTaggedRessources", "Effect": "Deny", "Action": [ "" ], "Resource": [ "" ], "Condition": { "StringLike": { "aws:ResourceTag/cloudformation:stack-name": ["StackSet-AWSControlTower*"] }

I'm hoping for some advice. Thank you.

RoxTeo
asked 7 months ago · 891 views
1 Answer
0

Hi RoxTeo.

I think the problem might be with how you defined the policy. I'm not sure if you were redacting the policy, but actions and resources should have an asterisk (*) if you want to include all actions/resources.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllActionsOnControlTowerTaggedRessources",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/cloudformation:stack-name": ["StackSet-AWSControlTower*"]
                }
            }
        }
    ]
}

Here are some examples of SCPs with tags. Also note that using StringLike will cause the condition to do case-sensitive evaluations. Per the documentation:

StringLike Case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string. You must specify wildcards to achieve partial string matches.

Note If a key contains multiple values, StringLike can be qualified with set operators—ForAllValues:StringLike and ForAnyValue:StringLike. For more information, see Multivalued context keys.

I hope this helps.

AWS
EXPERT
answered 7 months ago
  • Hi Jose,

    Thank you very much for the reply. Indeed, something happened with the policy while editing the message. My policy looks exactly like the one you posted and it's part of a bigger one also denying other operations on the account. For the StringLike condition, the tag starts with "StackSet-AWSControlTower" and then there is a random string.

    Shouldn't this policy deny all actions (e.g. name change of the resource etc.) on the identified resources?

    Thank you!

  • I have a similar problem. I want to restrict any role, except for a specified one with wildcards, from being able to provision, update or terminate Service Catalog products where the product being launched has a tag key = environment and a tag value = prod; any other value should be allowed. With the below policy, I have tried both "ResourceTag" and "RequestTag", and also for the principal I have tried "ArnNotLike". I can only prevent the creation, but it can still update and terminate existing provisioned products.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "cloudformation:*",
            "servicecatalog:UpdateProvisionedProduct",
            "servicecatalog:TerminateProvisionedProduct"
          ],
          "Resource": [
            "arn:aws:cloudformation:*:*:stack/SC*",
            "arn:aws:servicecatalog:*:*:stack/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/environment": "prod"
            },
            "StringNotLike": {
              "aws:PrincipalARN": [
                "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_administrators*"
              ]
            }
          }
        }
      ]
    }
    

    When using the "ResourceTag" option, I also get a warning about this problem. https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-deny-with-unsupported-tag-condition-key-for-service

    Any ideas?
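To make the two points in the answer concrete (an empty-string Action/Resource matches nothing, and StringLike is case-sensitive) and to show the principal carve-out from the second comment, here is a small evaluator for a single Deny statement. It is example code written for this thread, not AWS's policy engine: only StringEquals/StringLike/StringNotLike are modelled, the request, account id, ARNs and tag values are constructed, and the condition key aws:PrincipalArn is used for the principal.

```python
import re

def _like(pattern, value):
    # IAM wildcard match: '*' is any run of characters, '?' one character; whole string, case-sensitive
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _condition_holds(condition, ctx):
    # Every operator/key pair must hold. A missing key fails positive operators and
    # passes negated ones (assumed here to mirror IAM; verify for your own use case).
    for op, keys in condition.items():
        for key, pats in keys.items():
            value = ctx.get(key)
            if op == "StringEquals":
                ok = value in pats
            elif op == "StringLike":
                ok = value is not None and any(_like(p, value) for p in pats)
            elif op == "StringNotLike":
                ok = value is None or not any(_like(p, value) for p in pats)
            else:
                raise ValueError(f"unsupported operator {op}")
            if not ok:
                return False
    return True

def deny_matches(stmt, action, resource, ctx):
    # Action names are case-insensitive in IAM (ARNs and tag values are not); "" as posted in the question matches nothing
    act_ok = any(_like(p.lower(), action.lower()) for p in stmt["Action"])
    res_ok = any(_like(p, resource) for p in stmt["Resource"])
    return act_ok and res_ok and _condition_holds(stmt.get("Condition", {}), ctx)

# Constructed request: re-tagging an instance created by a Control Tower StackSet.
TAG_KEY = "aws:ResourceTag/cloudformation:stack-name"
REQ = dict(action="ec2:CreateTags", resource="arn:aws:ec2:eu-west-1:111122223333:instance/i-0123456789abcdef0")
AS_POSTED = {"Effect": "Deny", "Action": [""], "Resource": [""],
             "Condition": {"StringLike": {TAG_KEY: ["StackSet-AWSControlTower*"]}}}
FIXED = dict(AS_POSTED, Action=["*"], Resource=["*"])
# Variant adding the second comment's principal carve-out (condition key aws:PrincipalArn).
EXEMPT_ADMINS = dict(FIXED, Condition=dict(FIXED["Condition"], StringNotLike={"aws:PrincipalArn": [
    "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_administrators*"]}))

def check():
    tagged = {TAG_KEY: "StackSet-AWSControlTower-abc123"}
    admin = dict(tagged, **{"aws:PrincipalArn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_administrators_0123456789abcdef"})
    return {
        "as_posted": deny_matches(AS_POSTED, ctx=tagged, **REQ),  # False: "" matches no action or resource
        "fixed": deny_matches(FIXED, ctx=tagged, **REQ),  # True
        "wrong_case": deny_matches(FIXED, ctx={TAG_KEY: "stackset-awscontroltower-abc123"}, **REQ),  # False
        "admin_exempt": deny_matches(EXEMPT_ADMINS, ctx=admin, **REQ),  # False: StringNotLike excludes the role
    }
```

Swap StringLike for StringEqualsIgnoreCase in the statement if the tag value's case cannot be relied on; the evaluator above would need that operator added.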
