2 Answers
5
One way to approach this problem could be as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": { "StringEquals": { "aws:RequestTag/owner": "${aws:PrincipalTag/owner}" } }
    },
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": { "StringEquals": { "aws:ResourceTag/owner": "${aws:PrincipalTag/owner}" } }
    }
  ]
}
You can have multiple "Allow" constructs in a single IAM statement. Either of these could allow the action.
answered 3 years ago
Oh duh lol. Why didn't I think of this.
1
Create two separate statements:
{
  "Sid": "AllowUnlessOwnedBySomeoneElse",
  "Effect": "Allow",
  "Action": "*",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:RequestTag/owner": "${aws:PrincipalTag/owner}"
    }
  }
},
{
  "Sid": "AllowUnlessOwnedBySomeoneElse2",
  "Effect": "Allow",
  "Action": "*",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:ResourceTag/owner": "${aws:PrincipalTag/owner}"
    }
  }
}
Make sure you also have a look at the page that details which services do and don't support ABAC as well.
Thanks, I should have thought of this.
As this snippet looks somewhat familiar :-) I should comment on why there is AND, not OR. The condition is there to state that your API request must have the same owner=value as the resource does. The original version had StringEqualsIfExists to allow those cases where the owner tag isn't present or doesn't make sense. I'm not sure what the use-case for OR would be, as your requestTag comparison will always be true if you have tagged the IAM user or role you are using?