
Enforce Tags SCP for DynamoDB is not working

0

Hi, I followed this official guide from aws in order to implement a tagging strategy for resources in my AWS Organization https://aws.amazon.com/de/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/

The example is for EC2 instances; I followed all steps and this worked. However, when I wanted to replicate the steps for S3, RDS and DynamoDB it did not work.

The following is the SCP I want to use in order to enforce the tag test to be on every created dynamodb table. This is exactly how it is done in the Guide for EC2.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Effect": "Deny",
			"Action": [
				"dynamodb:CreateTable"
			],
			"Resource": [
				"arn:aws:dynamodb:*:*:table/*"
			],
			"Condition": {
				"Null": {
					"aws:RequestTag/test": "true"
				}
			}
		}
	]
}

However when I try to create a DynamoDB Table with the tag test I get the following error message. I am passing the tag test, however I still get a deny.

User: arn:aws:sts::<account>:assumed-role/<role>/<email> is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:eu-central-1:<table>:<table> with an explicit deny. 

I tried creating this SCP for the Services RDS, S3 and DynamoDB, only EC2 seems to work.

Do you have an idea what the error could be, or is anyone using this tagging strategy in their AWS Organization/AWS Control Tower? Would be interested to hear what your experience is, as this seems really complicated to me to implement and does not work so far.

Looking forward to hearing from you people :)

2 Answers
0

Hello,

From your query description, I understand you noticed that you have been trying to enforce tagging strategy using Service Control Policy (SCP) for resources in your AWS organization using the reference document [1] providing example for EC2 instances.

However, you were not able to replicate the same for other resources like DynamoDB tables, RDS cluster and S3 buckets. Please, let me know if my understanding is incorrect.

The cause for the same is that not all AWS services support Tag Based Access Control. In order to check whether an AWS service supports authorization based on tags, see the following document "AWS services that work with IAM" and look for the services that have Yes in the Authorization based on tags (ABAC) column. Choose the name of the service to view the authorization and access control documentation for that service. [2]

Thus, looking into the list, I could validate that DynamoDB does not support ABAC, while Amazon S3 supports tag-based authorization only for object resources. However, I was able to enforce tag-based authorization for the RDS cluster using the SCP below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": ["rds:CreateDBCluster"],
      "Resource": ["arn:aws:rds:*:*:cluster:*"],
      "Condition": {
        "Null": {
          "aws:RequestTag/test": "true"
        }
      }
    }
  ]
}

I hope this helps. If you need further info, let me know in the comments; otherwise I'd appreciate if you mark my answer as "ACCEPTED".

Kind regards,

Arpit C.

References:

[1] Implement AWS resource tagging strategy using AWS Tag Policies and Service Control Policies (SCPs)

[2] AWS services that work with IAM

AWS
answered 2 years ago
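The behaviour described in the question and explained in the answer comes down to how the IAM `Null` condition operator interacts with the `aws:RequestTag/<key>` context keys: `"Null": {"aws:RequestTag/test": "true"}` matches whenever the key is absent from the request context, and a service that does not support ABAC for a resource type never populates that key, so the explicit deny fires even though the caller passed the tag. The following is an added example, not code from the question, the answer or AWS: a small evaluator for Deny statements with a `Null` condition that reproduces the three cases (no tag passed, tag passed and the service maps it, tag passed but the service does not map it). The account id, table name and the `service_populates_request_tags` flag are constructed assumptions of this example; it models one Deny statement, not the full IAM policy evaluation logic.

```python
"""Mini-evaluator for an SCP Deny statement with a Null condition on
aws:RequestTag/<key>. Added example; simplified model of IAM evaluation."""
from fnmatch import fnmatchcase


def deny_untagged_create_scp(action: str, resource_arn_pattern: str, tag_key: str) -> dict:
    """Build the SCP shape used in the question, parameterised by action/resource/tag."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Deny",
                "Action": [action],
                "Resource": [resource_arn_pattern],
                "Condition": {"Null": {f"aws:RequestTag/{tag_key}": "true"}},
            }
        ],
    }


def build_request_context(tags: dict, service_populates_request_tags: bool) -> dict:
    """Construct the condition-key context the authorization engine sees.

    Assumption of this example: a service that supports ABAC for the resource
    type maps every tag in the create request to aws:RequestTag/<key>; a service
    that does not leaves those keys absent even though the caller passed tags.
    """
    ctx = {}
    if service_populates_request_tags:
        for key, value in tags.items():
            ctx[f"aws:RequestTag/{key}"] = value
    return ctx


def matches_any(patterns, value: str) -> bool:
    """IAM-style wildcard match (* and ?) for actions and resource ARNs."""
    return any(fnmatchcase(value, p) for p in patterns)


def condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate a Condition block; all operator/key pairs must match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "Null":
                # "true" matches when the key is ABSENT, "false" when it is PRESENT.
                present = key in ctx
                want_absent = str(expected).lower() == "true"
                if present == want_absent:
                    return False
            elif operator == "StringEquals":
                if ctx.get(key) != expected:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def explicit_deny(policy: dict, action: str, resource_arn: str, ctx: dict) -> bool:
    """Return True if any Deny statement in the policy applies to this request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not matches_any(stmt["Action"], action):
            continue
        if not matches_any(stmt["Resource"], resource_arn):
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


# Constructed sample request, mirroring the question's DynamoDB case.
SCP = deny_untagged_create_scp("dynamodb:CreateTable", "arn:aws:dynamodb:*:*:table/*", "test")
TABLE_ARN = "arn:aws:dynamodb:eu-central-1:123456789012:table/orders"  # constructed


def scenarios() -> dict:
    """Three requests against the same SCP; True means 'explicit deny'."""
    return {
        "no_tag_passed": explicit_deny(
            SCP, "dynamodb:CreateTable", TABLE_ARN, build_request_context({}, True)),
        "tag_passed_service_maps_it": explicit_deny(
            SCP, "dynamodb:CreateTable", TABLE_ARN, build_request_context({"test": "a"}, True)),
        "tag_passed_service_does_not_map_it": explicit_deny(
            SCP, "dynamodb:CreateTable", TABLE_ARN, build_request_context({"test": "a"}, False)),
    }


if __name__ == "__main__":
    for name, denied in scenarios().items():
        print(f"{name}: {'DENY' if denied else 'no deny'}")
```

The third scenario is the one the question reports: the tag is on the request, but because the key never reaches the request context the `Null` check still evaluates to true and the deny applies. The practical check before rolling such an SCP out organization-wide is therefore the one the answer gives, confirming in "AWS services that work with IAM" that the service and resource type in the statement actually support ABAC, and testing the policy on a single OU first.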
