IAM Condition: aws:RequestTag/${TagKey} in read API operations?

0

I am trying to create an SCP to enforce the use of specific tags when creating resources. While I was working on finding supported API actions I found in Amazon SES - Mail Manager that certain Read actions supported the aws:RequestTag/${TagKey}. One example being ses:GetAddonInstance.

I thought that this condition was utilized in a manner that enforced the use of specific tag keys/values in the request when creating or updating a resource. Why would this be supported in these read actions when the tag would not be either modified or created? I would think this would instead be aws:ResourceTag/${TagKey}, which would make sense.

Here is the service authorization reference for SES - Mail Manager: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpleemailservice-mailmanager.html#amazonsimpleemailservice-mailmanager-aws_RequestTag___TagKey_

Here is the API request syntax for this particular action: https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_GetAddonInstance.html

asked 21 days ago · 53 views
1 Answer
0

You're correct in your understanding that the aws:RequestTag/${TagKey} condition key is typically used to enforce specific tags when creating or updating resources. It's unusual to see this condition key supported for read operations like ses:GetAddonInstance.

In general, aws:RequestTag/${TagKey} is used to control which tag key-value pairs can be included in a request when creating or modifying resources. For read operations, we would indeed expect to see aws:ResourceTag/${TagKey} instead, as this condition key is used to control access based on tags that are already attached to existing resources.

The support for aws:RequestTag/${TagKey} in read operations for Amazon SES Mail Manager, such as ses:GetAddonInstance, is atypical. This could potentially be an error in the documentation or an unusual implementation specific to this service.

Given that the API request syntax for GetAddonInstance doesn't show any parameters for including tags in the request, it's even more puzzling why aws:RequestTag/${TagKey} would be supported for this action.

If you need to control access based on tags for these read operations, it would be more logical to use aws:ResourceTag/${TagKey} in your policies. This would allow you to restrict access based on the tags that are actually attached to the addon instances.

For your SCP to enforce the use of specific tags when creating resources, you should focus on the create and update actions that typically support aws:RequestTag/${TagKey}. For read actions, it's generally more appropriate to use aws:ResourceTag/${TagKey} if you need to control access based on existing tags.

If this inconsistency is critical for your use case, you may want to contact AWS support for clarification on the specific behavior of aws:RequestTag/${TagKey} for these read actions in Amazon SES Mail Manager.
Sources:
Controlling access to AWS resources using tags - AWS Identity and Access Management
Using attribute-based access control in Lambda - AWS Lambda
Using attribute-based access control for tag-based access authorization with Amazon DynamoDB | AWS Database Blog

answered 21 days ago
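As an added illustration of the split the answer describes (not code from the asker or the answerer), here is an SCP that uses aws:RequestTag only on the create action and aws:ResourceTag on the read action. The tag key CostCenter and the allowed values are constructed for the example; it assumes ses:CreateAddonInstance accepts tags in the request (so aws:RequestTag is populated for it), which is the normal case for a create action but should be confirmed against the service authorization reference before use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreateAddonInstanceWithoutCostCenterTag",
      "Effect": "Deny",
      "Action": "ses:CreateAddonInstance",
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter": "true"
        }
      }
    },
    {
      "Sid": "DenyCreateAddonInstanceWithUnapprovedCostCenter",
      "Effect": "Deny",
      "Action": "ses:CreateAddonInstance",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/CostCenter": ["cc-1001", "cc-1002"]
        }
      }
    },
    {
      "Sid": "DenyReadOfAddonInstancesOutsidePrincipalCostCenter",
      "Effect": "Deny",
      "Action": "ses:GetAddonInstance",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"
        }
      }
    }
  ]
}
```

The first statement is the pattern the question is after: Null evaluates to true when the request carries no CostCenter tag at all, so the create call is denied unless the tag is supplied. The second statement keeps the value on an approved list. The third statement is where aws:ResourceTag belongs: it compares the tag already on the addon instance with the caller's own principal tag. Note that StringNotEquals matches when the resource has no CostCenter tag, so this Deny also blocks reads of untagged instances; that is consistent with the first statement, but it matters for instances created before the SCP was attached. Nothing in this policy relies on aws:RequestTag for the read action, so the documentation oddity the answer discusses has no effect on it.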
