1 回答
- 最新
- 投票最多
- 评论最多
0
Hello @Serhii!
Yes it's possible to deny actions on tagged resources, but the condition is different. I got it to work with the following condition:
"Condition": { "StringEqualsIfExists": { "aws:RequestTag/env": "prod" }
The following example policy denies anyone who has it attached of deleting S3 objects in a specific bucket if object is tagged with env:prod.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::your-bucket/*", "Condition": { "StringEqualsIfExists": { "aws:RequestTag/env": "prod" } } } ] }
This is an IAM policy, so make sure that you attach it to roles, groups or users that you want to prevent from taking actions on the tagged resources.
If you want an S3 resource policy, it's a little different, you must specify the principal:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "*", "Resource": "arn:aws:s3:::example-bucket/*", "Condition": { "StringEqualsIfExists": { "aws:RequestTag/env": "prod" } } } ] }
Hope this help you,
Let me know if have any further questions.
已回答 9 个月前
相关内容
AWS 官方已更新 2 年前
