Prevent tag changes unless a specific user or lambda function?

Question

Hello,

I'm trying to prevent certain tags from being edited unless they are part of an admin group or a lambda function. I've used an scp to be able to do this as far as users, however, it prevents the lambda function from editing or adding any tags.

Is there any way to go about preventing changes to specific tags via an SCP unless an approved group role or lambda function? Or is there a better option than using an SCP?

Answer

Hello,
Another thing to keep in mind is that each service has their own tagging action, so you need to make sure that each tagging action for each service is restricted in the SCP. You can view the list of services and their actions within this doc: https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html

Additionally, for the conditions on restricting it to specific roles are a lambda function, they may want to use conditions such as these:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalarn

Answer

Hello.  
As I answered in the following post, I think it can be controlled by using "Condition".  
The "aws:PrincipalArn" can be controlled by setting it to the ARN of the IAM role used by Lambda.  
https://repost.aws/questions/QUaLMr8nNLRIS4-gol-sknMQ/prevent-function-deletion#ANzwYUljYfSzqiBIyWqrkdyQ

Prevent tag changes unless a specific user or lambda function?

Relevant content