1 個回答
- 最新
- 最多得票
- 最多評論
0
Hello @Serhii!
Yes it's possible to deny actions on tagged resources, but the condition is different. I got it to work with the following condition:
"Condition": { "StringEqualsIfExists": { "aws:RequestTag/env": "prod" }
The following example policy denies anyone who has it attached of deleting S3 objects in a specific bucket if object is tagged with env:prod.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::your-bucket/*", "Condition": { "StringEqualsIfExists": { "aws:RequestTag/env": "prod" } } } ] }
This is an IAM policy, so make sure that you attach it to roles, groups or users that you want to prevent from taking actions on the tagged resources.
If you want an S3 resource policy, it's a little different, you must specify the principal:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "*", "Resource": "arn:aws:s3:::example-bucket/*", "Condition": { "StringEqualsIfExists": { "aws:RequestTag/env": "prod" } } } ] }
Hope this help you,
Let me know if have any further questions.
已回答 9 個月前
相關內容
AWS 官方已更新 3 年前- AWS 官方已更新 2 年前