SCP policy to deny all actions on specific tag based resources

Hi, I'm trying to create an SCP to prevent users from modifying specific resources based on a specific tag. This is the policy I've applied, but I can still modify the name, tags and other attributes on the different resources that should be restricted.

{
    "Sid": "DenyAllActionsOnControlTowerTaggedRessources",
    "Effect": "Deny",
    "Action": [ "" ],
    "Resource": [ "" ],
    "Condition": {
        "StringLike": {
            "aws:ResourceTag/cloudformation:stack-name": ["StackSet-AWSControlTower*"]
        }
    }
}

I'm hoping for some advice. Thank you.

RoxTeo
Asked 8 months ago, viewed 967 times

1 answer

Hi RoxTeo.

I think the problem might be with how you defined the policy. I'm not sure if you were redacting the policy, but actions and resources should have an asterisk (*) if you want to include all actions/resources.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllActionsOnControlTowerTaggedRessources",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/cloudformation:stack-name": ["StackSet-AWSControlTower*"]
                }
            }
        }
    ]
}

Here are some examples of SCPs with tags. Also note that using StringLike will cause the condition to do case-sensitive evaluations. Per the documentation:

StringLike Case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string. You must specify wildcards to achieve partial string matches.

Note If a key contains multiple values, StringLike can be qualified with set operators—ForAllValues:StringLike and ForAnyValue:StringLike. For more information, see Multivalued context keys.

I hope this helps.

AWS, Expert
Answered 8 months ago
  • Hi Jose,

    Thank you very much for the reply. Indeed, something happened with the policy while editing the message. My policy looks exactly like the one you posted, and it's part of a bigger one also denying other operations on the account. For the StringLike condition, the tag starts with "StackSet-AWSControlTower" and then there is a random string.

    Shouldn't this policy deny all actions (e.g. a name change of the resource, etc.) on the identified resources?

    Thank you!

  • I have a similar problem. I want to restrict any role, except for a specified one (matched with wildcards), from being able to provision, update or terminate Service Catalog products where the product being launched has a tag key = environment and a tag value = prod; any other value should be allowed. With the below policy, I have tried both "ResourceTag" and "RequestTag", and for the principal I have also tried "ArnNotLike". I can only prevent the creation, but it can still update and terminate existing provisioned products.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "cloudformation:*",
            "servicecatalog:UpdateProvisionedProduct",
            "servicecatalog:TerminateProvisionedProduct"
          ],
          "Resource": [
            "arn:aws:cloudformation:*:*:stack/SC*",
            "arn:aws:servicecatalog:*:*:stack/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/environment": "prod"
            },
            "StringNotLike": {
              "aws:PrincipalARN": [
                "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_administrators*"
              ]
            }
          }
        }
      ]
    }
    

    When using the "ResourceTag" option, I also get a warning about this problem. https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-deny-with-unsupported-tag-condition-key-for-service

    Any ideas?
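
To make the evaluation behaviour behind both the answer's SCP and the policy in the comment above concrete, here is an added worked example in Python (example code written for this page; it is not code from the thread, from AWS, or from either poster). It models only the part of policy evaluation the thread turns on: a Deny statement applies when Action, Resource and every Condition key match, and a condition key that the service did not place in the request context (which is what happens with aws:ResourceTag/... on calls that do not support that key, the situation the linked IAM Access Analyzer warning describes) makes the condition false, so the Deny is skipped rather than enforced. Set operators (ForAllValues/ForAnyValue), the ...IfExists variants and the Null operator are not modelled. Both policies are reproduced as posted (including the Sid spelling and the aws:PrincipalARN key); the account id, ARNs, tag values and request contexts are constructed placeholders.

```python
"""Constructed model of SCP Deny evaluation (example code, not AWS's evaluator).
Models only: a Deny applies when Action, Resource and every Condition key match,
and a condition key absent from the request context makes the condition false.
Set operators, ...IfExists and Null are deliberately omitted."""
import re

def iam_match(pattern: str, value: str) -> bool:
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly
    one, everything else is literal, and the comparison is case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

# Single-valued string operators: (request value, policy patterns) -> bool
OPERATORS = {
    "StringEquals":  lambda value, pats: any(value == p for p in pats),
    "StringLike":    lambda value, pats: any(iam_match(p, value) for p in pats),
    "StringNotLike": lambda value, pats: all(not iam_match(p, value) for p in pats),
}

def condition_matches(condition: dict, context: dict) -> bool:
    """Every operator block and every key inside it must match (logical AND).
    A key missing from the request context fails the condition, which is why a
    tag-conditioned Deny is skipped for calls that carry no aws:ResourceTag value."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            if key not in context:
                return False
            if not OPERATORS[operator](context[key], _as_list(patterns)):
                return False
    return True

def statement_applies(stmt: dict, action: str, resource: str, context: dict) -> bool:
    return (any(iam_match(a, action) for a in _as_list(stmt["Action"]))
            and any(iam_match(r, resource) for r in _as_list(stmt["Resource"]))
            and condition_matches(stmt.get("Condition", {}), context))

def scp_explicitly_denies(policy: dict, action: str, resource: str, context: dict) -> bool:
    """True if any Deny statement in the policy matches the request."""
    return any(s["Effect"] == "Deny" and statement_applies(s, action, resource, context)
               for s in policy["Statement"])

# The SCP from the answer above, as posted.
CONTROL_TOWER_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllActionsOnControlTowerTaggedRessources",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringLike": {
            "aws:ResourceTag/cloudformation:stack-name": ["StackSet-AWSControlTower*"]}},
    }],
}

# The policy from the second comment above, as posted (key spelling kept).
SERVICE_CATALOG_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["cloudformation:*", "servicecatalog:UpdateProvisionedProduct",
                   "servicecatalog:TerminateProvisionedProduct"],
        "Resource": ["arn:aws:cloudformation:*:*:stack/SC*",
                     "arn:aws:servicecatalog:*:*:stack/*"],
        "Condition": {
            "StringEquals": {"aws:ResourceTag/environment": "prod"},
            "StringNotLike": {"aws:PrincipalARN": [
                "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_administrators*"]},
        },
    }],
}

# Constructed request contexts; account id, ARNs and tag values are placeholders.
ENI_ARN = "arn:aws:ec2:eu-west-1:111122223333:network-interface/eni-0123456789abcdef0"
TAGGED = {"aws:ResourceTag/cloudformation:stack-name": "StackSet-AWSControlTowerBP-BASELINE-abc123"}
LOWERCASE_TAG = {"aws:ResourceTag/cloudformation:stack-name": "stackset-awscontroltowerbp-baseline-abc123"}
NO_TAG_KEY = {}  # the service supplied no aws:ResourceTag/... value for this call

PP_ARN = "arn:aws:servicecatalog:eu-west-1:111122223333:stack/MyApp/pp-abcdefghijklm"
DEV_ROLE = "arn:aws:iam::111122223333:role/developer"
ADMIN_SSO = ("arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/"
             "eu-west-1/AWSReservedSSO_administrators_0123456789abcdef")

if __name__ == "__main__":
    ct = lambda ctx: scp_explicitly_denies(CONTROL_TOWER_SCP, "ec2:CreateTags", ENI_ARN, ctx)
    print("tag matches       ->", ct(TAGGED))         # True
    print("lowercase tag     ->", ct(LOWERCASE_TAG))  # False: StringLike is case-sensitive
    print("tag key absent    ->", ct(NO_TAG_KEY))     # False: the Deny is silently skipped
    sc = lambda ctx: scp_explicitly_denies(
        SERVICE_CATALOG_SCP, "servicecatalog:TerminateProvisionedProduct", PP_ARN, ctx)
    print("prod, developer   ->", sc({"aws:ResourceTag/environment": "prod", "aws:PrincipalARN": DEV_ROLE}))   # True
    print("prod, admin SSO   ->", sc({"aws:ResourceTag/environment": "prod", "aws:PrincipalARN": ADMIN_SSO}))  # False
    print("no tag in context ->", sc({"aws:PrincipalARN": DEV_ROLE}))                                           # False
```

The three cases per policy are the ones worth checking before trusting a tag-scoped Deny: the tag present and matching (denied), the tag present but differing only in case (not denied, because StringLike is case-sensitive), and the tag key absent from the request context (not denied). The model looks up condition keys as literal strings, so the comment's spelling aws:PrincipalARN is used consistently; real IAM condition key names are matched case-insensitively.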
